Users of this summer’s craze, Pokémon GO, have been discovering a number of personal risks while playing – notably, falling off cliffs or even wandering in front of traffic.
But what about business risks? If an employee uses their personal phone (even if they don’t play Pokémon GO) for work email (e.g. BYOD), are they unknowingly introducing risk to their employer?
Even worse, are they risks that the business isn’t aware of or prepared to handle?
There is a clear risk involved with BYOD, but beyond malicious apps there are subtler risks at play here.
In order to play Pokémon GO, users agree to allow app developer Niantic to track their location, and access their camera and “certain personal information that your privacy settings on the applicable account permit us to access”.
Even more concerning are other parts of the Pokémon GO ‘Terms of Service’ that users must agree to in order to play the game.
This includes the statement: ‘By making any User Content available through the Services, you grant to Niantic a nonexclusive, perpetual, irrevocable, transferable, sublicensable, worldwide, royalty-free license to use, copy, modify, create derivative works based upon, publicly display, publicly perform, and distribute your User Content.’
Those are terms that seem out of place on a device holding proprietary business information and sensitive customer content.
But we can segment the corporate data from game data, right? Perhaps on an iOS device, where Apple’s sandboxing is solid – but what if your employee, intentionally or otherwise, uses their Gmail account for work e-mail? What if the employee uses the same password for their Gmail or Facebook account as for Active Directory?
The easiest way to sign up for Pokémon GO is to use your Gmail account or Facebook account, and even if password re-use isn’t relevant, you’ve just provided your Facebook or Gmail account password to a gaming company.
Gaming companies aren’t immune to compromise, which could put all kinds of personal and professional information at risk, particularly when Facebook accounts are threatened.
While no figures have been released on the percentage of players who hand over their Facebook account password, given the number of people playing the game it has to be a pretty wide net. That sounds like pretty juicy information for someone to use (be it for good or evil).
The primary risk to businesses is password re-use. While we can assume that Niantic doesn’t plan to exploit Gmail and Facebook account credentials, we can assume that they will be targeted by malicious actors who do plan to exploit said credentials.
If someone were to compromise personally identifiable information (PII) from Niantic, the amount of business-specific information harvested could be significant – particularly if there is a lag between the compromise, detecting the breach and public disclosure.
If a company’s employees are using the same password for Gmail or Facebook as they are for Office 365, and Niantic gets hacked, the company is in trouble.
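The defensive counterpart to the password-reuse risk described above is to screen corporate passwords against credentials already known to have leaked from third parties. The following Python is an added example, not code from the article or from Cyber adAPT: it assumes the defender holds a corpus of leaked passwords as SHA-1 hashes (constructed inline here) and checks a new password against it using 5-character hash-prefix buckets, the k-anonymity scheme used by the Have I Been Pwned range API, so that a full password hash never has to leave the client.

```python
import hashlib

# Constructed sample corpus: passwords assumed to have leaked in a third-party
# breach. A real deployment would load SHA-1 hashes from a breach feed instead.
LEAKED_PASSWORDS = ["Pikachu123", "Summer2016!", "letmein"]
LEAKED_HASHES = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in LEAKED_PASSWORDS}


def sha1_upper(password: str) -> str:
    """SHA-1 of the password as an upper-case hex string (the range-API convention)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_prefix_index(hashes):
    """Bucket full hashes by their first 5 hex characters (the k-anonymity prefix).

    Each bucket holds only hash suffixes, mirroring what a range endpoint returns.
    """
    index = {}
    for digest in hashes:
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def lookup_range(index, prefix: str):
    """Stand-in for a remote range query: given a 5-char prefix, return the
    suffixes of every leaked hash sharing that prefix. Only the prefix is
    disclosed to the service; the caller finishes the match locally."""
    return index.get(prefix, set())


def is_password_breached(password: str, index) -> bool:
    """True if the password's hash appears in the leaked corpus."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in lookup_range(index, prefix)


def evaluate_password_change(password: str, index, min_length: int = 12) -> dict:
    """Policy decision for a proposed corporate password.

    Rejects passwords that are known-leaked (likely reused from a consumer
    account) and passwords shorter than the configured minimum.
    """
    reasons = []
    if is_password_breached(password, index):
        reasons.append("password appears in a known third-party breach")
    if len(password) < min_length:
        reasons.append(f"password shorter than {min_length} characters")
    return {"accepted": not reasons, "reasons": reasons}


if __name__ == "__main__":
    idx = build_prefix_index(LEAKED_HASHES)
    for candidate in ["Pikachu123", "correct horse battery staple"]:
        print(candidate, "->", evaluate_password_change(candidate, idx))
```

The index is built once from the breach corpus; each password check discloses only a 5-character prefix to whatever holds that corpus, and the suffix comparison happens on the caller's side. Hooking `evaluate_password_change` into a password-change workflow lets a directory reject a new corporate password that matches one already exposed in a consumer-service breach, without the directory ever storing or transmitting the plaintext.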
We need to make peace with the fact that we’re owned by every device we depend on, and that these devices are already a utility for work, health and play.
Trying to force a single application to suit solely business interest will likely be counterproductive. Security professionals and business leaders should be looking for technology solutions which will support the user’s interests, as well as the business requirements.
Sourced from Sam Stover, head of applied research, Cyber adAPT