
Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
July 19, 2016


Pokémon Go Security Risks Flagged by CIA, Gulf States and Data Security Experts

Even by the standards of online viral trends, Pokemon Go’s trajectory is quite astonishing.

Within a week of launch the augmented-reality mobile exploration game could boast 20 million downloads. To put that into some sort of context, it’s twice the number achieved by dating app Tinder over a timescale 208 times as long (four years), while the number of daily active users accrued over 10 years by Twitter was surpassed in just seven days.

For those still unfamiliar with the game mechanics of an app generating a staggering $1.6m per day for Niantic and partners – Nintendo, Google and the Pokemon Company – Pokemon Go melds the real world with the world of Pokemon, the colourful, diminutive creatures that first appeared on the Nintendo Game Boy in 1995.

Players are tasked with ‘catching’ as many of the 250 Pokemon characters as they can, which they track down through Google Maps. Once located the Pokemon are superimposed onto the smartphone screen and captured when the player hits them with ‘poke balls’.

So overwhelming has demand been that the servers powering the gaming environment have frequently crashed. But if the game’s developers, Niantic Labs, are frantically scrambling to upgrade server capacity, then might they neglect mounting cyber security concerns?

And the cyber threat is not the only security issue to arise from the latest viral gaming craze.


US government drafts Pokemon dos and don’ts

The US government was sufficiently concerned about the national security threat posed by Pokemon Go to issue guidelines for playing the game to US military and intelligence personnel (see below).

Government and military employees are already advised to exercise caution in what they share on social media, write in emails or discuss in public. Augmented reality games and geolocation apps represent another new front in the battle to guard classified information. Atlas Obscura reported that an anonymous member of the military asked the Pokemon Go Reddit community for advice on whether playing the game might breach operations security (OPSEC) rules. “Currently deployed in Afghanistan and wanna Catch em’ All. Anyone see any concerns or problems with Opsec regarding base location ect [sic] before I download and get Poke-weird all over the base?” he wrote.

Fatwas and espionage warnings 

The Pokemon Go craze has also alarmed authorities in several Gulf States. Although the game has yet to be launched in the region, some enterprising citizens have downloaded the app via VPN connections or third-party sites.

Alarmed by this development, Kuwait’s Interior Ministry issued a statement on 14 July warning players not to take pictures of government buildings, military bases, oil facilities, mosques and shopping centres.

The UAE Telecommunications Regulatory Authority has warned residents that “criminals can use the app’s geolocation features to target the victims. Those features alongside the phone’s camera make users vulnerable to hackers’ attacks.”

Egyptian authorities, meanwhile, are considering introducing new regulations for online games. Hani al-Nazer, former president of the National Research Centre, has warned that Pokemon Go “could be used for espionage and information-gathering”.

Abbas Shuman, deputy head of Egypt’s top Islamic institution, al-Azhar, objected to the game on rather different grounds: “This game makes people look like drunkards in the streets and on the roads while their eyes are glued to the mobile screens,” he is reported as saying.

There were also rumours – denied by Egypt’s state-owned news agency, al-Ahram – that al-Azhar had issued a fatwa proscribing Pokemon Go as un-Islamic. In 2001 al-Azhar issued a fatwa against the original Pokemon game for promoting “Darwinian ideas” (Pokemon characters ‘evolve’ into different forms). The game “instills in the child’s mind fictions that have no basis and supernatural [creatures] that don’t exist in nature,” the edict said.

Armed robbers lie in wait

The GPS-tracking dimension has also sparked fears about personal as well as state security, with some commentators warning that paedophiles could exploit the game.

Enterprising armed robbers in Missouri have already capitalised. State police have warned that armed robbers have lain in wait for Pokémon hunters at Pokestops (where high concentrations of Pokemon are found).

“It is believed these suspects targeted their victims through the Pokémon Go smartphone application,” warned a post on the Missouri police force Facebook page. “If you use this app (or other similar type apps) or have children that do we ask you to please use caution when alerting strangers of your future location.”

Gamers, it seems, can even be a danger to themselves. Stories of distracted gamers wandering into danger are already legion, with one man crashing his car into a tree, two players falling off a cliff and several youngsters being stranded in underground caves, to name just three examples.

One teenager from Wyoming even found a dead body while hunting for Pokemon.

For more on the health and safety risks posed by Pokemon Go, read this wry take on the game from our sister publication SHP.

Pokemon hunters swamp police station

Pokemon Go enthusiasts triggered a security alert when they descended on the headquarters of Leicestershire’s police force.

Baffled police officers were initially unaware of why the group began taking photos around the building, something the authorities now discourage amid the heightened terror threat.

The force has since issued a statement warning Pokemon hunters against playing outside police stations and other civic buildings.

Data privacy fears

In a Tumblr post Adam Reeve, a security analyst, has noted that players who sign in through Google are inadvertently surrendering all of their personal data from Google to Niantic Labs. Users were not given any indication that Niantic Labs would gain access to their personal data by default.

iOS users are apparently given no option to edit privacy permissions, while the game doesn’t even appear under Google’s security permissions. The Google Play store does state that Pokemon Go will gain “full network access”, which Google says grants applications the authority to “modify nearly all information in your Google account.”

Asked to address privacy concerns by gaming website Polygon, Niantic issued the following statement:

“We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.”

Rogue imitators

Meanwhile, security firms have warned that fake versions of Pokemon Go are downloading malware and ransomware onto users’ phones.

The game’s staggered release – only residents of 34 countries can officially download it at present – has seen impatient gamers resort to myriad copycat apps.

Cyber security company RiskIQ discovered 215 rogue versions of Pokemon Go on the Google Play app store.

“Had Pokémon Go been released globally (since people everywhere are playing it), no one would have felt the need to visit third party sites,” Tyler Reguly, manager of software development at Tripwire, told Newsweek. “The websites hosting this content are often plagued by drive-by attacks and malware. Incorporating this into the actual download is a logical expansion.”

Such is the game’s popularity that Reguly thinks many users might even see malware as a price worth paying to get a foothold in the Pokemon universe.


July 26, 2016 5:00 pm

I do not like the whole idea of Pokemon Go! It just seems like one more level of personal security exposures. I see it, also, as a potential for a national security risk by having people run around in places where they have no business including trespassing issues, not to mention, a bunch more people running around with their eyes on a small screen not being aware of their surroundings. Not being aware of one’s surrounds brings about an array of dangerous potential issues.