Even the most technically uninterested cannot have failed to have heard about Pokemon GO, the new mobile game that integrates the much loved characters from the 90s card trading game and the until now niche technology of augmented reality. This blend has got literally thousands of game players leaving the confines of their home and heading out into the real world to track down all varying shapes and sizes of Pokemon.
News reports have been covering the ‘massing’ of players in all manner of locations, from parks to churches in order to continue their quest. Nintendo, the manufacturer behind Pokemon GO, should be congratulated on mobilising what has been up to now a relatively sedentary game playing populous. But with any new technology, and Pokemon GO is no exception, very quickly flaws are found in it that can be exploited by cyber thieves.
There have been a few articles on the cyber risk associated with Pokemon GO, but the one that caught my eye was published by CNBC. Their analysis, aided by Check Point Software Technologies, was that because the game became an almost instant hit, one that took even Nintendo by surprise, it was not released simultaneously around the globe. This led eager game players in countries that were further down the release schedule willing to download the game from unverified third-party app stores, which could expose them to downloading malicious apps that may be used to steal sensitive information or spy on the user.
The article explained how Cybercriminals can actually repackage the Pokemon GO app for Android, and turn it into a malware, which contain remote access tools allowing the attacker to take control of the unsuspecting user’s smartphone. This is in my mind a very good example of social engineering, and I must admit to having a small amount of admiration for the criminals behind this scam. They could see the market desire for a product, that the manufacturer could not fill, so stepped into scam the unsuspecting players who simply could not wait for the official release.
Is this a lesson for the manufacturer, or the consumer? Actually both, If Nintendo had either had a global release, or conversely had warned users over downloading from illegal sites, then perhaps some of the victims would have been better informed. Consumers should also learn to only obtain products from the manufactures directly, or via their approved distribution mechanisms. This is no different to ‘knock off’ products being sold out of the back of a van, it’s just a digital equivalent. Let’s just hope that when the Pokemon GO fever dies down a bit, and it will, that lessons can be learned.
The Pokemon GO story is a good example of what is being terms a cyber security ‘blind spot’ something that is difficult to predict or to spot. This term was explored by TechTarget on their website recently as they looked at how blind spots can occur. They quote examples of how medical device companies cannot take a security patch and apply it immediately. It has to be validated first, else there can be a greater risk.
However, this does lead to a period of time where there is a known technical vulnerability, that could be exploited. Their suggested solution, based on comments at a recent conference is to have a continually updated risk profiles available so that security teams can proritse their efforts and get in front of issues before they fully erupt.
Famed for blind spots, are cars, but hopefully the next generation of sensor laden cars will make these a thing of the past. As cars continue to become computers on wheels, manufacturers are worried that they will have a whole host of additional cyber issues to deal with.
NBC picked up the challenge that car manufacturers now face and explained that more and more of them are turning to hackers for help. With modern vehicles using more than 100 million lines of code to control everything from the engine management system to the onboard infotainment technology, they are using the same level of processing power that would be found in a typical home or office. With that comes vulnerabilities. Obviously the car manufacturers want to do everything they can to prevent the nightmare scenario of cars being remotely hacked into and taken control of by criminals. Or that criminals use the technology within a car as a gateway to connect into a user’s phone or other device, lifting valuable data from it.
By turning to the hacker community, through the increasing use of bug bounty hunting schemes, they hope to solve this issue. With an estimated 32,000 hackers around the world, this collective knowledge and crowdsourcing approach to risk mitigation can be incredibly effective. That assumes of course that all those hackers are actually willing to hunt bugs and are not being distracted by hunting Pokemon!
For links to all these stories and more, or to contribute with some comments join us by searching for the National Cyber Skills Centre on our social channels of FaceBook, LinkedIn and Twitter, or just click the relevant links from our website.