BYOD or BYOPG (Bring Your Own Pokémon Go) could be opening up holes in your network security. Financialexecutives.org reports that vulnerabilities could arise from PG players using corporate accounts or devices to play the game.

Employees chasing virtual monsters may be opening real-world security holes in corporate networks.

The widespread popularity of the augmented reality app Pokémon Go has turned the app into a cultural phenomenon, but security researchers say the use of corporate email accounts or devices by players may create security challenges for organizations.

According to cloud security provider CloudLock, the first release of the Pokémon Go app, which launched in the United States in early July, requested full access to users’ Google accounts (which were used to register player accounts) through an OAuth connection. This permission, which most users granted without reading the consent screen or considering the security implications, allowed the app to access all of the information synced to a user’s Google account, including contacts, calendar data and files.

While there is no evidence that Google user accounts were breached, and the requested permissions were reduced in a subsequent update, current versions of the game still collect users’ location and personal account data.

Potentially more concerning, according to CloudLock, is that a number of employees use their corporate log-in credentials to create their game accounts. CloudLock examined 900 corporate cloud environments and reported the following findings:

  • Of the 900 organizations examined, 44 percent had employees who granted access to Pokémon Go using corporate credentials.
  • On average, about 5.8 percent of an organization’s employees had Pokémon Go installed on devices that access the corporate cloud environment.
  • If such a device is compromised, the use of corporate credentials may expose the organization’s network and data to unauthorized access and exploitation.

[Embedded video: Bosses react to Pokémon]

In addition, companies with global operations need to be aware that in countries where the game has not yet been released, a number of counterfeit versions of Pokémon Go have been uploaded to unofficial app stores. At least one of these counterfeit apps has been found to contain a remote access tool designed to harvest data from the compromised handset.

[Read more at financialexecutive.org]

CloudLock’s report points out key takeaways for IT security teams:

Organizations need to develop a high-level strategy as well as a specific Application Use Policy that decides which applications to whitelist or ban, and share that policy with end users. Third-party apps now reach deep into corporate environments and spread quickly, so automating the workflow (identifying, whitelisting, banning and revoking apps in near real time) and acting on the results promptly matter more than ever. A super admin account should never be used to grant access to a third-party app, because a grant from that account can have enterprise-wide implications.
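The following is an added example, not code from CloudLock or from the report, showing what the automated workflow described above looks like in practice against the OAuth grants discussed earlier: each grant is checked against an allow list, a ban list, a set of high-risk scopes (the kind of broad access the game’s first release requested), and a list of super admin accounts whose grants are revoked unconditionally. The record shape mirrors what the `tokens.list` method of the Google Admin SDK Directory API returns (`clientId`, `displayText`, `scopes`, `userKey`), but the records here are constructed for the example, and the client IDs, policy lists and the `revoke` callback are hypothetical; in production the callback would call the API’s `tokens.delete` method for the user and client ID.

```python
"""Evaluate third-party OAuth grants against an Application Use Policy.

Added example, not CloudLock's or Google's code. Records mirror the shape of
Google Admin SDK Directory API tokens.list items, but every record, client ID
and policy entry below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

# Scopes that hand an app broad access to account data (assumed policy list).
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/calendar",
}


@dataclass
class Policy:
    allowed_clients: set          # client IDs already reviewed and whitelisted
    banned_clients: set           # client IDs to revoke on sight
    super_admins: set             # userKeys that must never grant third-party access
    high_risk_scopes: set = field(default_factory=lambda: set(HIGH_RISK_SCOPES))


@dataclass
class Finding:
    user: str
    client_id: str
    app: str
    action: str                   # "revoke" or "review"
    reason: str


def evaluate_grant(token: dict, policy: Policy) -> Optional[Finding]:
    """Classify one tokens.list item. Returns None when the grant is allowed."""
    user = token["userKey"]
    cid = token["clientId"]
    app = token.get("displayText", cid)
    risky = sorted(set(token.get("scopes", [])) & policy.high_risk_scopes)

    # A grant from a super admin can expose the whole tenant: revoke it even if
    # the app itself is whitelisted, which is the report's last takeaway.
    if user in policy.super_admins:
        return Finding(user, cid, app, "revoke", "granted by super admin account")
    if cid in policy.banned_clients:
        return Finding(user, cid, app, "revoke", "client is banned")
    if cid in policy.allowed_clients:
        return None
    if risky:
        return Finding(user, cid, app, "revoke",
                       "unreviewed app with broad scopes: " + ", ".join(risky))
    # Narrow scopes on an unknown app: queue for human review instead of revoking.
    return Finding(user, cid, app, "review", "unreviewed app with narrow scopes")


def audit(token_list: dict, policy: Policy,
          revoke: Optional[Callable[[str, str], None]] = None) -> list:
    """Run the policy over a tokens.list response and fire revocations."""
    findings = []
    for item in token_list.get("items", []):
        finding = evaluate_grant(item, policy)
        if finding is None:
            continue
        if finding.action == "revoke" and revoke is not None:
            revoke(finding.user, finding.client_id)   # tokens.delete in production
        findings.append(finding)
    return findings


# Constructed sample response; client IDs and users are hypothetical.
SAMPLE_TOKENS = {
    "kind": "admin#directory#tokenList",
    "items": [
        {"clientId": "game-client.example", "displayText": "Monster-catching game",
         "userKey": "alice@example.com",
         "scopes": ["https://mail.google.com/",
                    "https://www.googleapis.com/auth/drive",
                    "https://www.googleapis.com/auth/contacts"]},
        {"clientId": "crm-client.example", "displayText": "Approved CRM",
         "userKey": "bob@example.com",
         "scopes": ["https://www.googleapis.com/auth/contacts"]},
        {"clientId": "crm-client.example", "displayText": "Approved CRM",
         "userKey": "admin@example.com",
         "scopes": ["https://www.googleapis.com/auth/contacts"]},
        {"clientId": "notes-client.example", "displayText": "Note taker",
         "userKey": "carol@example.com",
         "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
    ],
}

SAMPLE_POLICY = Policy(allowed_clients={"crm-client.example"},
                       banned_clients=set(),
                       super_admins={"admin@example.com"})


def demo():
    """Audit the sample data, recording which grants would be revoked."""
    revoked = []
    findings = audit(SAMPLE_TOKENS, SAMPLE_POLICY,
                     revoke=lambda user, cid: revoked.append((user, cid)))
    return findings, revoked


if __name__ == "__main__":
    for f in demo()[0]:
        print(f"{f.action:6} {f.user:20} {f.app}: {f.reason}")
```

Running it revokes the game grant with broad scopes and the CRM grant made from the super admin account, leaves the whitelisted CRM grant alone, and queues the narrow-scope note-taking app for review. The allow list is keyed on client ID rather than display text because the display name is chosen by the app developer and is what a counterfeit app would copy.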

[Read CloudLock’s full report on Pokémon Go here]