Could Pokemon Go cheaters threaten your cybersecurity?
Some say the rise in “location-spoofing” could lead to more GPS attacks on cell towers, drones and more.
It’s not enough to play the game. Some fans of Pokemon Go are cheating their way to success.
Though some players report trying ceiling fans, record players or drones to simulate walking, the most popular cheat talked about online appears to be location-spoofing—fooling the app into thinking you’re in a busy city with many Golbats and Pinsirs ready to catch, when you’re actually on your couch at home.
“I’ve moved all over the globe to most popular cities and honestly NYC is F’in STACKED with everything… no need to move elsewhere because there ARE rare pokemon in NYC,” says one location faker. “Just stay in NYC guys… seriously… central park is a gold mine.”
Other players may cry fair or foul, but there is a much bigger concern emerging among some in the technology security world—will this wave of geo-cheating breed a new group of GPS spoofers ready to try out their skills on criminal ventures or crucial infrastructure?
“The longer term consequences for the rest of us could be much more serious,” said Dana Goward, president of the Resilient Navigation and Timing Foundation in Washington, D.C. in a post. “Location deception is a huge and growing cyber problem (no one knows exactly how big since deceivers work hard to remain undetected). This will make it worse.”
In Pokemon Go, the more you move, the more opportunities you get to catch the pocket monsters. Some players say they want to try location-faking because they are disabled
Others say there are fewer Pokemon in rural areas, so they “teleport” to bigger cities to chase them down.
“…Some of us live in the middle of nowhere, while people in their flats in NYC can just watch Netflix and farm poke balls,” writes one geo-bluffer. “I know this because Pokemon Go now thinks I live in one of those flats.”
And some cite “desperation” as the reason for their cheating.
“Dude, I havent found a single pokestop or gym, I drove 400 km a few days ago, there wasnt a single one,” said a player online. “Now im running out of pokeballs, and I’m not looking to pay because im mainly broke as hell. Call it sad or pathetic or whatever, but in reality its only desperation that drives people to do this.”
But the basic message relayed online—to the disgust of more virtuous players— is, “I will do whatever I can to catch more monsters, even if it breaks the rules.” The cheaters say that Pokemon Go bans players who spoof their GPS, but call them “soft bans” that usually only last a few hours.
“The whole concept of this game is to get people walk around and catch Pokemon. Someone sitting at home and playing all day traveling the world and claiming gyms gives that person a huge advantage and cheating, regardless of whether or not you can physically play,” wrote one player in response.
A step further?
If you’re willing to use location-spoofing to cheat at Pokemon Go, would you do the same at work, or worse, to the machines that move your world?
“There will be some number of people that will eventually use that capability for their own purposes, most of which are nefarious,” Goward told Archer News.
Drug traffickers have been spoofing government drones at the U.S.’s southern border, reported Defense One. Game location-spoofers turned curious criminals might try something similar, said Goward.
“Since a private citizen now can, for $300, build and operate their own GPS spoofing device, I think they could do so and start diverting drones of all kinds. Recreational drones, ones that start delivering Amazon packages,” he said. “Any number of drone vehicles or aircraft and diverting them for their own purposes.”
“You could do a number of things to damage automated systems that rely on GPS,” he added.
Spoofing at work
Taxi drivers in Australia were caught spoofing their locations so they didn’t have to wait in line for the next fare at the airport and could instead roam around picking up passengers, he said. That would be unfair for the cab drivers who did wait their turn as required. Some Uber drivers did the same at the San Francisco airport, reported KPIX.
Messing with GPS can be more than unfair, however. It can also be dangerous.
The FCC fined a New Jersey man more than $30,000 for using a GPS jammer in a company vehicle to keep his boss from tracking him in 2012. The man accidentally killed GPS signals used by an experimental landing system at the Newark Liberty Airport.
Using a GPS jammer is illegal in the U.S.
“They may also disrupt critical emergency communications between first responders, such as public safety, law enforcement, emergency medical, and emergency response personnel,” the FCC said in a public announcement. “Similarly, jammers can endanger life and property by preventing individuals from making 9-1-1 or other emergency calls or disrupting communications essential to aviation and marine safety.”
Crooks are already putting GPS attacks to work, and location spoofing makes their job easier, according to Goward. From outwitting law enforcement ankle bracelets to stealing cars, location is key.
High-end cargo, like expensive cars, jewelry or pharmaceuticals, often has a GPS tracker. Criminal groups will jam the tracker and steal the cargo, giving them about 30 minutes or so before the alarm bells sound, he said.
But spoofing the GPS could make the owners or shippers think the car or shipment is in still on the right route when it is not.
“Then instead of a half-an-hour grace period where you get to have the cargo without anybody knowing it’s gone, you get five or six hours, or maybe a couple of days,” Goward explained. “Say it’s on a cross-country truck or something. You could make it believe that it’s continuing across the country for days, and no one would be the wiser.”
The biggest concern may be about critical systems that depend on GPS to run, from the lights in your house to your cell phone to ships on the sea.
“IT networks, cell towers and networks, the electricity grid,” said Goward. “Financial transactions, transportation of all kinds rely on GPS. The first thing that happens when GPS fails in an area is that transportation of all kinds slows down right away, becomes much more dangerous, slower and can carry less capacity.”
Cell service could fail, Wall Street could grind to a halt. Ships and planes could be hijacked from the ground, according to a report in Security Affairs.
“Trying to think of something that doesn’t rely on time or location of both from GPS,” Goward added. “It’s difficult to think of something that is not impacted by this silent utility.”
The Department of Homeland Security said in a recently unclassified report that GPS jamming is a more likely attack because GPS spoofing is harder to do, but that a spoofing attack would have more serious consequences. The report concluded “the widespread and growing use of GPS, coupled with threat actors possessing technologies that can disrupt GPS now and in the future, pose a long term threat that cannot be ignored.”
It’s protected, right?
Pokemon Go may open people’s eyes to the world of GPS spoofing, Goward said.
“Well, if I can do it with this, how can I do it with other things and what can that be?” he said.
“Malicious actors in terms of intelligence services in different countries, military folks in different countries, terrorist organizations and criminal networks have all thought that and taken steps to deceive and provide sometimes hazardously misleading information to GPS receivers,” he added. “It really hasn’t been the kind of thing that’s been acknowledged or appreciated by the general public.”
However, the systems are not defended enough to keep bad people out, according to Goward.
“I think my message to people who make policy, both in industry and in the government, is that this location information is way more important than you have given it credit for. And it underpins so many different things. And you really haven’t taken steps to protect it,” he said.
Fortifying devices and receivers so that they are not vulnerable to GPS spoofing would help, Goward said. His group, the Resilient Navigation and Timing Foundation, is also promoting the use of eLORAN, a system that would provide location information in tandem with GPS, allowing monitors to see if GPS is being spoofed.
Will Pokemon Go turn people into criminals? Not likely. But, Goward worries, some who are already willing to break the rules may now have new inspiration and new insight into a way to mess with systems far beyond just a popular video game.
“It’s just another example of the cat getting out of the bag,” he said. “Hopefully, folks will be able to take some mitigation measures before something unfortunate [happens].”
For some Pokemon Go players, finding ways to game the game is educational—like taking something apart to see how it works—as long as you use it to explore, not exploit.
“Figuring how a bank works is great, using that knowledge to steal money is not,” wrote one user. “Figuring out how to location spoof in Pokemon Go is great, using that knowledge to gain an advantage in the game is not.”
Beyond the game, the education factor could work both ways. Some may hone their GEO-cheating skills to attack the GPS that runs our world, while others may explore better ways to defend it.