Pokemon Go – Recruiting & Training GPS Spoofers

July 14, 2016

“Wait, wait – you can make your phone think it is someplace it is not? What if you could mess with GPS and do that for other things like automobiles, airplanes, cargo trackers, ankle monitors, or oil tankers ?”

While the world’s militaries, intelligence services and criminal networks have been acting on this idea for a while, the Pokemon Company has brought it to everyday smartphone users.

“Motherboard” reports that, as soon as Pokemon Go was released, the geo-cheating began. Players who don’t want to bother actually going to the places required by the game simply “spoof” their phones’ locations and score points from the comfort of their own couch.

The immediate consequences of violating the game’s rules appear to be… you get more points much more easily. Though you do run the risk of being banned from the game at some point.

The longer term consequences for the rest of us could be much more serious.  Location deception is a huge and growing cyber problem (no one knows exactly how big since deceivers work hard to remain undetected).  This will make it worse.

Last year a Chinese presenter at Defcon showed how to build a GPS spoofer for less than $300. And apps to internally spoof a phone’s location have been around for years. To make any tool effective, though, people have to know it exists and be able to use it. Pokemon Go may inadvertently be the way GPS/location spoofing transitions from a niche criminal behavior to an everyday practice for much of the world’s technology users.

It was bound to happen  sooner or later.  The questions now are:

  • What do we do to guard against growing location fraud?  And
  • How can we re-establish location trust to ensure all the benefits it provides?

Special thanks to RNTF member Guy Buesnel from Spirent for calling our attention to this.  Check out his GNSS Vulnerabilities discussion group on Linkedin.