Scott Register, VP Product Management for Ixia looks at the potential risks that AR represents to organizations, and the steps organizations can take to mitigate it
Augmented reality (AR) is not new, but the explosive popularity of Pokémon GO has shown that the technology’s time has arrived, thanks to a combination of technology advances and cultural change. Mobile devices now have the processing power and connectivity to fully support AR, and we as individuals have accepted always-on, geo-located devices as part of daily life, despite their potential privacy risks.
But there is also a very real security risk to organizations that don’t prepare for the impact that AR will have on their networks and security, as more and more AR apps are introduced. Imagine, for example, an employee pointing their device at a printer in the office, to get a walkthrough of how to change the toner or clear a paper jam; or a maintenance engineer using a tablet to get information on repairing critical equipment at an electricity substation. Both of these are realistic uses of AR, and it’s easy to see the commercial potential.
It is also easy to see the inherent risks. The traffic that enables all this magic to happen is crossing your network, revealing details such as IP addresses, location, type of device, user permissions, and more. If a hacker intercepts that traffic – as they have already been able to with Pokémon GO traffic – what could it reveal about the user, and the network?
As such, it is no surprise that the US Pentagon and the Israeli Defence Force have banned their employees from playing Pokémon GO because of the potential impact of the app on their security postures. So what are the real risks of AR to organizations, and how can those risks be addressed?
What’s in the data?
To understand this, let’s examine the type of network traffic generated by an AR app, and see what information it reveals. Ixia’s Application and Threat Intelligence researchers recently analyzed communications between the Pokémon GO app and the servers of Niantic (the app’s developer), which highlighted some interesting security findings.
The Pokémon GO app – like many other AR apps – uses the device’s location data to deliver the appropriate information to users, according to their surroundings. It isn’t difficult to imagine a hacker combining that location data with other personal information (let’s not forget that the original Pokémon GO user agreement allowed Niantic to access user information including Google profiles, histories and past searches), to build up detailed, targeted pictures of users’ behaviour. That sort of data is valuable to a criminal.
Also, communication between the Pokémon GO app and its servers is done via HTTPS, but early versions of the app did not support certificate pinning, making it easy perform man-in-the-middle exploits to intercept data.
As such, it’s easy to see the types of user-specific data that AR apps reveal as part of their normal functions – and the possibilities this presents to hackers for snooping and data manipulation if the application’s security has any vulnerabilities. The key point is that the very nature of AR is that it is personalized to the individual user’s situation. It is an augmented version of their reality. And this means that it must access some personalized data – whether location, shopping history, financial details or something else entirely. Is that information you want to be transmitted out of your organization’s network?
Malware matters
Then there is the question of malware. Just four days after Pokémon GO launched, cybercriminals had created a fake version of the app, complete with embedded malware, which gives a handy model for criminals to apply to other new AR applications. The possibilities for malware in AR apps are almost endless: keyloggers that capture user credentials; a mobile remote access Trojan (mRAT) which could infect a device and stealthily intercept data and communications; or an agent that downloads further malware to the network via the device.
Who is in control?
It is vital, therefore, that organizations consider now how best to manage and enforce control of AR apps on their networks – to get ahead of the curve and put protective measures in place before the next AR craze.
Three important factors to consider are your mobile device management (MDM) solution, since AR apps like Pokémon GO are focused on the smartphone market. Employee training and awareness is also crucial, since human error and carelessness is often a key vulnerability for cybercriminals to target.
The third key factor in an AR risk mitigation strategy should be visibility of app traffic on your network. To protect against sensitive data being exposed, or malicious data being introduced, you need to ensure that you have comprehensive, real-time visibility into all your network traffic, all the time. A variety of tools and solutions exist that purport to offer such network visibility; what you are looking for is intelligent filtering and distribution, including across Layer 7 application flows and encrypted traffic, at line rate with zero loss of packets. Without this end-to-end visibility, augmented reality could all too easily mean augmented risk for your organization.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.