Skip to content ↓ | Skip to navigation ↓

There is a deeper, hidden world all around us, but most of the population remains oblivious to it. An alien technology called exotic matter has broken through a dimensional barrier and leaks into our world through millions of pinprick-sized holes. This exotic matter subtly influences human creativity. Centered around the locations where this matter flows freely through the dimensional portals, people – unaware of the subconscious influence of exotic matter – erect public displays of art and ingenuity.

But not all of us are oblivious to this influence. Humans have developed scanners based on recently discovered artifacts of alien technology, which allow us to see, interact with, and take control of these dimensional portals and their supply of exotic matter. Within the humans who use scanners, two factions have spontaneously formed:

  1. The Enlightened: who believe the alien tech and exotic matter can only help humanity and fully embrace its wide adoption; and
  2. The Resistance: who distrust exotic matter’s subtle influence and are not so eager to jump into technology whose ultimate purpose remains unknown.

For more than four years, a war for control of human consciousness has been raging between these factions, in city streets and on the tops of mountains; from deserts to oceans.

This is the somewhat paranoiac backstory of Niantic Labs’ flagship augmented reality game, Ingress. For the four years of Ingress’ existence, its developer pioneered many of the gameplay elements now well-known through the fantastically popular Pokemon Go. Bringing massively multiplayer gaming out of living rooms and cyber-cafes and into the wider world seems like a ridiculous undertaking.

After all, avid video game players are not well-known for their love of physical activity. And yet, just a couple of weeks into the launch of Pokemon Go, we’re seeing an explosion of people hitting the streets to collect and battle monsters.

Unfortunately, for all of the amazing gameplay tropes Ingress pioneered, augmented reality games have also brought with them a set of growing pains that all developers would be wise to acknowledge. Some of those pains are technical, and some are social in nature. However, they must all be addressed in some form, or the genre itself could suffer a form of crib death – backlash over these issues could prematurely kill these and other great games before the genre has a chance to mature.

Some of these, at the time I proposed my talk to the conference (BSidesLV), were purely hypothetical or limited to a relatively small audience of Ingress players. In fact, many of these problems have become a sort of open secret, widely discussed among avid Ingress players, but without any broader context to the augmented reality genre.

Now, we’ve seen some of the fruits of these growing pains put on full display in the past few weeks as players of Pokemon Go have been targeted for mugging, threatened or arrested for trespassing on private land. Alternately, players have propagated either distaste (from the likes of the national Holocaust museum) or a warm welcome (from the many retail businesses whose Ingress portals magically transformed into Pokemon hotspots, attracting massive customer response).

Insofar as Ingress is concerned, players report the existence of a massive problem involving the spoofing of GPS data on mobile devices. Part of the problem is technical – there is no way for an app running on a mobile device to authenticate that the GPS data provided by the operating system is legitimate. The other part is cultural, where players who engage in this kind of GPS-spoofed activity generate a lot of inter-faction hostility and outrage, which in turn perpetuates the problem.

Spoofed GPS data gives rise to other issues, as well, such as providing support to a gray market in “farmed” goods that allows people who knowingly violate the game’s terms of service to financially profit from that illicit activity, further eroding the good will of the player community and engendering hostility among players.

At BSides Las Vegas, I’ll be presenting some of my research conducted over the past year into these growing pains, while I’ve slowly advanced through the game myself. As a malware researcher with a focus on incident response, and endpoint and network forensics, I have at my disposal a lab full of equipment designed to perform Big Data Analytics on the network traffic generated by various kinds of malware.

For some time, I’ve devoted a part of my daily work to studying mobile platforms and how security issues on these devices intersect with more traditional desktop PCs. A study of Ingress and its network traffic seemed only natural. But the more involved I became with the game and its players, the more I began to see the beginnings of real problems develop.

I consider this talk a retrospective forensic analysis of augmented reality gaming’s benefits and shortcomings, using Ingress as a canonical (but not the only) example. I also want to make it clear that I do not point fingers at Niantic – the issues I am planning to discuss in this talk are more broadly applicable than to just this one developer’s games.

In some cases, an issue might be an augmented reality analog to a problem that has long plagued massively multiplayer games, but in others, the real-world aspect of the gameplay clearly has developed its own subset of challenges that game or app developers must address.

As analysts and security professionals, I am certain that there are others, like myself, who want to see Ingress grow and thrive as a gaming community. It has developed an amazing culture and it pains me to see players suffer and argue. I also know that in my own work, I routinely seek out ways to use metadata to seek out and define the characteristics of bad behavior by malicious actors.

I don’t see the problems in Ingress as all that different from the problems I tackle daily through malware behavioral analysis. The infosec community has a lot to offer pioneering companies like Niantic in developing new methodologies to discover and kick out the bad actors in augmented reality gaming.

After all, unless we can convince game developers to find ways to avert or manage these problems, we could all find ourselves taken over by alien influences without our knowledge. Then where would we be?


andrew brandtAbout the Author: Andrew Brandt, Blue Coat Systems’ Director of Threat Research, is a former investigative reporter turned network forensics investigator and malware analyst. At Blue Coat, Brandt uses his knowledge about the behavior of malicious software to profile identifiable characteristics of undesirable or criminal activity. His analysis techniques seek to determine general principles that can help analysts and defenders rapidly and comprehensively identify the root cause of infection and data loss, putting real-time network data analysis at the front line of prevention.

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.