
Ingress Egress: Emerging Threats in Augmented Reality Gaming

BSides Las Vegas · 2016 · 1:00:45 · 225 views · Published 2016-08

About this talk
Andrew Brandt examines security and privacy risks in augmented reality games like Ingress and Pokémon Go, including player tracking through data scraping, location disclosure, and physical safety threats. He demonstrates how plaintext APIs enable threat actors to map player movements and build detailed location profiles, then proposes defenses: eliminating player-action broadcasts, encrypting game data end-to-end, correlating geolocation metadata to detect spoofing, and establishing community norms around responsible gameplay.
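One of the defenses listed above, correlating geolocation metadata to detect spoofing, can be checked on the game server with nothing more than the server's own timestamps and the coordinates attached to each player action: two actions by the same account that would require impossible speed to connect are a spoof or bot signal. The following is an added example, not code from the talk or from Niantic; the event schema, the thresholds and the sample events are constructed assumptions, and it also covers the "same instant, two continents" pattern of scraper accounts that the talk describes.

```python
# Added example: server-side impossible-travel check on player action events.
# Not code from the talk or from Niantic; the event schema, thresholds and
# sample events below are constructed assumptions for illustration.
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt
from typing import Dict, List

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0     # assumption: faster than any airliner a player could be on
MIN_DISTANCE_KM = 0.5     # assumption: below this, treat movement as GPS jitter


@dataclass(frozen=True)
class ActionEvent:
    """One player action as the server would log it (constructed schema)."""
    agent: str      # pseudonymous agent name
    ts: float       # server-side unix timestamp, seconds
    lat: float
    lon: float
    action: str     # e.g. "hack", "capture", "deploy"


@dataclass(frozen=True)
class SpoofFinding:
    agent: str
    ts_from: float
    ts_to: float
    distance_km: float
    speed_kmh: float   # inf when two events share a timestamp


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(events: List[ActionEvent],
                           max_speed_kmh: float = MAX_SPEED_KMH,
                           min_distance_km: float = MIN_DISTANCE_KM) -> List[SpoofFinding]:
    """Flag consecutive actions by the same agent that imply impossible speed.

    Events are grouped per agent and sorted by server timestamp, so the check
    relies on the server's clock rather than anything the client reports.
    Two actions with the same timestamp but far apart get an infinite speed,
    which catches accounts "fake geolocated all over the world simultaneously".
    """
    by_agent: Dict[str, List[ActionEvent]] = {}
    for ev in events:
        by_agent.setdefault(ev.agent, []).append(ev)

    findings: List[SpoofFinding] = []
    for agent, evs in by_agent.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < min_distance_km:
                continue  # ordinary GPS noise, not movement
            dt_h = (cur.ts - prev.ts) / 3600.0
            speed = float("inf") if dt_h == 0 else dist / dt_h
            if speed > max_speed_kmh:
                findings.append(SpoofFinding(agent, prev.ts, cur.ts, dist, speed))
    return findings


def suspicious_agents(events: List[ActionEvent]) -> set:
    """Agents with at least one impossible-travel finding."""
    return {f.agent for f in find_impossible_travel(events)}


# Constructed sample events (not real players or real game data).
T0 = 1_470_000_000.0
SAMPLE_EVENTS = [
    # a legitimate player walking around Las Vegas: about 1.4 km in 30 minutes
    ActionEvent("agent_legit", T0,        36.17, -115.14, "hack"),
    ActionEvent("agent_legit", T0 + 1800, 36.18, -115.13, "capture"),
    # a spoofed account: Las Vegas, then Denver ten minutes later
    ActionEvent("agent_spoof", T0,        36.17, -115.14, "hack"),
    ActionEvent("agent_spoof", T0 + 600,  39.74, -104.99, "capture"),
    # a scraper account acting in Las Vegas and London at the same instant
    ActionEvent("agent_scraper", T0,      36.17, -115.14, "hack"),
    ActionEvent("agent_scraper", T0,      51.50,   -0.12, "hack"),
]

if __name__ == "__main__":
    for f in find_impossible_travel(SAMPLE_EVENTS):
        print(f"{f.agent}: {f.distance_km:.0f} km in {f.ts_to - f.ts_from:.0f} s "
              f"-> {f.speed_kmh:.0f} km/h")
```

The check deliberately ignores short hops so that ordinary GPS drift does not produce alerts, and the 900 km/h ceiling is an assumed threshold; an operator would tune it and feed findings into account review rather than acting on a single hit, since a player who boards a flight between two actions will also trip it.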
Original YouTube description
Ingress Egress: The emerging threats posed by augmented reality gaming - Andrew Brandt Breaking Ground BSidesLV 2016 - Tuscany Hotel - Aug 02, 2016
Transcript [en]

Good evening. We are at the last talk of the day; this is the Breaking Ground track and you are in Florentine A. We would like to thank our sponsors, supporters and donors who have made this BSides possible. Do go to a booth, say hello to them and thank them for making this wonderful convention possible. Next we have Andrew Brandt. Andrew Brandt is director of threat research at Blue Coat Systems, and the topic we are having is Ingress Egress: the emerging threats posed by augmented reality gaming. For all the Pokémon Go lovers this could be an interesting talk. You guys hear me? Great. All right, give me one second, because this thing crashed my graphics driver.

Come on, PowerPoint. All right.

All right, great. So thanks very much for coming. I'm Andrew Brandt, I'm the director of threat research at Blue Coat. My normal day job involves me running a lot of malware in a lab, in which I not only record the behavior of the malware but I'm also recording the network traffic of the malware communicating with its command and control servers, downloading payloads, and to do that we have a bunch of appliances that the company makes, and I just use those products in my research. But I'm also a gamer, and I found as I got a little older that playing twitch games on a screen actually started to give me migraines and make me feel sick, and it

was a really depressing experience until I discovered augmented reality gaming, and so I got into this game called Ingress in a pretty big way. Is this going to work? Right. So in this talk I'm going to talk a little bit about the fundamentals of the game itself, but I'm also going to talk about how I use some of the tools in my lab to decrypt and decode some of the communications in the game, just to learn a little bit more about how that game worked. Now a lot of you know that Niantic, the company that makes Pokémon Go, is the same company that makes Ingress, and Ingress in a lot of ways is both a precursor of and a

supporter of the Pokémon universe, so there's a lot of cross-pollination involved in both games, and what I see here is a number of different problems. Some of them have been addressed by Niantic in Pokémon Go, but a lot of them persist, especially those involving personal safety and privacy, and we're going to talk about all of those things. But we're also going to talk about what Niantic has done, and what I'd like to do, because this is the Breaking Ground track and they're asking that this be a very interactive back and forth, is I'm hoping that the audience will come forth with suggestions. I know there's a number of Ingress players who are here in the room as well as just

people who are interested in privacy and security, so I'm hoping that you'll have good suggestions at the end. I have a lot of slides to get through, so I'm just going to whip through it as quickly as possible. All right, so what is Ingress? So Ingress is this very interesting science fiction themed game with a very paranoid back story involving aliens making a kind of covert intrusion into this world from another dimension, and as they're doing that, some of their technology is leaking into this dimension, and only people with special things called scanners, i.e. the Ingress app, are able to see this technology for what it is. Think of it as They Live for the year

2016: you've got these goggles where you can see all kinds of stuff that isn't there, that normal people can't see. You can interact with these things and you use that to advance within the game, attack other teams and just have a lot of fun out in the real world. Everything that happens in the game takes place in or around these things called portals. Portals are basically user-submitted physical locations in the real world. They have to be human-created things with some kind of artistic or creative or cultural or social value that users have submitted to Niantic, and Niantic has had a human basically approve these as being locations that can be portals, and everything happens with these portals.

The only way that you can interact with portals is to be standing 40 meters or less from the portal itself, so a lot of the interaction within the game, at least the legitimate interaction that's done by players who aren't cheating and doing other kinds of goofy stuff, is to be walking around in the world going to these portals and interacting with them. But that's not always the case. So the correlation between Pokémon Go and Ingress is really, really obvious to people who have been playing Ingress even for a little while. These are just two screenshots: on the left side is the screen for a portal and on the right side is the screen for a PokéStop

or a gym, and basically in smaller towns where there aren't a lot of places to play these things it is pretty much a one-to-one correlation, but in places like Las Vegas where there are absolutely tons of portals crowding the entire city, what you see is that one out of every three or one out of every four portals has been removed for Pokémon Go and is not a PokéStop or gym, just because the density is too high. So the other thing that is kind of key to understand in the background is just sort of how you play the game a little bit. Everything you do in

the game involves you using this stuff called exotic matter. This is the stuff from the science fiction universe that is leaking into our universe; essentially it's energy that you get by walking around in the world, and in the game it's represented as these little floating blobs that, as you walk along, kind of get sucked into your player's avatar in the game, and when you have enough of this energy you can do things in the game. The other thing about it that's kind of cool and appeals to me as a security guy is that your primary way of interacting with these portals is to hack them. There is actually a button that says hack in the game, and

hacking the portals is the primary way in which you gather gear and collect keys and do other things that involve gathering resources to do stuff with in the game. Now there's two scoring methods. There's a personal scoring method for each individual player, where they get points based on how far they walk, how many portals they hack, how many unique portals they hack or capture, the length of links between them, the fields, the size of fields that they make out of linking triangles of these portals together; all contribute to an individual score. But then there is a separate scoring for the two factions or teams within the game that is purely based on the area that is captured on the planet

Earth by your team. So in the game, for people who play the game, there is this other sort of web resource that you can use on a laptop that's called the Ingress Intel map, and essentially it is Google Earth with a view into the Ingress world, and what this is showing is kind of a really widely zoomed out world view of the biggest links and the biggest areas in which different teams have captured. These colored areas are called fields. But if you zoom in, the closer you get to any physical location you actually discover that, such as like right here at the Tuscany, there are six portals within reach, and I

took the screenshot about an hour ago, but I just killed this green portal that's here in the middle and turned it grey. So if you're playing in here and you want to capture a free portal, like, just, you know, drop a couple resonators on it right now. What's that? Exactly. So if you didn't notice, I'm actually wearing the key of the Resistance faction; that's the faction that I play for. So just other elements that I wanted to just sort of mention in passing, just because it's such a rich game and there's so many ways that you can play it: there's a puzzle game within the game that's called glyphing, where instead of hacking you

hold down the hack button for a long time and you kind of draw little patterns on the screen. It's a little bit of like a memorization game, because it does these little symbols called glyphs and you have to repeat them, and you get more gear if you do them accurately and fast. Again, there's these badges that you can get for different accomplishments within the game; that's kind of [unclear] among players. And then every once in a while players will get together in cities in events organized by Niantic called an anomaly; for example, the next one is going to be in two weeks in Denver, and what happens in those places is the

company sets out certain portals as being critical capture points for one faction or the other to either hold or to take away from the other faction, and the winners of these anomalies actually decide key decision points within the fictional storyline of the game and help drive the story in one way or another. So the anomalies are actually pretty key to the sort of ongoing backstory that happens within the game. And also, just as another thing, people who are at this event especially will really appreciate the fact that there are these things called passcodes, which are ten-character codes that, when you enter them into your scanner app on your phone, will give you extra gear, and one

of the ways that people discover these passcodes, well, some of them are leaked by Niantic and some of them are handed around by teams to their friends, but what is actually very interesting is that the company puts out these videos and screenshots and other interesting art on their website and on their Google+ page, and if you search through these images, often in the metadata or sometimes just buried in the image, almost as a steganographic exercise, they will put these passcodes in there, and there are teams of people who just do steganography and image analysis to find these things. It is just kind of a cool side game. There's just some screens from the game showing, for instance, the

Guardian badge, which is one of the rarest and most difficult badges to obtain, because it involves maintaining control of a portal that you captured for a certain number of days, and the highest level badge is 150. It is by far the hardest badge in the game to get and keep, just because of the nature of the game. All right, so let's talk a little bit about the communications within Ingress. So there is this mechanism in Ingress to send messages back and forth between players, as well as the game itself will send game messages involving, say, like when some person attacks a portal that's controlled by another person or the other faction, that person will receive a

little alert message in their scanner app that says so-and-so is attacking this portal at this location, and all of this stuff is basically broadcast to everybody who's within a certain geographic radius of the location where the event is happening and has the game on or is looking at the Intel map. So this chat window, the one on the left, is the one from the game and the one on the right is the one from Intel, but essentially they are showing you the same thing, which is little text messages that people are sending back and forth to each other, or mostly actions that happen within the game that involved the changeover between one faction, or attacks that are happening in real time,

or captures. And actually it's worth pointing out, just to go back here, this one on the left, and I know it's hard to see in this light room, but the text that's in white is a broadcast message that was sent out by a player who is advertising a black-market gear store. So there are people who are playing this game gathering gear specifically so they can sell it for real outside of Niantic's purview to other players, and we'll talk about that in a minute. So to do the capturing that I did is really fairly rudimentary, and it doesn't require all the gear that I have in my lab; it just makes it

easier. I have a wireless access point that I use to connect the phones that I'm using and the other mobile devices I'm using, and I use them all the time to capture malicious traffic on infected Android devices, but in this case I was using it to capture the traffic from my phone and other phones that I was using to play the game. I'm using something that sniffs that traffic and allows me to save it and manipulate it in a lot of ways; it's called Security Analytics, and the box that's pictured here is called the SSL Visibility appliance, and it is essentially a stand-alone man-in-the-middle SSL decrypter box that is sold to corporations who want to use it for data

loss prevention or policy enforcement on their internal networks, and I'm giving a talk about the SSL Visibility appliance at DEF CON at the Crypto and Privacy Village on Saturday morning if you want to hear more about that, and that's all I'm going to say about it: this is what I was using. So when you're running SSL decryption on an Android device, you have to add the certificates, the resigning certs, into the device, and there are some persistent warnings that appear in the device. I just thought I'd show these, because it's worth noting that you can't just do this SSL decryption without the person who's being monitored knowing about it. First of all, you have to manually install

these certs, which is a non-trivial exercise, to get them on the phone and install them, and secondly it then pops up these warning messages pretty persistently, almost all the time, in the notification bar, and then when you hit the notification it pops up this bigger window that says you really could be being monitored right now by someone you don't know, except you probably do know who it is. All right, so this is the UI from the SSL Visibility appliance, and it's just showing a log of the sessions that were decrypted during a bunch of communications, this one in particular of the startup of Ingress, and what it's showing you here is, on the

left is a column of the IP addresses and the ports, then the domain names we were doing the communication with, the cipher suite that was being used, and then it says it was using the resigned certificate decryption, and for most of them it says success, but on the second and last one it says alert bad record MAC, and that just means that there was a mismatch in the MAC address on that particular session. So when the app starts up, the first thing it does, because, and again I don't know if you're aware of this, but Niantic is actually a spin-off of Google; at the time when Ingress was

launched it was a part of Google, it was one of their divisions, and now it is a separate company, but they still share a lot of the same ecosystem, and the first and most important is that they are using Google OAuth. Your game account is tied to your Google address and your other Google information that's on your phone, and this became, you know, pretty well known in the first week of Pokémon Go's release, because there was a big hoo-ha about the fact that Pokémon was basically getting all permissions to everything tied to your Google account. That has now been fixed, but this is basically what is happening, is that they

are just validating that your account is properly owned by you, it's on a phone that you have used before for this account, and they're just doing this check, and you can actually see, circled in red, it says com.nianticproject.ingress; that's the name of the app, the internal name of the APK in Android. So the next thing it does, and this is kind of interesting, is it connects to, it gets a positive connection from, something called Google Cloud to Device Messaging. Now this is interesting because Cloud to Device Messaging was actually discontinued last October by Google. They actually put out a big notification that says we're stopping using this, don't incorporate

this into any of your apps anymore, we're going to shut the service down, and yet C2DM is actually working, and every time you start up Ingress there is a little C2DM session that goes back and forth. We know for sure because Security Analytics was able to show us, once again, that com.nianticproject.ingress was the source of that communication, and that was what was being sent as an HTTP POST up to Niantic, or I should say up to Google. So then once you've gone through the authentication process there's an initial setup that happens, in which the game receives a bunch of initial data just so that when the UI pops up it's populated with information.

First you send it up your latitude and longitude, using the location services on the phone. It queries the phone, it says where are you, it sends that back to Niantic, and Niantic does some stuff on there where they figure out, within a certain radius, 5 kilometers, 10 kilometers, however you've got it configured in the phone itself, it will then send back chat messages that have been sent within that radius as well as the event messages, and that's what's sent in this very first packet: the back and forth is the geotagging information about where you are and then all of the messaging stuff, the stuff that would happen in the comms window

that you would see as soon as you started the app up. The next thing that happens is that it then transmits to you a lot more of that chat messaging, going back quite a ways, for like the last two or three hours previously, as well as pretty much all of the configuration information that is used to define, for instance, what are the various values that are used by the game to determine whether you're within a certain range or have a certain level of weapon to defeat a thing that is of this other level within the game. All of that configuration data is sent every single time you start the game, so there is

this back and forth and hand-off of the rules of the game that are sent to the phone. Now it's an academic exercise to understand that if you are receiving all of this configuration information that decides how the game is going to work, why would someone not just interface with the network card between the game and Niantic and just tweak those values a little bit for their own benefit? Oh, and by the way, it is worth mentioning that of the two factions in the game, one is called the Resistance, one is called the Enlightened. The Resistance are the humans who believe that this alien technology, thank you very much, that this alien technology is something

that we should be a little wary of; we don't understand the motives of these aliens, maybe we should take a step back and not quite accept it so rapidly. The Enlightened are the team whose philosophy is we should embrace this, they are just nothing but beneficial, everything is good, all the benefits of this technology are good for everyone, why not just embrace it? Right. It is worth noting that in the internal messaging of the system the Enlightened team is referred to as aliens, so be warned: you are working for the aliens. So the next thing that happens is that the Niantic app sends a little handshake that's called sup, and when that comes

back, here is all of our configuration data that comes back to the device. Right, so as I mentioned, you've got all the rules for what are the glyphs that can do things when you are trying to do the glyph thing to make the glyphs happen faster, give you more keys; the action costs for different actions within the game; the weapons radius for different weapons within the game; the badge tiers. All of this stuff is transmitted every single time in the handshake. It's not really clear to me why this isn't just hard coded into the app, but I guess if they wanted to change the game on the fly they could literally just change some settings on the server

and then everyone's game would work in a different way, but it just seems to me like it's just an opportunity for a lot of messing around. So in addition to the app itself, the app has several analytics tools that are built into it. One of them is the Upsight API, and Upsight is a very common, widely used, completely legitimate Android app analytics company, and Niantic is using it for doing in-app purchases. There are some things that you can buy for real money using your Google account in the game that will help you, you know, accumulate more gear or do other things within the game that are fun, nothing that gives you a huge advantage but some

stuff that gives you a little advantage, and so they're using the Upsight API to do all this payment management and to control how that happens within the game. When you first log in, though, Upsight sends a huge amount of data about your device itself: the make, model number, the geolocation of it, what mobile network it's on, what version of Android it's running, whether or not it's rooted, what's the localization, what language is it using, how many days have you been active in the game, has there been a gap of several days since you played it or have you played it in the last 24 hours, and all of this stuff is sent to Upsight at the same time as

you're logging into the game. And then there is a third, or second analytics, or a third set of information that's sent to a different company called Crittercism, and that is also sending information about the version of the app, the version of Android that you're running, the name and the make and model of the phone that you're using, the country code of the country to which your SIM card is tied, and a bunch of other information, including like the build date of the app and its version and localization. So already you've got, you know, two third-party companies that are receiving an enormous amount of device data about the device that you're running the game

on. Then what happens is, as you play the game, there are all these API calls that happen, and they again, like most of the other ones that are happening throughout the game, it's an HTTP POST up to Niantic with some data and then a response back, and they have names like this and they're involved in doing things like updating the inventory of the gear that you have, updating the map that's shown on the screen, updating the chat messages that are shown in comms, and they're basically happening constantly, and it's one of the reasons why, when you run Ingress for an extended period of time, and if you know people who play Ingress you always see them carrying these giant-

ass external battery packs and giant plugs and wires and things like this. Thank you very much. We are all carrying these battery packs because all of this data and all of this using of the GPS constantly is just chewing through the power on our phones, but we are pushing the envelope on what you can do with these things, so it's kind of interesting to see it all happening. The most interesting API call that I see is this one that's called getPaginatedPlexts, and getPaginatedPlexts is interesting: it contains all of the rich, juicy detail about everything that's happening by other people as well as yourself within the game. It's all those text messages

that I mentioned earlier, plus all the action messages, but in addition to the texts and the actions, and which is not displayed by the client itself in the UI but is shown to the API and not displayed in the UI, is things like unique user IDs for all the players, unique IDs for all of the portals and locations in which you're playing, as well as all of the geolocation data for all of these events that are happening, whether they're done by you or by someone else. So all of this information is constantly being fed to your phone, and because you can receive it all and can man-in-the-middle it, you then have

access to a lot of shenanigans that you can do if you, say, collect it all. We'll talk about that in a minute. What else is interesting? So there was this one session that we decrypted, at the end, the one that had the weird MAC address problem, and it was on this strange port, 7275, and I had to do a little research on this, and I discovered that there is this tool called ULP, UserPlane Location Protocol. It's a protocol that is basically used by apps that use GPS; they go out and they receive telemetry about where in the sky the satellites that are above you are right now, and it's a way to more quickly get your

GPS to sync and get the location faster, and it was just interesting to see it's TLS over this weird port, and if you look at the packet itself, because it's not an HTTP packet, and it's really hard to see because it's so tiny, but like right up here it says degrees of latitude, degrees of longitude; it's very, very precise satellite data with nine or ten degrees of accuracy, so it's very, very precise geolocation data, plus all the error code values so that you can do the calculation and get your location down as precisely as possible. It's also worth noting at this point that the OAuth stuff that Pokémon Go is doing is very similar to what we see, but we're

also seeing, we also see that they have made some improvements. Now one of the, as I mentioned earlier, one of the improvements that they've made is that they're doing a little bit less of the, it's a little less obvious: they're not using a user agent string that is directly connected to Pokémon Go. The user agent in Ingress, as I mentioned, is Nemesis, and they're using the sort of standard Dalvik user agent string that's used by apps that hook the network device. You'll also see that there's no chat messaging, but there's a lot of binary data that's being passed back and forth. However, the few things that they are doing that are similar is because they're using the

same location database, and they've already built an infrastructure involving UUIDs for the locations; those hash values on the names of the locations, as well as their pictures, are being transmitted in the clear in this stuff, but it is essentially doing the same thing where it's doing this API HTTP POST stuff back to the server, getting a response back; it just doesn't have nearly as much data in it. Right, oh, and this is just the Pokémon Go login. So if you didn't know this, for people who are under 16, I think, if your kid is playing Pokémon Go, instead of having a Google account you have

to sign up through Nintendo, which has this thing called the Pokémon Trainer Club, and so you have to create an account on Pokémon Trainer Club, and then when you log in, instead of going through Google OAuth it goes through Nintendo's separate OAuth, and then this is just the header stuff. Boy, it's a really fuzzy picture, I'm sorry; is there any way you could focus the projector a little bit? It's just really blurry. But like, yeah, this is all the header data that shows they're sending things including, it's really hard to see, but the birth date of the player in that OAuth session data, as well as there's actually the parent's email in there, because you have to tie a

Pokémon Go kid's account to a parent's account, so it has UUID stuff, and then there's something called date of consent, and I didn't really understand what that was, but in the kid's account that I created I noticed that the age of consent is actually 13 after the birth date, so apparently 13 is the age of consent as far as Pokémon Go is concerned. That's okay. All right, so let's talk a little bit about what you can do when you can scrape this data and you can suck it all down. So there are some very clever people who have figured out all of this stuff that I've shown you so far, and they have built data

collection systems that are using bogus accounts that are fake geolocated all over the world to collect all of these player action things from everywhere in the world simultaneously, and they're databasing that stuff, and they've been databasing it for years. They're capturing, decrypting and parsing all of this stuff and making it searchable with a really nice UI. There are at least three of these for each faction, and it's been kind of an open secret among the Ingress community that this exists for some time, because it does violate the Niantic terms of service to be doing this. But more importantly, and the reason that I'm talking about it, is that it opens up a

lot of opportunity for people to do some really bad things. So I just got back from the UK, and one of the things I did, of course, I was playing Ingress when I was there, because it was exciting, and one of the badges you can get is for capturing a portal that you've never captured before for the first time, so I was trying to get all these uniques, and I was very proud of the fact that when I went to North Wales I captured every World Heritage Site castle in North Wales. That was my big victory, and I was so proud I took screenshots of it. So it was Conwy,

Caernarfon and Beaumaris are the three World Heritage Sites, and the coolest thing about winter capsule is it's known as the most haunted castle in England, or in the UK. So I got the most haunted castle and the three World Heritage Sites, but little did I know that while I was doing this, one of these player trackers was monitoring mine and every other player in the world's use of the game, and created this heat map that shows exactly where I was and how long I spent using the game at these different locations in North Wales, and when I saw this it scared the crap out of me, because again it's only an academic exercise to understand

that what these player trackers are able to do is keep track of an enormous amount of location data, let you view by time slice where that location data is, and even further you can slice it down to morning, afternoon, evening, like what is the propensity of a certain player to be in a certain place between eight o'clock and ten o'clock in the morning. Well, you might find the neighborhood where the person lives, you might find where their office is, where they frequent, where they go shopping, where they drop their kids off at school and then hack the portal at the church down the street. There's a lot of ways that this can be abused. So here's another

view of a different player tracker. This one shows some of the players that are located in northern Colorado, where I live, and it was used by the players in my faction to monitor players on our faction who we knew were doing bad stuff, and so the ones that are in gray are real players, the ones that are light-colored are real players, and the ones that are highlighted in kind of this green-gray shading are the players who are using what we think are spoof accounts or bot accounts to conduct themselves in ways that are not befitting a player who is responsible and respectable. Here's a different view

of a different player tracker showing the details of a particular spoofer who we know was doing some really bad stuff, and again it's really hard to see, but I'll just show you that it's got the names, the days owned and the date of each captured portal that this guy had under his control, and there's a little button here that says add to threat watch, so that if there are players who are on this green faction who were causing problems for other people, the members of the blue faction who run this particular tracker were able to put this person on a watch list so they could keep a closer eye on them

and collect more data about them and get alerts on when they were doing certain things. And, you know, again, it could lead to shenanigans. So this is yet a different player indexing service, and this is data about my account. It shows that my region is Utah for some reason: it shows the region that I'm in as being the place where I hacked my very first portal, which happens to be near Blue Coat's offices in Draper, Utah, but that is not my physical location, it's just where I started the game. It also shows that I started the game on July 1st, 2015 at 9:34 or 9:24 in the

evening while I was out for dinner with some of my co-workers, and it has all of my badges and how long I've been playing and what is the longest continuous number of days I've been playing, how long is the number of days that I've had my guardian for, etc. Here's more details about my account, and it actually shows: so these are some of the portals in the UK that I visited while I was on my trip, but then there's some of these ones that are from Colorado, and then the one that is grayed out with the name "bust" is my guardian portal, and it's hard to see but it says it's 262 days. It

turns out that while I was in the UK I made a grave error. I had met with a couple of people who are on my faction who I thought were friendly players, and we had hung out and had a few beers and played a little bit and gotten together a few times, and the guy said, like, "hey, you know, do you have a good guardian? You know, there's a couple portals around here that had some good guardians," and I sent the guy a screenshot that showed that my guardian list was up to over 250 days, and within 48 hours of having that conversation my guardian got taken down.

My guardian, by the way, is somewhere in Texas, so whoever it was that that information got to used a system that was just like this, used a bot to go to Texas and killed my guardian with their bot. Not cool. Of course I'd already gotten the badge, so I didn't really care at that point, it was just, you know, gravy. Exactly, it was a pet. So these are the issues, right? So it allows people to find, track and observe the behavior of other people very, very easily. This is a tracking service that you are willingly carrying around with you in your pocket and feeding with data about where you like to go, and it has been implicated in a number

of real player-to-player negative interactions involving stalking and harassment in the real world. So in the course of doing the research for this talk, I put out a question-and-answer thing on Reddit, as well as I kind of interviewed a bunch of players that I know, and there have been experiences that I've had with other players in my community and other communities in which we know for a fact that there are players out there who are hostile, aggressive, and have followed people around, found their houses and then deliberately done things to harass them as a way to make it harder for them to play the game or to drive them out of the game. This is a problem that

is not going to go away unless we solve the problem of this scraping. All right, let's talk a little bit about what these bots can do. So GPS spoofing and bots has been a problem within the game pretty much since it started. As you can imagine, we're in a game in which hacking is part of the sort of thematic storyline of the game; it attracts a certain audience of people who are interested in exploration of the digital universe, myself included, but not limited to me. And people discovered fairly early on that there are these GPS spoofing apps that you could use, for development purposes of course, just to force your phone to say that it is in a different location, and

then everything that kind of pulls that location data from the phone thinks it's in a different place, and then it will let you do things like Google Maps of a different town without having to zoom in there. What the guys who are doing this are doing it for is sort of two purposes, but we'll get into those in a minute. For definition of purposes, spoofers are just people using these tools to forge your GPS and make themselves appear to be in a different location; bots are automated systems that are using spoofing to do actions automatically without human interaction in those spoofed locations. So what is really important to

note is that spoofing is something that Niantic is trying very, very hard to thwart, and all of the common things, if you just go and you look for GPS spoofing on the Google Play market, there are a bunch of apps in there; none of them will work on Ingress without getting you banned pretty quickly. The purpose of having all of these analytics communicating with the device is because they're looking specifically for these apps running in the background, and the way that you hide the information about these apps from Niantic itself, one way to do it is to run this thing called the Xposed Framework. It sits on this website, repo.xposed.info, and it

comes as both an APK and a ZIP, and it does have kind of a high barrier to entry, because you have to sideload it using the Android Debug Bridge, you have to adb flash it onto the device, and so it is probably beyond the ken of most mortal people who have Android phones. However, I believe everyone in the room here is probably capable of doing it themselves, and it is a very effective method of doing GPS spoofing so that you avoid getting banned and kicked out of the game and losing all the gear that you illicitly got. So some of the things that the bots can do are basically everything that you can do within the

game. So they can hack or glyph the portals, they can retrieve keys and get gear, they follow certain tracks: you can record a GPS track and then have your bots follow that track, almost like you're playing back a video. They can attack enemy portals as they walk past them. They can also just teleport, jump from place to place in a ridiculously short amount of time, an amount of time that a human would notice very quickly is far too rapid. So for instance, I flew between Denver and Las Vegas; it's about a 90-minute flight, and yet, you know, I could if I wanted to be in Boulder where I live, teleport back to Vegas, do some stuff, teleport off to some

other place, and for the most part that kind of stuff doesn't get noticed when this Xposed Framework is kind of tied in. These bots could do basically everything, and what they are being used for, or what people are using them for, is harvesting huge amounts of the highest-level gear, which is a mentally and physically taxing effort. As you can imagine, you don't just go to these portals and hack them one time. If you want to farm gear, say for an anomaly that's coming up, you will often find that one faction or the other will get together, they'll find a park that has five or six or ten portals that are really close to each other, they

will then level those portals up so that they give the highest level of gear, and then people will walk around and glyph them for hours, and this takes a lot of work and takes a lot of effort, and you have to be good at glyphing, which, I can tell you from my own experience, is not a trivial exercise. It is something that takes a lot of work, and yet these bots can basically glyph everything as fast as possible, and the only consideration that you need to have when you're running one of these bots is that you've got to dial it back a

little bit, because the bot is so good it's going to attract notice, and so a lot of these sliders that are in these bots are to control just how accurate it is, like how often will it fail and how often will it meander off this GPS track and look like you're just kind of walking across the street instead of following a straight line and then taking a left turn, making a 45-degree turn and going across a field that normally is blocked off with a chain-link fence. All of this stuff is basically just to make the bot work faster, right? And we have these infographics, and again it's really hard to read, but this is an infographic about

how a bot works and what these farm bots can do. This was one that was produced by the people who I would play with, specifically to teach people about how these bots are doing farming and how you identify the farming bots as opposed to the bots that are being used to spoof and attack people. So the most popular one, the one that everybody knows about, again it's an open secret within the Ingress community, is the bot called Gannett. It's $12 to use it for three months, and it is shamelessly advertising itself as being the bot to do everything bad within the game. Now, it's a very paranoid guy who's in Eastern Europe who makes the bots:

when you buy it, they make a build that is just for you, and the bot itself does some command and control back to the guy's web server so that he knows that your license key is only being used for your account, and if he sees you using it for any other account, or if he sees you using it in a way that he doesn't like, he will just ban you forever, for life, from ever being able to get his bot again. And it calls itself internally "bad logic" now. And this is just some internals of Gannett, showing you the UI, and then for example this is the walk mode, where you can either have

it walk in a straight line, or walk and then loop back. And this is, I've done a little bit of reversing of the app, and it's showing some of the source code, and this is just the drop-down of the code, and all of the code is pretty heavily obfuscated, with all this, there's a lot of this sort of junk text all through all the variables and stuff. It just makes it a little harder to read, but for somebody who's an experienced reverser it's sort of rudimentary. But you don't have to do all that: there are some commercial emulators out there that you can use to get into these things. One

of them is this one that's called the Nox App Player, and it's worth noting in the text at the bottom here it says "location required by app: the virtual location feature will pin you to wherever you want." Now, this one I showed because they're actually advertising a particular build that you can get of this app that's called "Pokémon Go desktop", and the idea of it was you can play Pokémon on your desktop without ever having to walk out into the real world. Well, guess what, it still works. It was advertised as something that you could use during the beta, and now it still works with the real Pokémon Go, and as far as I can tell, I've been using

it for weeks and it hasn't gotten me banned, so it is still functional. Now there's another company that does a similar app called Genymotion, but you do need to use the Xposed Framework on these software Android devices or else eventually you will get caught, banned, and you'll lose all your lovely Pokémon and balls and everything else. So this is just a screenshot showing a famous location in Boulder, the Dushanbe Teahouse, and you just use this little map window within the app to pin wherever you want the game to say that you are, and then all of a sudden within the game I'm standing at the Dushanbe Teahouse and I'm glyphing it and I'm doing all the

bad stuff that I want to do. And it also has these helpful features for people who want to do this kind of hacking: fake IMEIs, you can create your own phone number and phone network that you're on. All of it is basically just forgery that allows these apps to work, again "for development purposes", haha, not really. But everything about this just really sucks, and what this does is it feeds this market for black-market gear. Both factions are responsible for running these Gannett bots; they give out the gear in huge amounts to their buddies, because it really is trivial for them to be able to collect massive amounts of gear, but then they turn

around and sell it for dollars on the web, and these guys are advertising this stuff on the chat window to all the players. The one I like the most is this one here: it says for 10 bucks we'll give you four keys to any one portal that you want, anywhere in the world. And to me that's amazing, because, you know, if I wanted to I could pay this guy 10 bucks, he sends his bot down to McMurdo Station in Antarctica, where the two portals that are the rarest portals in the world are, because only the 50 scientists that go to the South Pole and are there can hack those portals, and this guy will give me

four of those keys for 10 bucks. Woohoo, what an achievement: I haven't actually been to McMurdo. That sucks, that ruins the game for everyone, and honestly that is exactly the problem with all of this stuff. It violates the spirit and the letter of the rules, and it just makes everyone in the game pissed off at each other. Both factions accuse the other side of cheating; it's true, both sides are cheating. It's become an arms race, and the problem is that it's not going to go away as long as the game allows it to happen. So let's talk about how we address these problems, because the real problem is that Niantic is a

company with great intentions, and it has two hit games on their hands but does not have more than 50 employees. It is basically lost at trying to solve these problems; they're overwhelmed by the amount of people who are playing Pokémon Go. You know, when I pitched this talk to the conference, a lot of these discussions about the problems that were going to happen with augmented reality games were hypothetical, or there had been, you know, a couple of instances here and there of people, you know, falling off their bikes or getting into car crashes, but it wasn't on the scale of today, where the police departments in New York, San

Francisco, Los Angeles and Boston are sending out Pokémon Go player tips like "don't walk into really bad neighborhoods late at night all by yourself with your really expensive phone and big battery without hanging out, you know, you're going to get mugged," you know, and stuff like this. What was all hypothetical two months ago is now what's happening every day. So we've got to solve this. So one of the biggest problems is this data scraping issue, where basically you're walking around with a GPS tracker in your pocket that shows everyone where you are all the time. These are my suggestions: we've got to stop broadcasting the player data with the actions in the game. So when it says "Andy Brandt hacked

portal X" or "Andy Brandt attacked this portal and captured it from player Y", you should never have names associated with that. It should just be "portal X is under attack", "portal X has been captured by the other side". That would eliminate all of this player tracking stuff in which this data is being sent out and people are scraping it, and the heat map thing that shows where you are would be gone. Everything has to be encrypted, right? It is a watchword of all of what we do in infosec: encrypt everything you possibly can. Now it's inside TLS, and that's great, because the transport layer is an important thing to encrypt, but why is the data in plaintext?

Why is this all JSON in plain text inside of the TLS? They learned this lesson with Pokémon Go; that's a good thing. They need to then revert and put that stuff into Ingress. It needs to be encrypting that data so that all that we're seeing across the wire is a big binary data blob that we cannot read. And of course Ingress and Niantic need to be monitoring the players and their activity a little more closely. Location service stuff is another issue, right? So in all my malware research stuff, I'm always looking for metadata attribute combinations that will lead me to find interesting traffic. Well, here's a metadata attribute that I love: check the

GeoIP of the IP address you're using, and does that correlate to anywhere near, or even in the same country as, the geolocation data that's coming from the GPS? If you're in the UK and your phone says you're in Texas but you're on a UK network connection, something is wrong, and the fact that Niantic isn't seeing this is also wrong. It has to be pointed out to them by the players; that's the biggest problem, is that there are communities of like-minded, you know, interested players who want to stop these guys, but they have to report all of this stuff up to Niantic. Niantic has the data. All right, and then player behavior, right? So one of

the biggest issues with Pokémon Go has been that players are now showing up at, you know, austere locations like the National Holocaust Museum and veterans' memorials and other places, graveyards, and other places where you don't just go and set up a bunch of folding chairs and bust out the boombox and start having a party at two in the morning and capturing Pokémon. We as Ingress players need to bring them into the fold of what are the appropriate behavioral mores of using augmented reality, and it is not making a goddamn nuisance of yourself and leaving trash and making it so that the Ingress players as well as the Pokémon players are all demonized because we're nuisances. Do you have a

comment?
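The two server-side checks the talk argues for, GeoIP country against the reported GPS fix and implied travel speed between a player's consecutive actions (the "teleport" pattern described earlier), written out as an added example in Python. This is not code from the talk, from Niantic or from any real anti-cheat system; the GeoIP table, the country bounding boxes, the 1000 km/h threshold, the event format and the sample events are all constructed placeholders.

```python
"""Added example (not from the talk or from Niantic): server-side plausibility
checks on player location events, demonstrating two defenses the talk argues for:
  1. does the GeoIP country of the client address match the country of the
     reported GPS fix?
  2. does the implied speed between a player's consecutive actions exceed
     what a human could travel (teleport detection)?
All tables, thresholds and sample events below are constructed placeholders.
"""
import ipaddress
import math
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed GeoIP table over RFC 5737 documentation ranges; a real service
# would consult a GeoIP database for the client address instead.
GEOIP_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "GB",
}

# Constructed, deliberately coarse boxes (lat_min, lat_max, lon_min, lon_max);
# a production check would reverse-geocode the fix rather than use boxes.
COUNTRY_BOXES = {
    "US": (24.5, 49.5, -125.0, -66.9),
    "GB": (49.9, 60.9, -8.2, 1.8),
}

# Assumption: nothing a human carries a phone on exceeds airliner speed.
MAX_PLAUSIBLE_KMH = 1000.0
EARTH_RADIUS_KM = 6371.0


@dataclass
class LocationEvent:
    player: str
    t_seconds: float   # event time, seconds since some fixed origin
    lat: float
    lon: float
    client_ip: str     # address the game server saw the request come from


def geoip_country(ip: str) -> Optional[str]:
    """Country for an address per the constructed table, None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEOIP_TABLE.items():
        if addr in net:
            return country
    return None


def country_of_fix(lat: float, lon: float) -> Optional[str]:
    """Country whose constructed bounding box contains the GPS fix, else None."""
    for country, (lat_min, lat_max, lon_min, lon_max) in COUNTRY_BOXES.items():
        if lat_min <= lat <= lat_max and lon_min <= lon <= lon_max:
            return country
    return None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two latitude/longitude points in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def analyze_events(events: List[LocationEvent]) -> List[dict]:
    """Return one flag dict per suspicious event, in time order."""
    flags: List[dict] = []
    last_seen: Dict[str, LocationEvent] = {}
    for ev in sorted(events, key=lambda e: e.t_seconds):
        ip_country = geoip_country(ev.client_ip)
        fix_country = country_of_fix(ev.lat, ev.lon)
        # Check 1: network location versus claimed GPS location. Unknown
        # countries are skipped rather than flagged, to avoid false positives.
        if ip_country and fix_country and ip_country != fix_country:
            flags.append({"kind": "geoip_mismatch", "player": ev.player,
                          "t": ev.t_seconds, "ip_country": ip_country,
                          "fix_country": fix_country})
        # Check 2: implied speed since this player's previous action.
        prev = last_seen.get(ev.player)
        if prev is not None:
            dist_km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            dt_h = (ev.t_seconds - prev.t_seconds) / 3600.0
            if dt_h > 0:
                speed = dist_km / dt_h
            else:
                # Same timestamp: moving any distance at all is a teleport.
                speed = math.inf if dist_km > 0 else 0.0
            if speed > MAX_PLAUSIBLE_KMH:
                flags.append({"kind": "impossible_travel", "player": ev.player,
                              "t": ev.t_seconds, "km": round(dist_km, 1),
                              "kmh": round(speed, 1)})
        last_seen[ev.player] = ev
    return flags


# Constructed sample: one account acts in Boulder, CO, then ten minutes later
# in Las Vegas, then three hours after that in Austin, TX from a "GB" address.
SAMPLE_EVENTS = [
    LocationEvent("agent_example", 0.0, 40.0150, -105.2705, "198.51.100.10"),
    LocationEvent("agent_example", 600.0, 36.1699, -115.1398, "198.51.100.10"),
    LocationEvent("agent_example", 600.0 + 3 * 3600, 30.2672, -97.7431, "203.0.113.5"),
]

if __name__ == "__main__":
    for flag in analyze_events(SAMPLE_EVENTS):
        print(flag)
```

On the sample the Boulder-to-Las Vegas hop is roughly 960 km in ten minutes and is flagged as impossible travel, while the Austin action from a "GB" address is flagged as a GeoIP mismatch; the Las Vegas-to-Austin leg, about 1,700 km in three hours, passes. The Wi-Fi access point and assisted-GPS correlation raised in the Q&A would slot into the same per-event loop as a third check, and a real deployment would tune the speed threshold and treat unknown GeoIP results as a separate, lower-confidence signal rather than silence.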

So I don't know. So, Ingress, so the question was: are you not limited to how many times you can spin a PokéStop in six hours? So in Pokémon the way that you gather gear is you go to these locations, which are portals, and some of them are going to be called PokéStops, and when you go to them there's like a circular thing and you drag your finger across it and it spins and then little, like, stuff will fall out of it. There is a delay, so you can do it once and then you have to wait five minutes, just like when you hack a portal you have to wait approximately five minutes for it to

cool down and then you can hack it again. I don't know, because I've actually not, I have not done enough work on Pokémon Go, I've only been playing it for a couple of weeks. Does anyone know, can you keep spinning it every five minutes forever?

Right, right, yeah, so that is a good point. So in Ingress you can hack four times, short of putting special gear on the portals to allow you to do it more. You can hack something four times, there's a five-minute gap between each time, and then the portal becomes burned out and you can't use it for about six hours, so it forces people to move on. But yes, it is my understanding that this isn't the case in Pokémon Go, and yeah, that's a problem; like, there needs to be, you know, PokéStop burnout so people will just leave. One of the suggestions that a colleague of mine made was that maybe Niantic

should create a very low cost but paid private Ingress universe, which is parallel to the existing Ingress universe for free users, but where they have a payment method and a way of contacting you that ties you to a real person's information, and if that account is found to be doing bad stuff with bots or spoofing or doing other goofy stuff, that account can be banned, and that account can be banned permanently across anybody's game that Niantic is running in which they're using, you know, the same payment information. So basically you ban the credit card that you're using to pay, and then they can never log into any other Niantic game with an account that

is tied to that credit card. I mean, that's one suggestion, but I'd like to hear more, and I don't know, do we have a mic that we can pass around to people? Come on up, and if you've got comments I'm here to hear your suggestions and I'll just type them in as you guys are talking about them. So one of the ones that was suggested was the portal burnout on PokéStops. Are there any others? Yeah, speak out. So if you make a payment somewhere in Vegas but then you make a payment somewhere in the UK, you can't, like, they have some mechanism for knowing that you can't physically make that distance in

the time. So they could implement something like that in terms of the user's interaction, so it would stop bots from teleporting. Right, well, it's an interesting suggestion. So the one thing that you should note is that the people who are using bots create completely separate accounts to play the game that are not tied to their real Ingress player account, and they do that because they're afraid that at any time Niantic could just kill that account and they lose everything that's in that account. So they don't usually use those with any of the payment stuff, but yes, this does come down to, you know, is this person

habitually playing in the US and is this credit card habitually used in the US? Like, maybe they can do that, but I don't know whether they have that payment card information. Yeah, they might not share it. Sorry, go ahead. Well, so I don't necessarily mean the credit card information, but they have a mechanism of knowing that, OK, there's a transaction here. Right, the card companies have this mechanism for knowing where the card gets used, but I don't know that they share that with the vendors or you who are using that. Sorry, go ahead, in the back.

We'll follow the money: if you've got a bot account, what is the bot generating? You're not going to have a bot account without it generating some value to you, and if it's generating value, all of the stuff you want to give away, look at who it's giving it to. Right, so one of the things that happens in the game is that there are these items called capsules, and capsules can hold 100 other items, and the capsules, when they're filled, get a unique, is it 10 or 12 characters, hexadecimal character code that uniquely identifies that capsule. It should be rudimentary for Ingress, for Niantic, to be able to track: player 1

created this value, put it in a capsule, dropped it on the ground, player 2 came and picked up that capsule and benefited from it. Why are they not looking at that? That is also one of the very good questions, and one of the weak points in the game is that they're not looking at this interaction. The way that those farm sites work, where you buy the black market gear, is they tell you, you know, you pay for the gear, and then they say "let us know when you're going to be online", and then you need to give us your very accurate GPS information, and then they do some test

drops of gear: they'll drop a low-value item on the ground, and if you see that appear on your scanner, then they drop a capsule full of the stuff that you paid for on the ground. They're doing that with bots, and the reason they need your location is because they need to type it into the bot's little address bar, and then it just teleports to that location, drops the gear, and then logs out. So again, you know, if you are able to track when capsule A goes from player one to player two, you know player 1 is the purveyor of this gear store and you lock them out of

the game or at least make it harder for them. Sorry, the person who's behind you. I had a question, um, there may be a way to isolate assisted GPS from GPS data and correlate the two. So if, say, your assisted GPS data says you're somewhere in Las Vegas and your GPS data, being spoofed, suddenly says you're, you know, somewhere in Southeast Asia, that would be a direct red flag. So if there was some way of requiring the phone to have a true assisted GPS, because if you're going to be connected to a cell tower you're going to be getting that data anyway. Yes, so this is actually an interesting point, and this

is one of the metadata attributes that the analytics tools within Ingress are collecting: they're collecting information about Wi-Fi access points that are in your area, and they're using Google's ability to search for a location by network to correlate: are you where the GPS says you are, do you see the Wi-Fi APs that should be in the same location? And it's why Xposed works, because Xposed prevents the app from being able to see what are the nearby Wi-Fi access points. So they are doing that to a certain extent; whether or not it's effective is another thing. Sorry, person in green. Yes, hi, um, I wanted to bring up the credit card verification, and in thinking about a couple of points

I've experienced using credit card verification, upping the ante: so then you have to deal with fraudulent credit card numbers, because by using a credit card you're creating a situation where those who really want to do bad things will do it by also stealing credit cards, just a factor. And the other one being, I was thinking about with credit card verification, granted there's already the barrier of entry to having a handheld device, but if we want more people to be able to play the game, a credit card requires a level of privilege, or financial, in how old you are, and all of those things that also make it more complicated. So my challenge is, and

generally for the internet, how can we create a verification that isn't tied to credit cards, which are kind of US-based, not everywhere in the world, and like all the other things I don't have any good answers, but I would love that to be a thing. Those are really good suggestions and good questions, and yeah, I think, you know, as I do more research on this, and I'm going to be presenting updates to this talk at other conferences, I'll look into that, and that's a very good suggestion, thank you. So we'll be taking the last question. Yeah, so we're running out of time, there's drinking to be done, so last question and then you guys can all go.

But I want to say, before I get this question, I want to thank you all for sticking it out right to the end. I really appreciate it. This is a topic that I'm very passionate about, and I just appreciate the attendance and information and the interest level from everyone who's here, so thank you. All right, what's your question? All right, so, um, I think that the GPS data is a perfect candidate for applying machine learning to train a model to differentiate between real GPS versus these bots; that seems to be pretty rudimentary, I don't think there's any advanced programming techniques or anything in them. You may be right. So machine learning is probably one of the

tools that they're trying to develop internally at Niantic. From my understanding it's very limited, because I tried to reach out to Niantic, tried to contact John Hanke, their CEO, several times in the weeks leading up to this, and they're just really busy with this other game that they're dealing with and all the issues, so they didn't have time to talk to me, but I'm hoping I get an opportunity to talk to them. They've been receptive in the past to suggestions from the community, and that's a good one. So the question is, is there any way for the app to detect whether it's running the Xposed Framework? And no, the answer is no, because the Xposed Framework, the

way you install it, it installs as root and you have to install it using, like, a third party, sorry, yes, you have to have a third-party bootloader, right? So you flash it at a lower level than the operating system, and nothing on the operating system can see it unless it lets it. So yeah, it's tricky. So I guess we're out of time, so thank you so much, but I'll be around here for questions afterwards, and by the way there's a researcher party that Blue Coat is throwing, and if you're interested and you want to kind of come and have some drinks, just follow me and I'm your ticket in. So thank you, thank

you Andrew, it's been done.