Pokemon Go (Niantic, The Pokemon Company) contains a live exploit of critical vulnerabilities in the baseline human brain architecture.
All baseline humans.
The recently released mobile augmented reality game Pokemon Go contains a live exploit of a critical vulnerability in the baseline human brain architecture. The game is available for iOS and Android mobile platforms and is in widespread usage in multiple territories. The vulnerability allows a remote attacker to influence the behavior of an affected individual
Pokemon Go exploits the following vulnerabilities:
- CVE-BH-1987–1036: arbitrary creation of 1+ kinship groups leads to involuntary in/out group
- CVE-BH-2013–1981: race condition in attention monitoring subsystem allows remote attacker to control recurring perceptional attention
- CVE-BH-1976–3018: missing bounds check in confirmation heuristic allowing remote attacker to arbitrarily reinforce target preconceptions
- CVE-BH-1993–7619: heap overflow in availabilty heuristic results in incorrect calculation of probability of future events allowing remote attacker to influence behavior
- CVE-BH-2007–536: lack of bounds checking in external output leads to race condition in internal prioritization of agent goals
- CVE-BH-2002–1034: undocumented bias in value accounting heuristic favoring small amounts
- CVE-BH-1998–1099: unchecked exception in state model results in overestimation of target’s capacity to action in modeled subject
Estimated population impact: 7.3e9.
The large number of vulnerable humans across multiple localities and the severity of the vulnerabilities (remote code execution influencing short-to-medium-term behavior, root or SYSTEM privilege on influencing long-term goals) make this a very serious event.
All of these vulnerabilities require minimal user interaction or awareness and are dependent upon network effects.
There are no patches or hotfixes that have been shown effective against the above vulnerabilities.
US-CERT encourages users to delete the Pokemon Go application from mobile devices and to refrain from installing the application until patches or hotfixes to the baseline human brain architecture are available.