Alert (TA16–192A)

Dan Hon
Dan Hon
Jul 19, 2016 · 2 min read

Pokemon Go (Niantic, The Pokemon Company) contains a live exploit of critical vulnerabilities in the baseline human brain architecture.

Systems affected

All baseline humans.


The recently released mobile augmented reality game Pokemon Go contains a live exploit of a critical vulnerability in the baseline human brain architecture. The game is available for iOS and Android mobile platforms and is in widespread usage in multiple territories. The vulnerability allows a remote attacker to influence the behavior of an affected individual


Pokemon Go exploits the following vulnerabilities:

  • CVE-BH-1987–1036: arbitrary creation of 1+ kinship groups leads to involuntary in/out group
  • CVE-BH-2013–1981: race condition in attention monitoring subsystem allows remote attacker to control recurring perceptional attention
  • CVE-BH-1976–3018: missing bounds check in confirmation heuristic allowing remote attacker to arbitrarily reinforce target preconceptions
  • CVE-BH-1993–7619: heap overflow in availabilty heuristic results in incorrect calculation of probability of future events allowing remote attacker to influence behavior
  • CVE-BH-2007–536: lack of bounds checking in external output leads to race condition in internal prioritization of agent goals
  • CVE-BH-2002–1034: undocumented bias in value accounting heuristic favoring small amounts
  • CVE-BH-1998–1099: unchecked exception in state model results in overestimation of target’s capacity to action in modeled subject


Estimated population impact: 7.3e9.

The large number of vulnerable humans across multiple localities and the severity of the vulnerabilities (remote code execution influencing short-to-medium-term behavior, root or SYSTEM privilege on influencing long-term goals) make this a very serious event.

All of these vulnerabilities require minimal user interaction or awareness and are dependent upon network effects.


There are no patches or hotfixes that have been shown effective against the above vulnerabilities.

US-CERT encourages users to delete the Pokemon Go application from mobile devices and to refrain from installing the application until patches or hotfixes to the baseline human brain architecture are available.


Dan Hon

Written by

Dan Hon

I come from the internet and I can type.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade