Colombia’s GPS-enabled panic buttons expose activists
It is supposed to help protect human-rights activists, labor organizers and journalists working in risky environments, but a GPSenabled “panic button” that Colombia’s government has issued to about 400 people could be exposing them to more peril. The pocket-sized devices are designed to notify authorities in the event of an attack or attempted kidnapping. But the Associated Press, with an independent security audit, uncovered technical flaws that could let hostile parties disable them, eavesdrop on conversations and track users’ movements.
There is no evidence the vulnerabilities have been exploited, but security experts are alarmed. “This is negligent in the extreme,” said Eva Galperin, director of cybersecurity at the nonprofit Electronic Frontier Foundation, calling the finding “a tremendous security failure.” Over the past four years, other “distress alarms” and smartphone apps have been deployed or tested around the world, with mixed results. When effective, they can be crucial lifelines against criminal gangs, paramilitary groups or the hostile security forces of repressive regimes.
Reason for panic
The panic button, or “boton de apoyo,” distributed by Colombia’s Office of National Protection is a keychain-style fob. Its Chinese manufacturer markets it under the name EV-07 for tracking children, pets and the elderly. The device operates on a wireless network, has a built-in microphone and receiver and can be mapped remotely with geolocation software. A button marked “SOS” calls for help when pressed.
But some features could be turned against the user, the security audit done for the AP by the Boston-based security firm Rapid7 found. The AP tested two devices issued in Colombia, while Rapid7 bought buttons directly from the manufacturer. The most serious vulnerability lets anyone with the device’s phone number remotely disable it and surreptitiously take control. Simple text messages can reset it or activate the microphone remotely, turning it into a listening post, the audit found. Built-in GPS pinpoints the user’s location. Because the device can be remotely wiped, it can also be reconfigured from afar, said Deral Heiland, the researcher with Rapid7 who performed the audit. Obtaining the Colombian device’s phone number is not easy, and the government said it alone knows to whom each device is assigned. But security experts said there are ways a sophisticated adversary could obtain the numbers, including fake cell tower technology that captures numbers and bribes to cell company or government employees.
Office of National Protection Director Diego Mora called the flaws identified in the AP audit overblown. He said activists given the device are at such low risk there would be little interest in eavesdropping on them. “It’s a very, very basic protection measure for people whose risks aren’t very complex,” said Mora. “Supreme Court judges, ministers, prosecutors, they don’t have this device.” Recipients said the dangers they face should not be underestimated. Some have received death threats, been kidnapped or forced into exile. They complain that the body armor and cellphones assigned with panic buttons are inadequate. “What am I going to do with body armor riding the bus?” said Amalfi Rosales, a journalist from the northeastern Guajira region whose exposes of corruption forced her to flee. “How does that protect me?”
Easy-to-find instructions
Instructions for resetting the Colombiaissued panic button and activating its “silent phone” function were easy to find. They are spelled out in a user manual posted online by the manufacturer, Eview Industrial Ltd. A company official, John Chung, acknowledged that Rapid7 notified him of the flaws in December. In keeping with standard industry practice, Rapid7 waited at least two months before publicly disclosing the vulnerabilities to give the manufacturer time to address them.
Chung told the AP that Eview was working to update the EV-07’s webserver software, where Rapid7 found flaws that could allow user and geolocation data to be altered. The audit confirmed suspicions that arose after independent Colombian journalist Claudia Julieta Duque reported in August that the devices have built-in microphones. The government had not told recipients, and many stopped using the panic buttons.
“To me, it’s just a device to spy on you,” said Rocio Campos, an activist in the Magdalena River refinery city of Barrancabermeja whose brother was disappeared in 1998 and who has been helping prosecutors search for unmarked graves. Mora denies that the devices can listen in on users. The device’s local provider, cellular carrier Comcel SA, “made the necessary modifications so that one could not activate the microphone or know the device’s location without pressing the button,” he said. AP’s findings contradict that claim. —AP