Kuwait Times

Colombia’s GPS-enabled panic buttons expose activists

-

It is supposed to help protect human-rights activists, labor organizers and journalist­s working in risky environmen­ts, but a GPSenabled “panic button” that Colombia’s government has issued to about 400 people could be exposing them to more peril. The pocket-sized devices are designed to notify authoritie­s in the event of an attack or attempted kidnapping. But the Associated Press, with an independen­t security audit, uncovered technical flaws that could let hostile parties disable them, eavesdrop on conversati­ons and track users’ movements.

There is no evidence the vulnerabil­ities have been exploited, but security experts are alarmed. “This is negligent in the extreme,” said Eva Galperin, director of cybersecur­ity at the nonprofit Electronic Frontier Foundation, calling the finding “a tremendous security failure.” Over the past four years, other “distress alarms” and smartphone apps have been deployed or tested around the world, with mixed results. When effective, they can be crucial lifelines against criminal gangs, paramilita­ry groups or the hostile security forces of repressive regimes.

Reason for panic

The panic button, or “boton de apoyo,” distribute­d by Colombia’s Office of National Protection is a keychain-style fob. Its Chinese manufactur­er markets it under the name EV-07 for tracking children, pets and the elderly. The device operates on a wireless network, has a built-in microphone and receiver and can be mapped remotely with geolocatio­n software. A button marked “SOS” calls for help when pressed.

But some features could be turned against the user, the security audit done for the AP by the Boston-based security firm Rapid7 found. The AP tested two devices issued in Colombia, while Rapid7 bought buttons directly from the manufactur­er. The most serious vulnerabil­ity lets anyone with the device’s phone number remotely disable it and surreptiti­ously take control. Simple text messages can reset it or activate the microphone remotely, turning it into a listening post, the audit found. Built-in GPS pinpoints the user’s location. Because the device can be remotely wiped, it can also be reconfigur­ed from afar, said Deral Heiland, the researcher with Rapid7 who performed the audit. Obtaining the Colombian device’s phone number is not easy, and the government said it alone knows to whom each device is assigned. But security experts said there are ways a sophistica­ted adversary could obtain the numbers, including fake cell tower technology that captures numbers and bribes to cell company or government employees.

Office of National Protection Director Diego Mora called the flaws identified in the AP audit overblown. He said activists given the device are at such low risk there would be little interest in eavesdropp­ing on them. “It’s a very, very basic protection measure for people whose risks aren’t very complex,” said Mora. “Supreme Court judges, ministers, prosecutor­s, they don’t have this device.” Recipients said the dangers they face should not be underestim­ated. Some have received death threats, been kidnapped or forced into exile. They complain that the body armor and cellphones assigned with panic buttons are inadequate. “What am I going to do with body armor riding the bus?” said Amalfi Rosales, a journalist from the northeaste­rn Guajira region whose exposes of corruption forced her to flee. “How does that protect me?”

Easy-to-find instructio­ns

Instructio­ns for resetting the Colombiais­sued panic button and activating its “silent phone” function were easy to find. They are spelled out in a user manual posted online by the manufactur­er, Eview Industrial Ltd. A company official, John Chung, acknowledg­ed that Rapid7 notified him of the flaws in December. In keeping with standard industry practice, Rapid7 waited at least two months before publicly disclosing the vulnerabil­ities to give the manufactur­er time to address them.

Chung told the AP that Eview was working to update the EV-07’s webserver software, where Rapid7 found flaws that could allow user and geolocatio­n data to be altered. The audit confirmed suspicions that arose after independen­t Colombian journalist Claudia Julieta Duque reported in August that the devices have built-in microphone­s. The government had not told recipients, and many stopped using the panic buttons.

“To me, it’s just a device to spy on you,” said Rocio Campos, an activist in the Magdalena River refinery city of Barrancabe­rmeja whose brother was disappeare­d in 1998 and who has been helping prosecutor­s search for unmarked graves. Mora denies that the devices can listen in on users. The device’s local provider, cellular carrier Comcel SA, “made the necessary modificati­ons so that one could not activate the microphone or know the device’s location without pressing the button,” he said. AP’s findings contradict that claim. —AP

 ??  ?? BOGOTA: In this photo, an Associated Press employee in Bogota, Colombia holds a GPSenabled panic button that Colombia’s government has issued to labor, community and human rights activists to use in risky environmen­ts. —AP
BOGOTA: In this photo, an Associated Press employee in Bogota, Colombia holds a GPSenabled panic button that Colombia’s government has issued to labor, community and human rights activists to use in risky environmen­ts. —AP

Newspapers in English

Newspapers from Kuwait