It is supposed to help protect human-rights activists, labor organizers and
journalists working in risky environments, but a GPS-enabled "panic button"
that Colombia's government has issued to about 400 people could be exposing
them to more peril.

The pocket-sized devices are designed to notify authorities in the event of an
attack or attempted kidnapping. But the Associated Press, with an independent
security audit, uncovered technical flaws that could let hostile parties
disable them, eavesdrop on conversations and track users' movements.

There is no evidence the vulnerabilities have been exploited, but security experts
are alarmed.

"This is negligent in the extreme," said Eva Galperin, director of cybersecurity
at the nonprofit Electronic Frontier Foundation, calling the finding "a
tremendous security failure."

Over the past four years, other "distress alarms" and smartphone apps have
been deployed or tested around the world, with mixed results. When effective,
they can be crucial lifelines against criminal gangs, paramilitary groups or
the hostile security forces of repressive regimes.
REASON FOR PANIC

The panic button, or "boton de apoyo," distributed by Colombia's Office
of National Protection is a keychain-style fob. Its Chinese manufacturer
markets it under the name EV-07 for tracking children, pets and the elderly.
The device operates on a wireless network, has a built-in microphone and
receiver and can be mapped remotely with geo-location software. A button marked
"SOS" calls for help when pressed.

But some features could be turned against the user, the security audit done for the
AP by the Boston-based security firm Rapid7 found. The AP tested two devices
issued in Colombia, while Rapid7 bought buttons directly from the manufacturer.

The most serious vulnerability lets anyone with the device's phone number remotely
disable it and surreptitiously take control. Simple text messages can reset it
or activate the microphone remotely, turning it into a listening post, the
audit found. Built-in GPS pinpoints the user's location.

Because the device can be remotely wiped, it can also be reconfigured from afar, said
Deral Heiland, the researcher with Rapid7 who performed the audit.

Obtaining the Colombian device's phone number is not easy, and the government said it
alone knows to whom each device is assigned.

But security experts said there are ways a sophisticated adversary could obtain the
numbers, including fake cell tower technology that captures numbers and bribes
to cell company or government employees.

Office of National Protection Director Diego Mora called the flaws identified in the
AP audit overblown. He said activists given the device are at such low risk
there would be little interest in eavesdropping on them.

"It's a very, very basic protection measure for people whose risks aren't very
complex," said Mora. "Supreme Court judges, ministers, prosecutors,
they don't have this device."

Recipients said the dangers they face should not be underestimated. Some have received
death threats, been kidnapped or forced into exile. They complain that the body
armor and cellphones assigned with panic buttons are inadequate.

"What am I going to do with body armor riding the bus?" said Amalfi Rosales, a
journalist from the northeastern Guajira region whose exposes of corruption
forced her to flee. "How does that protect me?"
EASY-TO-FIND INSTRUCTIONS

Instructions for resetting the Colombia-issued panic button and activating its "silent
phone" function were easy to find. They are spelled out in a user manual
posted online by the manufacturer, Eview Industrial Ltd.

A company official, John Chung, acknowledged that Rapid7 notified him of the
flaws in December. In keeping with standard industry practice, Rapid7 waited at
least two months before publicly disclosing the vulnerabilities to give the
manufacturer time to address them.

Chung told the AP that Eview was working to update the EV-07's webserver software,
where Rapid7 found flaws that could allow user and geolocation data to be
altered.

The audit confirmed suspicions that arose after independent Colombian journalist
Claudia Julieta Duque reported in August that the devices have built-in
microphones. The government had not told recipients, and many stopped using the
panic buttons.

"To me, it's just a device to spy on you," said Rocio Campos, an activist in
the Magdalena River refinery city of Barrancabermeja whose brother was
disappeared in 1998 and who has been helping prosecutors search for unmarked
graves.

Mora denies that the devices can listen in on users. The device's local provider,
cellular carrier Comcel S.A., "made the necessary modifications so that
one could not activate the microphone or know the device's location without
pressing the button," he said.

AP's findings contradict that claim.
A HISTORY OF VIOLENCE

Activists have good reason to be wary of public officials in Colombia, where murder rates
for land and labor activists are among the world's highest, and there is a
legacy of state-sponsored crime.

The DAS domestic intelligence agency, which provided bodyguards and armored
vehicles to high-risk individuals prior to 2011, was disbanded after being
caught spying on judges, journalists and activists.

Five former DAS officials have been prosecuted for allegedly subjecting Duque and
her daughter to psychological torture after she published articles implicating
agency officials in the 1999 assassination of Jaime Garzon, a much-loved
satirist.

Tanya O'Carroll of Amnesty International, which has been developing a different kind
of "panic button" since 2014, said the Colombian model is
fundamentally flawed.

"In many cases, the government is the adversary," she said. "How can
those people who are the exact adversary be the ones that are best placed to
respond?"

Mora rejected any suggestion that his office, which offers protective services to
some 6,500 people, distributed panic buttons with the intent of spying on
activists.

"We're at ease," he said. He was unable to cite an instance of a panic button
saving life or helping to extract someone from danger.

When the "SOS" button is pressed, it notifies a 24/7 operations center at
the office's Bogota headquarters. Operators place a call to the user and, if
the person is in danger, notify police.

Campos was not carrying a device in September when two men on a motorcycle tried to
topple her motorbike at a stoplight. One pulled a gun, and she sped away to a
nearby police post, bending forward to make a smaller target.

"No one has time to activate any button much less wait to be called and asked,
'What happened?'" she said.

A Colombian land-rights activist, Astrid Sabogal of Pereira, said she pressed the
button last year when she was out of town and men broke into their house and
stole documents in the presence of her 11-year-old son. The device did not
work. She was later assigned armed protection.
BUTTONED UP

In Mexico, the attorney general's office has issued more than 200 emergency alert
devices to journalists and rights activists since 2013. But there have been
multiple complaints.

One is unreliability where cell service is poor. Others are more serious: Cases
have been documented of police failing to respond or answering but saying they
are unable to help.

O'Carroll of Amnesty International said trials in 17 nations on three continents -
including the Philippines, El Salvador and Uganda - show it's best to alert
trusted parties - friends, family or colleagues. Those people then reach out to
trusted authorities.

Sweden-based Civil Rights Defenders offers a €300 stand-alone panic button first deployed in
Russia's North Caucasus region in 2013 and now used by more than 70 people in
East Africa, Central Asia, the Balkans, Southeast Asia and Venezuela, said
Peter Ohlm, a protection officer at the nonprofit.

The organization's Stockholm headquarters always gets notified, and social media is
typically leveraged to spread word fast when an activist is in trouble.

Amnesty's app for Android phones is still in beta testing. It is activated with a
hardware trigger - multiple taps of the power button. But there have been too
many false alarms.

Norma Trujillo is a reporter in Veracruz, one of Mexico's most dangerous states for
journalists. She was issued a panic button by the attorney general's office two
years ago. She does not believe it would help in an emergency, but she has no
plans to return the device, believing it puts the onus of protecting her on the
state.

"It raises one's political cost," she said.