The Associated Press found that a "panic button" issued in Colombia to activists and journalists who work in risky areas has vulnerabilities that could let hostile parties disable the devices, eavesdrop on conversations and track users' movements. Here's a closer look:
MANUFACTURER: Eview Industrial Ltd. of Shenzhen, China, which specializes in GPS trackers for motor vehicles and personal use, makes the EV-07S. Listed at about $60, it can be monitored on a web-based map service. It is touted as an all-purpose tracker that can send an alert when a child or elderly relative takes a spill or strays from a particular area.
GOVERNMENT: The Colombian agency that distributed the devices, the National Protection Service (Unidad Nacional de Proteccion), protects some 6,500 people. In addition to activists and journalists, agency Director Diego Mora said some devices may be issued to demobilized rebels of the Revolutionary Armed Forces of Colombia, which is currently being dismantled after a peace deal.
VULNERABILITIES: The Boston-based security company Rapid7 examined the device at the AP's request. It found that the panic button has numerous technical flaws, including:
— It can be remotely reset and reconfigured via text message. Remarkably, these features are explained in a manual posted online by the manufacturer.
— Webserver and client software used to monitor the device lack the SSL, or Secure Sockets Layer, technology that keeps web browser connections private.
— A hostile actor could manipulate, or "poison," geolocation data on the webserver, where a user's whereabouts are shown.
NOTIFICATION: A company official, John Chung, told the AP that Eview is updating the webserver software. He was not clear on exactly what vulnerabilities identified by Rapid7 are being addressed. Chung did not say in an email response to written questions whether the company had notified customers of the flaws.
PANIC BUTTONS GLOBALLY: Similar devices and applications have been tested or are in use around the world, including in Russia, Mexico, Egypt, Brazil, Nigeria, Uganda, Burma, the Philippines and El Salvador. The devices are especially popular in India, where, after the rape and murder of a medical student in a bus in 2012, the government pushed for all cellphone providers to offer panic-button features.