#Panic mode hacked update
In keeping with standard industry practice, Rapid7 waited at least two months before publicly disclosing the vulnerabilities to give the manufacturer time to address them.Ĭhung told the AP that Eview was working to update the EV-07's webserver software, where Rapid7 found flaws that could allow user and geolocation data to be altered.
#Panic mode hacked manual
They are spelled out in a user manual posted online by the manufacturer, Eview Industrial Ltd.Ī company official, John Chung, acknowledged that Rapid7 notified him of the flaws in December. Instructions for resetting the Colombia-issued panic button and activating its "silent phone" function were easy to find. "What am I going to do with body armor riding the bus?" said Amalfi Rosales, a journalist from the northeastern Guajira region whose exposes of corruption forced her to flee. They complain that the body armor and cellphones assigned with panic buttons are inadequate. Some have received death threats, been kidnapped or forced into exile. Recipients said the dangers they face should not be underestimated. "Supreme Court judges, ministers, prosecutors, they don't have this device."
"It's a very, very basic protection measure for people whose risks aren't very complex," said Mora. He said activists given the device are at such low risk there would be little interest in eavesdropping on them. Office of National Protection Director Diego Mora called the flaws identified in the AP audit overblown. Obtaining the Colombian device's phone number is not easy, and the government said it alone knows to whom each device is assigned.īut security experts said there are ways a sophisticated adversary could obtain the numbers, including fake cell tower technology that captures numbers and bribes to cell company or government employees. Built-in GPS pinpoints the user's location.īecause the device can be remotely wiped, it can also be reconfigured from afar, said Deral Heiland, the researcher with Rapid7 who performed the audit. Simple text messages can reset it or activate the microphone remotely, turning it into a listening post, the audit found. The most serious vulnerability lets anyone with the device's phone number remotely disable it and surreptitiously take control. The AP tested two devices issued in Colombia, while Rapid7 bought buttons directly from the manufacturer. A button marked "SOS" calls for help when pressed.īut some features could be turned against the user, the security audit done for the AP by the Boston-based security firm Rapid7 found. The device operates on a wireless network, has a built-in microphone and receiver and can be mapped remotely with geo-location software. Its Chinese manufacturer markets it under the name EV-07 for tracking children, pets and the elderly. The panic button, or "boton de apoyo," distributed by Colombia's Office of National Protection is a keychain-style fob. When effective, they can be crucial lifelines against criminal gangs, paramilitary groups or the hostile security forces of repressive regimes. Over the past four years, other "distress alarms" and smartphone apps have been deployed or tested around the world, with mixed results.
"This is negligent in the extreme," said Eva Galperin, director of cybersecurity at the nonprofit Electronic Frontier Foundation, calling the finding "a tremendous security failure." There is no evidence the vulnerabilities have been exploited, but security experts are alarmed.
But the Associated Press, with an independent security audit, uncovered technical flaws that could let hostile parties disable them, eavesdrop on conversations and track users' movements. The pocket-sized devices are designed to notify authorities in the event of an attack or attempted kidnapping.
0 kommentar(er)
