
Western security advisers warn delegates at the COP27 climate summit not to download the Egyptian government’s official smartphone app, as they fear it could be used to hack into their private emails, text messages and even voice calls.

Policymakers from Germany, France and Canada were among those who downloaded the app by November 8, according to two different Western security officials informed of discussions within these delegations at the UN climate summit.

Other Western governments have advised officials not to download the application, another European government official said. All officials spoke on the condition of anonymity to discuss international government deliberations.

A potential vulnerability in the Android application, which has been downloaded thousands of times and is a gateway for participants at COP27, has been separately validated by four cybersecurity experts who reviewed the digital app for POLITICO.

The app is promoted as a tool to help participants navigate the event. But it risks giving the Egyptian government permission to read users’ emails and messages. Even messages shared via encrypted services such as WhatsApp are vulnerable, according to a technical review of the app by POLITICO and two external experts.

The app also provides the Egyptian Ministry of Communications and Information Technology, which created it, with other so-called backdoor privileges, i.e. the ability to scan users’ devices.

World leaders including Egyptian President Abdel Fattah El-Sisi and UN Secretary General Antonio Guterres pose for a group photo at the Sharm el-Sheikh climate summit at the COP27 climate conference in Egypt | Sean Gallup / Getty Images

According to three experts and a separate POLITICO analysis, on Google’s Android smartphones the app can potentially be used to eavesdrop on users’ conversations, even when the device is in sleep mode. It can also track people’s locations using the GPS and Wi-Fi technologies built into smartphones, according to two analysts.

The app is nothing but a “surveillance tool that Egyptian authorities can use to track activists, government delegates and anyone who participates in COP27,” said Marwa Fatafta, digital rights leader for the Middle East and North Africa at Access Now, a nonprofit digital rights organization.

“The application is a cyber weapon,” said one security expert who spoke on the condition of anonymity to protect his COP colleagues after reviewing it.

The Egyptian government did not respond to requests for comment. Google said it checked the app and found no violations of its app policies.

The potential security threat comes as thousands of high-ranking officials flock to Sharm El-Sheikh, an Egyptian resort where so-called QR codes, a kind of barcode, are scattered throughout the city and direct people to download the smartphone app.

Among the participants of COP27 are world leaders such as French President Emmanuel Macron, British Prime Minister Rishi Sunak and US Secretary of State Antony Blinken, although such famous politicians are unlikely to download another government’s application.

Experts who spoke to POLITICO said most of the data and access that the COP27 app gets is fairly standard. However, according to three of these specialists, the combination of the Egyptian government’s human rights record and the types of people who would download the app is cause for concern.

Weird and wide access

Three researchers said the app poses a surveillance threat to those downloading it, due to its extensive permissions to view people’s devices, although the extent of the risk remains unclear.

Elias Koivula, a researcher at WithSecure, a cybersecurity company, reviewed the Android app for POLITICO and said he found no evidence that anyone’s emails had been read. He added that many of the permissions granted to the climate change conference app also have benign purposes, such as keeping people informed of the latest summit travel information.

But Koivula said other permissions granted to the app seemed “strange” and could potentially be used to track people’s movements and communication. He said that, so far, there is no evidence that such activity has taken place.

Not all experts agreed on the risk.

Paul Shunk, a security intelligence engineer at cybersecurity company Lookout, said he found no evidence that the app had access to e-mail, describing the idea that it posed a surveillance threat as “strange”. He was convinced that the application was not built as typical spyware, pouring cold water on claims that the application was acting as a listening device. Shunk said it cannot record audio if it is running in the background, making it “almost completely unsuitable for spying on users.”

Shunk said the COP27 app uses location tracking “widely” but seemingly for legitimate purposes such as route planning for summit participants. He added that, based on its Android permissions, it lacked the ability to access location in the background, which is what the app would need to keep track of location continuously.

The other two cybersecurity analysts who reviewed the app spoke on condition of anonymity to safeguard their ongoing security work and protect colleagues attending the climate change conference.

“Let me put it this way: I would not download this application to my phone,” said one of these experts. The two researchers also warned that once an app is downloaded to a device, it will be difficult, if not impossible, to revoke its access to people’s sensitive data, even after deleting it.

POLITICO screened the app for potential security threats with two open cybersecurity tools, and both raised concerns about its ability to listen to people’s conversations, track their location, and change the way the app works without asking for permission.

Both Google and Apple have approved the app to appear in their respective app stores. All analysts checked only the Android version of the application, not the separate application made for Apple devices. Apple declined to comment on the separate app created for its App Store.

Egyptian track record

The Egyptian government’s track record of monitoring its citizens has also worried rights groups. In the wake of the so-called Arab Spring, Cairo cracked down on dissidents and used local emergency laws to track its citizens’ online and offline activities, according to a report by Privacy International, a non-profit organization.

As part of the smartphone app’s privacy notice, the Egyptian government says it has the right to use information provided by people who downloaded the app, including GPS location, camera access, photos, and Wi-Fi data.

“Our application reserves the right to access customer accounts for technical and administrative purposes and for security reasons,” says the privacy statement.

However, a technical review of the COP27 smartphone app by both POLITICO and external experts revealed further permissions that people had unknowingly granted to the Egyptian government and that had not been disclosed in its public statements.

These include the app’s right to track what participants do in other applications on their phone; to connect users’ smartphones via Bluetooth to other equipment in a manner that could transfer data to government-owned devices; and to independently connect individual phones to Wi-Fi networks or make calls on their behalf without their knowledge.
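A permission review of the kind described above, and the background-location question Shunk raises, can be sketched as follows. This is an added example, not POLITICO's or the analysts' tooling: the manifest is constructed (it is not the COP27 app's), and the pairing of Android permission names with the capabilities in the article is an assumption, since the article names no permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BACKGROUND_LOCATION = "android.permission.ACCESS_BACKGROUND_LOCATION"

# Real Android permission names. Pairing them with the capabilities the
# article describes is an assumption; the article names no permissions.
CAPABILITY = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "location while in use",
    "android.permission.ACCESS_COARSE_LOCATION": "location while in use",
    BACKGROUND_LOCATION: "location in background",
    "android.permission.BLUETOOTH_CONNECT": "bluetooth connections",
    "android.permission.CHANGE_WIFI_STATE": "wifi control",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.PACKAGE_USAGE_STATS": "other-app usage",
}

# Constructed sample manifest, NOT taken from the COP27 app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def review(manifest_xml):
    """Summarise sensitive capabilities and the background-location question."""
    perms = requested_permissions(manifest_xml)
    return {
        "capabilities": sorted({CAPABILITY[p] for p in perms if p in CAPABILITY}),
        # Android 10+ needs this on top of fine/coarse for background access.
        "background_location_declared": BACKGROUND_LOCATION in perms,
        "unmapped": sorted(perms - set(CAPABILITY)),
    }
```

A declared permission shows what an app may ask for, not what it has done, which is the distinction Koivula and Shunk both draw.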

“The Egyptian government cannot be entrusted with managing people’s personal data, given its dismal human rights history and blatant disregard for privacy,” said Fatafta, an advocate for digital rights.
