Egypt’s COP27 summit app is a cyberweapon, experts warn – POLITICO
Western security advisers are warning delegates to the COP27 climate summit not to download the official smartphone app of host Egypt’s government, fearing it could be used to hack their personal emails, texts and even voice conversations.
Policymakers in Germany, France and Canada were among those who downloaded the app by November 8, according to two separate Western security officials who summarized discussions among these delegations at the UN climate summit.
Other Western governments have advised officials not to download the app, another European government official said. All officials spoke on condition of anonymity to describe international discussions among governments.
A potential vulnerability in the Android app, which has been downloaded thousands of times and is used by participants at COP27, was independently verified by four cybersecurity experts who reviewed the app for POLITICO.
The app is promoted as a way to help attendees navigate the event. But it risks giving the Egyptian government permission to read users’ emails and messages. Even messages sent through encrypted services like WhatsApp are vulnerable, according to POLITICO’s technical review of the app and two outside experts.
The app also gives Egypt’s Ministry of Communications and Information Technology, which created it, other so-called backdoor privileges, or the ability to scan people’s devices.
On smartphones running Google’s Android software, it has permission to potentially listen in on users’ conversations through the app, even when the device is in sleep mode, according to a separate analysis by three experts and POLITICO. It can also track people’s locations using a smartphone’s built-in GPS and Wi-Fi technology, according to two of the analysts.
The app is nothing more than a “surveillance tool that could be used by the Egyptian authorities to track activists, government delegates and COP27 attendees,” said Marwa Fatafta, head of digital rights for the Middle East and North Africa at Access Now, a non-profit digital rights organization.
“The app is a cyberweapon,” said one security expert after examining it, who spoke on condition of anonymity to protect colleagues attending the COP.
The Egyptian government did not respond to requests for comment. Google said it reviewed the app and found no violations of its app policies.
The potential security threat comes as thousands of dignitaries descend on Sharm El-Sheikh, an Egyptian resort town where so-called QR codes, or quasi-bar codes, directing people to download the smartphone app are dotted around the city.
COP27 attendees include world leaders such as French President Emmanuel Macron, British Prime Minister Rishi Sunak and US Secretary of State Antony Blinken, although such senior politicians are unlikely to download another government’s app.
Experts who spoke to POLITICO said most of the data and access the COP27 app receives is fairly standard. But the combination of the Egyptian government’s human rights record and the types of people downloading the app is cause for concern, according to three of these experts.
Strange and expansive access
Three of the researchers said the app poses a surveillance risk to those who download it because of its wide-ranging permissions to review people’s devices, though the extent of the risk remains unclear.
Elias Koivula, a researcher at WithSecure, a cybersecurity firm, reviewed the Android app for POLITICO and said he found no evidence that people’s emails were read. Many of the permissions granted to the climate change conference app also have benign purposes, such as keeping people up to date with the latest travel information around the summit, he added.
But Koivula said other permissions granted to the app seemed “strange” and could be used to track people’s movements and communications. So far, he said, he has no evidence that such activity has taken place.
Not all experts agreed on the risks.
Paul Shunk, a security intelligence engineer at cybersecurity firm Lookout, said he found no evidence that the app had access to emails, characterizing the idea that it posed a surveillance risk as “weird.” He was confident that the app was not created as typical spyware, pouring cold water on claims that the app acts as a listening device. Shunk said it can’t record if it’s running in the background, making it “almost completely useless for spying on users.”
The COP27 app “uses location tracking extensively,” Shunk said, but seemingly for legitimate purposes, such as route planning for summit attendees. It lacked the ability to access location in the background based on Android permissions, which the app would need for continuous location tracking, he added.
Two other cybersecurity analysts who reviewed the app spoke on condition of anonymity to protect their ongoing security work and to protect colleagues attending the climate change conference.
“Let me put it this way. I wouldn’t download this app on my phone,” said one of those experts. These two researchers also warned that once an app is downloaded to a device, it will be difficult, if not impossible, to remove its ability to access people’s sensitive data, even after it is deleted.
POLITICO tested the app’s potential security risks with two open cybersecurity tools, and both raised concerns about its ability to eavesdrop on people’s conversations, track their location and alter how the app operates without asking for permission.
Both Google and Apple have approved the app to appear in their respective app stores. All analysts reviewed only the Android version of the app, not the standalone app for Apple devices. Apple refused to comment on the separate application created for its App Store.
Adding to the concerns of human rights groups is the Egyptian government’s attempt to control its people. In the wake of the so-called Arab Spring, Cairo has cracked down on dissent and used local emergency rules to monitor its citizens’ online and offline activities, according to a report by the non-profit organization Privacy International.
As part of the smartphone app’s privacy notice, the Egyptian government says it has the right to use information provided by those who download the app, including GPS location, camera access, photos and Wi-Fi details.
“Our app reserves the right to access customer accounts for technical and administrative purposes and for security reasons,” the privacy statement reads.
However, a technical review by both POLITICO and outside experts of the COP27 smartphone app found additional permissions that people inadvertently gave to the Egyptian government that were not disclosed through its public statements.
These included the app having the right to track what attendees are doing in other apps on their phones; connecting users’ smartphones via Bluetooth to other hardware in ways that may result in data being offloaded to state-owned devices; and connecting individuals’ phones to Wi-Fi networks independently or making calls on their behalf without their knowledge.
“The Egyptian government cannot be trusted to manage people’s personal data, given its abysmal human rights record and blatant disregard for privacy,” said digital rights campaigner Fatafta.