THREAT ANALYSIS AND SHARING WEBINAR SERIES
“Nothing is so permanent as a temporary government program.” – Milton Friedman
Fundación Karisma is a Colombian non-profit working to promote human rights in the digital space. They work on issues including security and privacy, social innovation, Internet governance, freedom of expression, and gender and social equality in relation to information and communication technologies.
Since the start of the COVID-19 pandemic, Karisma’s digital security “K+Lab” has conducted technical analysis of public health tools, apps, and websites launched by national and local government agencies in Colombia. As part of the MONITOR Threat Sharing and Analysis webinar series, Andrés Velásquez and Stéphane Labarthe introduced their recent research, sharing their methodology, findings, and future plans.
Highlights from the talk included:
Over the last four months, Fundación Karisma have analyzed multiple websites and apps including:
- CoronApp (https://coronaviruscolombia.gov.co/Covid19/aislamiento-saludable/coronapp.html)
- Medellin Me Cuida (https://www.medellin.gov.co/medellinmecuida)
- CaliValle Corona (https://app.vallecorona.com/)
- BOGOTÁCuidadora (https://bogota.gov.co/bogota-cuidadora/)
The K+Lab’s methodology combines legal analysis of publicly available information and technical analysis. Their research follows a “do it yourself” approach that uses free, Open Source software and non-intrusive methods. Their decision to use free software was based on the transparency and trust that Open Source tooling provides. It also makes the approach easily replicable at minimal cost.
It is crucial for researchers to conduct analysis in a safe and legal way. Karisma navigate local laws criminalizing exploitation of vulnerabilities by working with AccessNow to verify potential vulnerabilities they discover. They then send a private report to the relevant government agency pressing for the main vulnerabilities to be fixed by a set deadline on which the report will be published. This approach puts pressure on the government to act swiftly in resolving vulnerabilities.
As part of their technical analysis, Karisma conducted static analysis of the websites and apps in question. For websites, they examined public information, domains and IP addresses, certificates, source code, and cookies. For apps, they investigated app store information, permissions, trackers, the Android manifest, and disassembled source code. Finally, they conducted dynamic analysis of network traffic to identify further vulnerabilities and problems.
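The manifest review step described above, as an added example that is not K+Lab's own tooling: a small Python triage script that parses an Android manifest, groups requested permissions into the categories a reviewer of a public-health app would question (location, Bluetooth, contacts and media), and lists components whose names hint at Bluetooth or location features. The manifest is constructed for illustration; the package name and component names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, grouped the way a reviewer would flag them.
CATEGORIES = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION",
                 "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "bluetooth": {"android.permission.BLUETOOTH",
                  "android.permission.BLUETOOTH_ADMIN",
                  "android.permission.BLUETOOTH_SCAN",
                  "android.permission.BLUETOOTH_ADVERTISE"},
    "contacts_media": {"android.permission.READ_CONTACTS",
                       "android.permission.CAMERA",
                       "android.permission.RECORD_AUDIO"},
}

# Constructed sample manifest (hypothetical package, not any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.health.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".BleTracingService"/>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the package name, the number of requested permissions, the
    flagged permissions per category, and components whose names suggest
    Bluetooth or location features (the findings a reviewer would follow up)."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    flagged = {cat: sorted(requested & names)
               for cat, names in CATEGORIES.items() if requested & names}
    hints = ("ble", "bluetooth", "beacon", "location", "gps", "tracing")
    suspicious = sorted(
        e.get(ANDROID_NS + "name")
        for tag in ("service", "receiver", "activity")
        for e in root.iter(tag)
        if any(h in (e.get(ANDROID_NS + "name") or "").lower() for h in hints))
    return {"package": root.get("package"), "permissions": len(requested),
            "flagged": flagged, "suspicious_components": suspicious}
```

Run against a real manifest extracted from an APK (for example with apktool), the same function gives a reviewer a first list of permissions to question before any dynamic traffic analysis.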
Karisma discovered vulnerabilities and privacy issues in all of the official apps and websites they analysed. These vulnerabilities and privacy issues included:
- Apps requesting excessive and intrusive permissions
- Apps secretly including software to trial Bluetooth-based contact tracing, in the absence of any government announcement on contact tracing
- Undisclosed close surveillance of users through intensive GPS reporting
- Multiple security flaws enabling attackers to locate and view the data of users and their household members
- Apps sharing data with advertising platforms
Karisma sent a private report to the relevant government agency in each case, often meeting with officials in person, two weeks before publishing their findings publicly. This collaborative approach focuses on engaging with and educating the relevant officials, while also pressuring the agency to act for fear of public reprisal. In order to do so, Karisma leverage the trust relationships they have been building in the four years since K+Lab was established.
The impact of this approach and their recent analysis includes:
- Authentication issues resolved in 2 apps (CoronApp, CaliValle) and 1 website (Medellin Me Cuida)
- HTTPS implemented in CoronApp and being implemented in BOGOTÁCuidadora
- Data collection and permissions were limited in CoronApp
But significant privacy and digital security issues remain! Andrés and Stéphane stressed that transparency is crucial with respect to these tools – citizens are placing unparalleled trust in their local and national governments by giving up their data in order to support the crisis response. As a result, governments have a responsibility to conduct effective quality assessments and research before deploying tools which gather sensitive personal data.