Truth about spying device found in Eskom CEO André de Ruyter’s car
The circuit board Eskom CEO André de Ruyter found under the driver’s seat of his Volvo was likely the panic button of a pre-fitted tracking system.
“Based off of the photos that you have sent us, our third-party supplier Tracker have informed us that this could be one of their older devices that were fitted to Volvos a few years ago,” a Volvo spokesperson told MyBroadband.
Volvo’s clarifying feedback comes after bold claims on Sunday that De Ruyter had stumbled on an “NSA-level” bug while cleaning his car.
This was based on a Sunday Times report citing a preliminary report from former police commissioner turned forensic investigator George Fivaz.
According to the paper, Fivaz claimed the circuit board was entirely beyond South Africa’s technical capabilities and was not available on the open market.
He reportedly said it was a covert device that could track locations, record audio, and transmit data back to a receiver, developed by a government-backed agency in an advanced country.
In the wake of the media storm around the initial reports about the alleged spying device, South Africa’s technical community pored over photos of the circuit board.
They were immediately sceptical about the claims that it was a clandestine device only within the capabilities of a spy agency with nation-state backing.
MyBroadband spoke to security researcher Daniel Cuthbert, who has experience with covert implants.
He is also a co-author of the OWASP Application Security Verification Standard and sits on the Blackhat review board.
Cuthbert immediately pointed out that the circuit board was silkscreened, complete with pin labels and what appeared to be model or serial numbers.
It also had a barcoded sticker with a serial number on it.
Had it been a covert implant, the device would typically have as few identifying markings as possible.
The microcontroller and other chips on the board were also cheap, off-the-shelf components, refuting the claim that South Africans could not have made it.
A MyBroadband reader identified one of the chips as an STMicroelectronics lower-power microcontroller available on Alibaba for between R1.80 and R55 — depending on the exchange rate and how many you buy.
After MyBroadband published an article with Cuthbert’s analysis, a hardware security researcher identified the second chip as a Texas Instruments CC1200/1201 transceiver.
Cuthbert noted that the device did not have an obvious GPS chip or GSM module, nor did it use a battery capable of powering communications electronics for any reasonable period.
This was a big red flag, Cuthbert explained, as pictures of the rear of circuit board showed it used a CR2032 lithium coin battery.
Such a low-power battery would drain very fast if used to drive a listening or tracking bug.
Cuthbert said he would expect an “NSA-level” tracking device to at least use a lithium polymer battery.
Taking all of the available evidence together, Cuthbert concluded that the device was not a tracking or listening device, and almost certainly not a covert implant.
Cuthbert still joked that the device looked like a gate or garage remote — and he wasn’t far off.
On Tuesday evening, a MyBroadband reader posted photos of the circuit board in his Volvo’s panic button.
MyBroadband contacted the reader, who said he drives a 2016 Volvo XC90 and explained that the carmaker had partnered with Tracker in South Africa some years ago.
He said the panic button is designed to send a wireless signal to the Tracker so thieves can’t simply trace a wire to locate where the unit is hidden in the car.
Tracker fits a vehicle tracking unit and panic button in every Volvo sold in the country. Motorists can then optionally add a Tracker subscription to their Volvo roadside assistance.
Tracker will also locate your car if it’s stolen without a subscription.
The partnership dates back to at least January 2014, when Tracker started fitting new Volvos with Skytrax units.
Conflicting feedback from the Fivazes
MyBroadband contacted George Fivaz Forensic & Risk for comment, where we spoke to Friedel Fivaz. He asked that we email our questions.
“We are still in the preliminary stage of our investigation and are not permitted to discuss any detail until our preliminary report is made available to our client,” Friedel Fivaz told MyBroadband.
“Once he receives the preliminary report (within the next 2–5 days), he will be in a position to arrange a press conference.”
This was a curious response from Fivaz, as Sunday Times reported that it had seen the preliminary report and had quoted from it.
“I am in no position to verify if or how Sunday Times came upon their so-called report,” Friedel Fivaz said.
“Our ethical rule is to report to our clients and not the media.”
This statement was also contradictory, as DefenceWeb reported on Monday that George Fivaz had provided them with on-the-record comment confirming the information the Sunday Times reported.
In addition, he claimed the device could “hack and remotely control” the electronics in De Ruyter’s Volvo.
George Fivaz reportedly said the investigation would still take several weeks due to the device’s “highly-specialised features”.
Eskom spokesperson Sikonathi Mantshantsha told MyBroadband that the power utility would not be adding any further comment on this matter.