Official Beijing 2022 Olympics mobile app has security flaws, researchers say

BY Liza Lin | UPDATED JANUARY 18, 2022 8:19 AM EST

Mandatory software potentially exposes sensitive personal data, including health information, of athletes, officials and others, says Citizen Lab

A mandatory mobile app for all participants in next month’s Winter Olympics in Beijing contains security flaws that could allow a hacker to easily steal sensitive personal information, cybersecurity researchers in Canada warn.

The China-built app, My 2022, will be used to monitor participants’ health, as well as facilitate information sharing, leading up to and throughout the 2022 Games. Technicians from Citizen Lab, a research group on cybersecurity and human rights-focused censorship at the University of Toronto, said they found the app failed to authenticate the identity of some websites, leaving personal data transfers open to attackers.

In a report on Tuesday, Citizen Lab also said the app incorrectly encrypts sensitive metadata transmitted through the app’s messaging feature, meaning any eavesdropper operating a Wi-Fi hotspot could find out. who users communicate with and when.

The researcher discovered the vulnerabilities in the iOS version of the app after downloading it and creating an account, said Jeffrey Knockel, one of the report’s authors. They were unable to create an account on the Android version of the app, but found similar vulnerabilities while testing its publicly available features, he said.

Citizen Lab said the vulnerabilities were similar to those frequently found in other Chinese apps, leading it to believe they are more likely the result of the company’s lax enforcement of cybersecurity standards. China than an intentional government effort to steal data.

Apple and Google, the maker of Android, did not immediately respond to requests for comment. The Beijing Olympic Committee did not respond to a request for comment.

The Beijing 2022 Handbook for Athletes and Officials says My 2022 is intended to ensure the safety of all Games participants and “complies with international standards and Chinese law”.

This year’s Winter Olympics, which begin on February 4, have been one of the most politically charged in decades. Several Western countries, including the United States, Australia and the United Kingdom, have announced diplomatic boycotts of the games, citing widespread human rights abuses, including a campaign of forced assimilation against minority groups. Turkish Muslims in the northwestern region of China, Xinjiang.

Beijing has dismissed criticism from other governments of its human rights record, saying it amounts to interference in China’s internal affairs. China’s foreign ministry has protested what it says are attempts to politicize the Olympics.

Athletes, officials, media and other Games participants will all need to download My 2022 and use it to upload their travel plans, passport details and health information such as body temperature, respiratory symptoms and medication every day for two weeks before arriving. in China. Users are required to continue to use the app to upload information about their health status during the Games.

Other features of the app, built by a state-owned investment and fintech firm, include instant messaging, translation services, and transportation and competition information.

With Covid-19, cybersecurity topped the list of concerns for countries participating in the Games. American athletes have been advised by the US Olympic Committee to leave personal cell phones at home and bring disposable or “burner” phones to China instead to prevent technological surveillance. Officials from Canada, the Netherlands and Great Britain have offered similar advice to their own athletes.

Citizen Lab researchers said in Tuesday’s report that My 2022 failed to validate SSL certificates, which are used to authenticate a website’s identity and ensure a secure connection. The flaw means the app could be tricked into connecting to a fake website designed to steal sensitive user data, Knockel said in an interview.

Researchers found that the app’s messaging feature transmitted some key data without any encryption or security. Metadata, including the names of message senders and recipients and their user account IDs, can be read by any passive eavesdropper operating a Wi-Fi hotspot, or an Internet service provider or security company. telecommunications, they said.

Although they described the My 2022 vulnerabilities as concerning, the researchers said they weren’t particularly surprised because such flaws were often seen in apps developed by Chinese companies.

“While we found glaring and easily detectable security issues with the way My 2022 performed encryption, we also observed similar issues in Zoom developed in China, as well as in most popular Chinese web browsers,” says the report, citing China’s informal regulation. collection of personal data before the recent adoption of strict data protection laws.

The Canadian research group also said it found a list of around 2,400 keywords considered politically sensitive buried in the Android version of the app. The researchers said the list appeared to be inactive, but said it could be used to censor communication on the app.

Most of the words on the list were written in simplified Chinese characters, with a small number of terms appearing in Tibetan, Uyghur, traditional Chinese and English, they said. Among the terms on the list were references to the 1989 crackdown on democracy protests in Tiananmen Square, the banned religious group Falun Gong and the name of Chinese President Xi Jinping.

To subscribe to Mint Bulletins

* Enter a valid email address

* Thank you for subscribing to our newsletter.

Never miss a story! Stay connected and informed with Mint. Download our app now!!

Comments are closed.