Security experts have warned of a ‘devastating’ security flaw and potential for surveillance
British athletes have been offered temporary phones and their Team USA rivals have reportedly been told to use burner devices ahead of the Beijing Olympics, acting after investigations suggested the mandated Games app is not safe.
All attendees of the Games, which take place from February 4-20 2022, are required to submit their health status to the app, which internet experts say is at serious risk of data breaches and may have a list of censored terms including references to Chinese people, Muslims, Jews and the host nation’s president, Xi Jinping.
Encryption of users’ voice audio and file transfers can be “trivially sidestepped” by hackers because of a “devastating flaw” in the app, according to the damning findings of a report by cybersecurity group Citizenlab.
The group said that there are scenarios in which the app will disclose personal information without user consent, including national security matters, public health incidents and criminal investigations – and its privacy policy is said not to specify whether such incidents would require a court order and who the information might be given to.
The MY2022 app, designed to monitor the spread of Covid, is mandatory for athletes, journalists and other attendees of the Games in China’s capital pic.twitter.com/3NAiROb1sm
— Telegraph World News (@TelegraphWorld) January 18, 2022
(2/5) The researchers discovered a list of terms in Chinese, Tibetan and in Uyghur in the #My2022 app. They find “Holy quran, Dalai Lama or Tiananmen 1989” The list is not activated. But what is it doing on a mobile phone of many thousands of international athletes and officials?
— Oliver Linow (@OliverLinow) January 18, 2022
The Dutch Olympic Committee*Dutch Sports Federation has gone a step further than its British and American counterparts by reportedly telling athletes not to take personal phones or laptops to the Games because of the risk of surveillance of electronic equipment by China.
Dutch athletes and staff will be handed phones and laptops which will be destroyed when they return home, said De Volkskrant via the Guardian.
The app, MY2022, has a wide range of uses include Covid vaccination status and coronavirus lab test result logging, with foreigners required to input details such as their passport information and medical history.
The Chinese government has said it was built by the Organizing Committee for the Games, and Citizenlab claimed it could violate Apple and Google terms because it is “wholly insufficient to prevent sensitive data from being disclosed to unauthorized third parties.”
Investigators said the app could even constitute a “direct violation of China’s privacy laws.”
@citizenlab’s Jeffrey Knockel says he found the vulnerability not only regarding health data, but also with other important services in the app. This includes the app service that processes all file attachments as well as transmitted voice audio.
— William Yang (@WilliamYang120) January 18, 2022
The expert says he also discovered that for some services, data traffic in the app is not encrypted at all. This means that the metadata of the app’s own chat service can easily be read by hackers.
— William Yang (@WilliamYang120) January 18, 2022
In the Android version of the app, the report found a list of 2,442 politically-sensitive words in China in a file called ‘illegalwords.txt’.
No functionality was found to allow censorship to be performed by the keywords and terms, which are said to have included ‘Jews are pigs’, ‘Chinese are all dogs’, Xi’s name and the Tibetan for ‘His Holiness Dalai Lama’
Several terms associated with the Uyghurs – the Muslim group that China is accused of persecuting – were identified, including ‘The Holy Quran’.
Numerous countries are performing a diplomatic boycott of the Games, largely due to the alleged human rights crimes being carried out against Uyghurs.
US president Joe Biden’s administration, Boris Johnson’s British government and Canada and Australia are among the nations to have joined the protest.
Citizenlab said the widespread lack of security in the app was more likely to be a result of “differing priorities” for Chinese software developers than a “vast government conspiracy”.
“The knee-jerk reactions against Chinese apps and suspicions of their censorship and surveillance capacities are to a large extent warranted,” they said.
“There exists extensive documentation of security flaws, privacy violations and information controls on apps operated in China and internationally-facing apps developed by Chinese companies.
“It is worth noting, however, that the Chinese government has taken significant steps to rein in companies’ invasive collections and poor handling of personal information, largely following global approaches to personal data protection.”
The report added that they had told the Organizing Comittee of the security issues on December 3 2021 and given them 45 days to fix the issues before the findings were made public.
Leaders are said not to have responded by January 18, with the app vendors also said to have been informed before a new version of the app, released on January 17, reportedly failing to address the flaws.
Citizen Lab notified the Chinese Olympic organising committee of the issues in early December, giving them 15 days to respond and 45 days to fix the problem, but has so far received no reply pic.twitter.com/KuZ97wmeWy
— Telegraph World News (@TelegraphWorld) January 18, 2022
Health customs forms which transmit passport details, demographic information, and medical and travel history are also vulnerable. Server responses can also be spoofed, allowing an attacker to display fake instructions to users.
— Citizen Lab (@citizenlab) January 18, 2022
American athletes have been told to take disposable phones – known as burner devices – to prevent potential surveillance, according to the Wall Street Journal via Cnet.
Team USA and the International Olympic Committee (IOC) are said not to have immediately responded to a request for comment from the outlet.
A British Olympic Association spokesperson told the Guardian: “We’ve given athletes and staff practical advice so that they can make their own choice as to whether they take their personal devices to the Games or not.
“Where they do not want to take their own equipment, we have provisioned temporary devices for them to use.”
If you go to Apple store and try to download China’s official Winter Olympics app My 2022, Apple would tell you that “the developer does not collect any data from this app”. But if you read the detail, it says that this was “indicated” by the developer and not verified by Apple. pic.twitter.com/LOG11hjCXe
— Wenhao (@ThisIsWenhao) January 18, 2022
“The IOC also defended the app by saying it received approval from the Google Play store and the App Store.”It is deeply misleading to say that being on either the Google or Apple store constitutes a security endorsement by either company.#Apple#Google
— Robert Potter (@rpotter_9) January 18, 2022
The IOC said that the app would support the ‘closed loop’ environment at the Games designed to keep participants and Chinese residents safe.
“The user is in control over what the ‘My2022’ app can access on their device,” it told Zdnet, adding that the settings can be changed and personnel can log health information on a web page if they do not want to use the app.
“The IOC has conducted independent third-party assessments on the application from two cyber-security testing organizations. These reports confirmed that there are no critical vulnerabilities.”
The outlet said that Beijing’s Games Committee had assured USA Today that personal information would not be disclosed unless it is “necessary.”
“Information of accredited media representatives will only be used for purposes related to the Olympic and Paralympic Winter Games,” it reportedly stated.
China has reportedly agreed to drop its censorship of western sites such as Instagram and Facebook for athletes at the Olympics because of “contractual obligations”, allowing stars to post on the sites.
Google ended some of its services in China more than a decade ago. The reasons behind the termination were censored.
More than 180 human rights groups have called on governments to carry out boycotts of the Games over the past year, with many describing the alleged treatment of the Uyghurs, who are widely thought to be suffering detainment and abuse in mass camps, as “genocide”.
The US House of Representatives accused the IOC of ignoring its human rights commitments by co-operating with China.
Concerns have been raised by the case of Peng Shuai, the Chinese tennis ace who appeared to vanish after a post she made alleging sexual abuse by a former prominent member of the ruling Chinese Communist Party was swiftly removed from a social media site.
Peng has since reappeared via clips released by state-affiliated media, but the Women’s Tennis Association has been outspoken in its fears that she is being coerced and is not free and well, suspending all tournaments in China until bosses are convinced the situation has been satisfactorily resolved.
The politician named in the allegations, Zhang Gaoli, has been pictured meeting IOC president Thomas Bach before Peng’s claims came to light, and is also said to have led the steering committee responsible for securing and arranging the Games.
Comments are closed.