Phone app Olympic athletes must use is easily hackable, cybersecurity group warns
- Researchers at University of Toronto’s Citizen Lab characterise defect as ‘devastating flaw’ in app supposed to track Covid-19 cases and offer logistical help
- Citizen Lab also says app contains file of 2,442 ‘illegal’ words related to topics like Xinjiang and Tiananmen Square, though no censoring filter is found

A phone app athletes at the Beijing Winter Olympics are required to use contains security flaws that make it vulnerable to privacy breaches of personal and medical information, a cybersecurity watchdog group said on Tuesday.
The app – built by the Games organisers to monitor Covid-19 cases and provide logistical aid to athletes – includes encryption of voice messages and file transfers that can be “trivially sidestepped”, researchers at the University of Toronto’s Citizen Lab reported. They characterised the defect as a “devastating flaw”.
The app, called MY2022, provides encryption of some data during its transmission, but it does not verify the authenticity of recipient servers – meaning that hackers could easily intercept the data by impersonating the target server, the Citizen Lab researchers said.
Exploiting those deficits in the app’s so-called SSL certificate validation mechanism would enable an attacker to obtain “sensitive demographic, passport, travel, and medical information sent in a customs health declaration or to send malicious instructions to a victim after completing a form”, they wrote in their report.
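
An added example, not taken from the Citizen Lab report or the MY2022 app: the flaw class described above, a TLS client that encrypts traffic but never authenticates the server, shown beside the corrected configuration with a check that refuses the weak one. The function names are hypothetical, and Python's `ssl` module stands in for the app's own networking code, which the article does not show.

```python
import ssl


def build_unverified_context():
    """Weak setting: traffic is encrypted, but any certificate for any
    hostname is accepted, so an impersonating server is trusted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be turned off before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # certificate chain is never validated
    return ctx


def build_verified_context():
    """Corrected setting: the chain must validate against trusted roots and
    the certificate must match the hostname the client asked for."""
    return ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True


def audit_context(ctx):
    """Return the server-authentication checks a client context skips."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    return findings


def require_authenticated(ctx):
    """Guard to call before any sensitive form data is sent over ctx."""
    findings = audit_context(ctx)
    if findings:
        raise ValueError("refusing unauthenticated TLS: " + "; ".join(findings))
    return ctx


if __name__ == "__main__":
    for name, builder in (("unverified", build_unverified_context),
                          ("verified", build_verified_context)):
        print(name, audit_context(builder()) or "server is authenticated")
```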

“You can have the best encryption in the world but if you don’t know who it is that it needs to be encrypted to it’s not really worth much,” said Jeffrey Knockel, the report’s lead author.