As the Beijing Winter Olympics draw closer, a cybersecurity group said that an app athletes are required to use can be easily hacked, putting their personal and medical information at risk. Photo: Reuters

Phone app Olympic athletes must use is easily hackable, cybersecurity group warns

  • Researchers at University of Toronto’s Citizen Lab characterise defect as ‘devastating flaw’ in app supposed to track Covid-19 cases and offer logistical help
  • Citizen Lab also says app contains file of 2,442 ‘illegal’ words related to topics like Xinjiang and Tiananmen Square, though no censoring filter is found

A phone app athletes at the Beijing Winter Olympics are required to use contains security flaws that make it vulnerable to privacy breaches of personal and medical information, a cybersecurity watchdog group said on Tuesday.

The app – built by the Games organisers to monitor Covid-19 cases and provide logistical aid to athletes – includes encryption of voice messages and file transfers that can be “trivially sidestepped”, researchers at the University of Toronto’s Citizen Lab reported. They characterised the defect as a “devastating flaw”.

The app, called MY2022, provides encryption of some data during its transmission, but it does not verify the authenticity of recipient servers – meaning that hackers could easily intercept the data by impersonating the target server, the Citizen Lab researchers said.

Exploiting those deficits in the app’s so-called SSL certificate validation mechanism would enable an attacker to obtain “sensitive demographic, passport, travel, and medical information sent in a customs health declaration or to send malicious instructions to a victim after completing a form”, they wrote in their report.

Screenshots by the Citizen Lab show the landing page and main user interface of the MY2022 app. Image: The Citizen Lab, Munk School, University of Toronto

“You can have the best encryption in the world but if you don’t know who it is that it needs to be encrypted to it’s not really worth much,” said Jeffrey Knockel, the report’s lead author.

Overseas athletes are required to download the MY2022 app and track their Covid status for 14 days ahead of their departure for China and for the duration of their stay there, according to a guide by the Beijing 2022 Organising Committee in conjunction with the International Olympic Committee (IOC).

Besides inadequate encryption protections, Citizen Lab also found that some user data was not encrypted at all.

The findings add to mounting concerns about the privacy and welfare of athletes taking part in the Games. Already, governments have advised athletes not to use their own devices while in China, while activists have warned of potential legal ramifications of speaking out against the Chinese government while in Beijing.

“Chinese laws are very vague on the crimes they can use to prosecute people’s free speech,” Yaqiu Wang, a senior researcher at Human Rights Watch, said during a Tuesday event the group hosted about the Games.

Such concerns come atop criticism of the IOC’s selection of Beijing as host of the 2022 Winter Olympics and Paralympics because of China’s alleged human rights abuses in the Xinjiang Uygur autonomous region and elsewhere. Those objections have prompted governments, including the US, to announce diplomatic boycotts of the Games, though those countries are still sending athletes to compete.

Besides MY2022’s encryption issues, Citizen Lab researchers also found embedded in the app’s Android version a file marked “illegalwords” of 2,442 keywords related to politically sensitive topics like Xinjiang, the Tiananmen Square crackdown and the names of Chinese leaders. The researchers did not find evidence that the list was linked to any kind of censorship mechanism.

While mostly in simplified Chinese, the list also included words in the Uygur and Tibetan languages – an “uncommon” feature of keyword lists in Chinese software, according to the researchers.

The app also allows users to report “politically sensitive” content.

A diagram by the Citizen Lab shows how a lack of “SSL certificate validation” makes data vulnerable to breaches. Image: The Citizen Lab, Munk School, University of Toronto

Responding to the report, a Beijing 2022 Organising Committee official said on Wednesday that the app had been constantly tested and updated to counter potential vulnerabilities, but said that it was “not very surprising” some issues remained.

Speaking at an online media briefing about the Games, Yang Shu, the committee’s deputy director general of international relations, also said he was unaware about the embedding of a politically sensitive word bank, and vowed an investigation into the matter.

“It is not an intentional restriction from our side,” he said.

In their report, the researchers warned that the security pitfalls could violate guidelines of the Google and Apple app stores. Neither company immediately responded to requests for comment.

Despite assurances in IOC documents that the app’s data protection mechanisms complied with “international standards”, the researchers also said the security deficits could run afoul of China’s own privacy laws, “providing potential avenues for future redress”.

Citizen Lab’s Knockel said it was hard to speculate exactly how the flaws came about. But it was unlikely that the vulnerabilities were some kind of intentional back door installed at the direction of the Chinese government, he said, given that the sensitive data such as passport information and health status being transmitted through the app was intended for the government in the first place.

“In cases like this the simplest answer is usually the correct one – it’s just an oversight,” said Knockel. “Maybe it was rushed.”

Even so, the Games organising committee has not responded to a December 3 notice by Citizen Lab disclosing their findings, while an updated version of the app published on the Apple app store on Monday did not resolve the security issues raised, according to the report.

Also on Tuesday, Internet 2.0, a Canberra-based cybersecurity consultancy, recommended that athletes and visitors to the Games use burner phones and create new email and browser accounts for use on those phones “to mitigate the risk of sensitive information and personal data being collected”.

A number of national sporting bodies, including those of the US, Britain, Australia and the Netherlands, have reportedly already made similar recommendations to their athletes.

In a memo to US athletes obtained by USA Today, Team USA recommended using rental computers and burner phones, warning that “the data and applications on cell phones are subject to malicious intrusion, infection and data compromise”.

According to the Dutch newspaper de Volkskrant, the Dutch Olympic committee has barred athletes from using their own phones altogether and will furnish them with unused devices.

Additional reporting by Associated Press