Beijing 2022 Olympics mobile app suffers from security flaws, researchers say

by Liza Lynn | UPDATED Jan 18, 2022 08:19 AM EST

Essential software potentially exposes sensitive personal data, including health information, from athletes, officials and others, according to Citizen Lab

A mobile app that is mandatory for all participants at next month’s Winter Olympics in Beijing has security flaws that could make it easier for a hacker to steal sensitive personal information, cyber security researchers in Canada have warned.

The China-made app, My 2022, will be used to monitor the health of attendees, as well as to facilitate the sharing of information before and during the 2022 Games. Researchers from Citizen Lab, a human rights-focused cybersecurity and censorship research group at the University of Toronto, said they found the app failed to authenticate the identities of certain websites, leaving the transfer of personal data open to attackers.

In a report released Tuesday, Citizen Lab also said that the app didn’t properly encrypt sensitive metadata transmitted through the app’s messaging function, meaning any eavesdropper operating a Wi-Fi hot spot could find out with whom and when users are communicating.

One of the report’s authors, Jeffrey Knockel, said the researchers found vulnerabilities in the iOS version of the app after downloading it and creating an account. They said they were unable to create an account on the Android version of the app, but found similar vulnerabilities by testing its publicly available features.

Citizen Lab said the vulnerabilities were similar to those frequently found in other Chinese apps, leading it to believe they were more likely the result of China’s lax enforcement of cybersecurity standards than part of a deliberate government effort to steal data.

Apple and Google, the makers of Android, did not immediately respond to requests for comment. The Beijing Olympic Committee did not respond to a request for comment.

The Beijing 2022 Handbook for Athletes and Officials says My 2022 aims to ensure the safety of participants in all sports and is “in accordance with international standards and Chinese law.”

This year’s Winter Olympic Games, which begin on February 4, are the most politically charged in decades. Several Western countries, including the US, Australia and the UK, have announced a diplomatic boycott of the Games, citing widespread human rights abuses, including a campaign to forcibly assimilate Turkic Muslim minority groups in the northwestern Chinese region of Xinjiang.

Beijing has dismissed other governments’ criticisms of its human rights record, saying they amounted to interference in China’s internal affairs. China’s foreign ministry has opposed attempts to politicize the Olympic Games.

Athletes, officials, media and all other participants must download My 2022 and, every day for the two weeks before they arrive in China, upload their travel plans, passport details and health information such as body temperature, respiratory symptoms and medications. Users are required to continue using the app to upload information about their health status during the Games.

Other functions of the app, built by a state-owned fintech and investment company, include chat messaging, translation services and transportation and competition information.

Along with COVID-19, cyber security tops the list of concerns among the countries participating in the Games. American athletes have been advised by the US Olympic Committee to leave their personal cellphones at home and bring disposable or “burner” phones to China to prevent any technical surveillance. Authorities in Canada, the Netherlands and Great Britain have offered similar guidance to their own athletes.

Researchers at Citizen Lab said in a Tuesday report that My 2022 failed to validate SSL certificates, which are used to authenticate a website’s identity and ensure a secure connection. That flaw means the app can be tricked into connecting to a fake website designed to steal sensitive user data, Knockel said in an interview.
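As an added illustration (not code from Citizen Lab or from the My 2022 app), the Python snippet below contrasts a client TLS configuration that skips certificate validation, the class of flaw described above, with a hardened one, and includes a small audit helper that flags the weak settings a reviewer would look for.

```python
import ssl

# Constructed example: two client TLS configurations built here for
# illustration. Neither is taken from My 2022; they model the flaw class
# (no certificate validation) and its corrected form.


def insecure_client_context() -> ssl.SSLContext:
    """Mirrors the flaw: any certificate is accepted, so a fake server
    presenting an untrusted or mismatched certificate is not rejected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # server name never compared to the cert
    ctx.verify_mode = ssl.CERT_NONE   # chain never checked against trusted CAs
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Correct client setup: chain validated against the system trust store,
    server name checked against the certificate, legacy TLS disabled."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would flag for a client context.

    An empty list means the context validates the peer the way a client
    handling health and passport data should."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("server hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["no findings"])
```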

The researchers found that the messaging function of the app transmitted some important data without any encryption or security. The metadata, including the names of senders and recipients of messages and their user account identifiers, can be read by any passive eavesdropper operating a Wi-Fi hot spot, or an Internet service provider or telecommunications company, he said.

While they reported the vulnerabilities in My 2022, the researchers said they were not particularly surprised because such vulnerabilities were often seen in apps developed by Chinese companies.

“While we found clear and easily discoverable security issues with the way My 2022 encryption works, we have also seen similar issues in Chinese-developed Zoom as well as the most popular Chinese web browsers,” the report said, citing China’s lax regulation of personal data collection prior to the recent passage of stricter data-protection laws.

The Canadian research group also said that it found a list of nearly 2,400 keywords, considered politically sensitive, buried inside the Android version of the app. The list appears to be inactive, the researchers said, though they said it could be used to censor communications on the app.

The researchers said that most of the words on the list are written in Simplified Chinese characters, with some words in Tibetan, Uighur, Traditional Chinese and English. Among the terms contained in the list were references to the 1989 Tiananmen Square protests and crackdown, the banned religious group Falun Gong and the name of Chinese President Xi Jinping.
