A mobile app that’s mandatory for all participants in next month’s Winter Olympics in Beijing contains security flaws that could make it easy for a hacker to steal sensitive personal information, cybersecurity researchers in Canada warn.

The China-built app, My 2022, will be used to monitor the health of attendees, as well as facilitate information sharing, leading up to and throughout the 2022 Games. Technicians with Citizen Lab, a human rights-focused cybersecurity and censorship research group at the University of Toronto, said they found the app failed to authenticate the identity of certain websites, leaving transfers of personal data open to attackers.

In a report released Tuesday, Citizen Lab also said the app didn’t properly encrypt sensitive metadata transmitted through the app’s messaging function, which meant any eavesdropper operating a Wi-Fi hot spot could discover who users are communicating with and when.

The researchers found the vulnerabilities in the iOS version of the app after downloading it and creating an account, said Jeffrey Knockel, one of the authors of the report. They weren’t able to create an account on the Android version of the app but found similar vulnerabilities by testing its publicly available features, he said.

Citizen Lab said the vulnerabilities were similar to those frequently found in other Chinese apps, which led it to believe they are more likely to be the result of China’s lax enforcement of cybersecurity standards than part of an intentional government effort to steal data.

Beijing has been put on high alert ahead of the Olympics, with authorities trying to quickly stamp out Covid outbreaks wherever they pop up.


Apple and Google, the maker of Android, didn’t immediately respond to requests for comment. The Beijing Olympic Committee didn’t respond to a request for comment.

The Beijing 2022 handbook for athletes and officials says My 2022 is intended to ensure the safety of all Games participants and “is in accordance with international standards and Chinese law.”

This year’s Winter Olympic Games, which begin Feb. 4, have been among the most politically charged in decades. Several Western nations, including the U.S., Australia and the U.K., have announced diplomatic boycotts of the Games, citing widespread human-rights abuses, including a campaign of forcible assimilation carried out against Turkic Muslim minority groups in the northwestern Chinese region of Xinjiang.

Beijing has rejected other governments’ criticisms of its human-rights record, saying they amount to interference in China’s internal affairs. China’s Foreign Ministry has protested what it says are attempts to politicize the Olympic Games.

Athletes, officials, media and other participants in the Games all will be required to download My 2022 and use it to upload their travel plans, passport details, and health information such as body temperature, respiratory symptoms and medications each day for two weeks before arriving in China. Users are required to continue using the app to upload information about their health condition during the Games.

Other functions of the app, built by a state-owned fintech and investment company, include chat messaging, translation services, and transport and competition information.

Along with Covid-19, cybersecurity has ranked at the top of the list of concerns among countries participating in the Games. American athletes have been advised by the U.S. Olympic Committee to leave personal cellphones at home and bring disposable or “burner” phones to China instead to prevent any technological surveillance. Officials from Canada, the Netherlands and Great Britain have offered similar guidance to their own athletes.

Citizen Lab researchers said in Tuesday’s report that My 2022 failed to validate SSL/TLS certificates, the credentials a client uses to confirm that the server it is talking to really is the one it claims to be before it sends any data over the encrypted connection. That flaw means the app could be deceived into connecting to a fake website built to steal sensitive user data, Mr. Knockel said in an interview.

The researchers found that the app’s messaging function transmitted some key data without any encryption or security at all. Metadata including the names of message senders and receivers and their user account identifiers can be read by any passive eavesdropper operating a Wi-Fi hot spot, or an internet service provider or telecom company, they said.
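The certificate-validation failure described above, and what an interposed server can then read from a client that skips the check, as an added example in Go (this is not code from Citizen Lab, the report or the My 2022 app): a throwaway self-signed certificate stands in for an attacker's, a loopback listener plays the fake server, and four client configurations are tried against it. The hostname olympics.example, the sample sender/receiver payload and the Outcome field names are constructed for the example. The vulnerable client sets `InsecureSkipVerify: true`, the equivalent of the missing validation the report describes; the hardened clients verify against the system trust store or a pinned certificate and also check the hostname.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned makes a throwaway self-signed certificate for host, standing in for an impostor server's certificate.
func selfSigned(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, err
}

// startImpostor serves cert on loopback and records the first line each client sends after the handshake.
func startImpostor(cert tls.Certificate) (net.Listener, <-chan string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, nil, err
	}
	seen := make(chan string, 16)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			// Reading drives the server side of the handshake; a client that rejects the cert aborts here.
			if line, _, err := bufio.NewReader(c).ReadLine(); err == nil {
				seen <- string(line)
			}
			c.Close()
		}
	}()
	return ln, seen, nil
}

// send dials addr with cfg and writes one line if the client accepted the certificate; returns the handshake error.
func send(addr string, cfg *tls.Config, line string) error {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 2 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	_, err = conn.Write([]byte(line + "\n"))
	return err
}

type Outcome struct { // how each client configuration treated the impostor
	NoValidation  error  // InsecureSkipVerify: the flaw; any certificate is accepted
	Captured      string // what the impostor read from that client
	SystemRoots   error  // default trust store: must reject the self-signed cert
	PinnedOK      error  // pinned cert, matching hostname: accepted
	PinnedBadHost error  // pinned cert, wrong hostname: must be rejected
}

func Run() (Outcome, error) {
	const host = "olympics.example" // hypothetical hostname, not one from the report
	cert, leaf, err := selfSigned(host)
	if err != nil {
		return Outcome{}, err
	}
	ln, seen, err := startImpostor(cert)
	if err != nil {
		return Outcome{}, err
	}
	defer ln.Close()
	addr, pool := ln.Addr().String(), x509.NewCertPool()
	pool.AddCert(leaf)
	// Constructed sample payload standing in for a message's sender/receiver metadata.
	o := Outcome{NoValidation: send(addr, &tls.Config{InsecureSkipVerify: true}, `{"from":"alice","to":"bob"}`)}
	if o.NoValidation == nil {
		o.Captured = <-seen
	}
	o.SystemRoots = send(addr, &tls.Config{ServerName: host}, "x")
	o.PinnedOK = send(addr, &tls.Config{ServerName: host, RootCAs: pool}, "x")
	o.PinnedBadHost = send(addr, &tls.Config{ServerName: "other.example", RootCAs: pool}, "x")
	return o, nil
}

func main() { o, err := Run(); println(o.Captured, o.SystemRoots != nil, o.PinnedOK == nil, err == nil) }
```

Running it shows the asymmetry the report is about: only the client that skips verification completes the handshake with the impostor, and the impostor then reads the payload in the clear; the client using the system trust store fails with an unknown-authority error, the pinned client succeeds only when the hostname also matches, and a pinned certificate with the wrong hostname is still rejected, which is why "validate the certificate" has to mean both chain and hostname checks in a mobile client.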


While they described the vulnerabilities in My 2022 as concerning, the researchers said they weren’t particularly surprised as such flaws were often seen in apps developed by Chinese companies.

“While we found glaring and easily discoverable security issues with the way that My 2022 performs encryption, we have also observed similar issues in Chinese-developed Zoom, as well as the most popular Chinese web browsers,” the report said, citing China’s casual regulation of personal data collection prior to the recent passage of strict data-protection laws.

The Canadian research group also said it found a list of about 2,400 keywords considered politically sensitive buried inside the Android version of the app. The researchers said the list appeared to be inactive, though it could be used to censor communication on the app.

Most of the words on the list were written in simplified Chinese characters, with a small number of terms appearing in Tibetan, Uyghur, traditional Chinese and English, they said. Among the terms contained on the list were references to the 1989 crackdown on democracy protests at Tiananmen Square, the banned religious group Falun Gong, and the name of Chinese President Xi Jinping.

Write to Liza Lin at [email protected]


Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.

This post first appeared on wsj.com
