Toronto lab discovers security flaws and censorship framework in Olympic app


TORONTO — Researchers at a Toronto-based tech lab have discovered security vulnerabilities and censorship frameworks in an app that all 2022 Beijing Olympics participants must use.

The Citizen Lab, a research institute at the University of Toronto’s Munk School of Global Affairs and Public Policy that studies spyware, has discovered a “simple but devastating” flaw in the MY2022 application that leaves audio files, and the passport details, medical history and travel history submitted in health and customs forms, vulnerable to hackers.

Researcher Jeffrey Knockel discovered that MY2022 does not validate certain SSL certificates. SSL certificates are part of the infrastructure that encrypts application traffic and ensures that no unauthorized person can read information in transit; validating them is how an app confirms it is talking to the server it expects before it sends anything.

This validation failure means the app can be tricked into connecting to malicious hosts it deems trustworthy, allowing the information the app transmits to its servers to be intercepted and allowing attackers to display fake instructions to users.
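The behaviour described above can be checked at the library level. The Go program below is an added example, not code from MY2022 or from the Citizen Lab report: it starts a loopback TLS server whose certificate is signed by a throwaway test CA that no client trusts (standing in for the malicious host), then shows that a client which validates certificates refuses it while a client with validation switched off happily accepts whatever the host serves. The function names `fetchWithPolicy` and `probe` and the served text are constructed for this illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// fetchWithPolicy performs one HTTPS GET with certificate validation either
// enabled (correct) or disabled (the defect class described above) and returns
// the response body, or the handshake/verification error.
func fetchWithPolicy(url string, skipVerify bool) (string, error) {
	client := &http.Client{Transport: &http.Transport{
		// InsecureSkipVerify: true is the "trust any host" mistake.
		TLSClientConfig: &tls.Config{InsecureSkipVerify: skipVerify},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// probe stands up a loopback TLS server with a certificate from a test CA that
// is not in any trust store, i.e. an untrusted host, and reports whether each
// client variant accepted it.
func probe() (validatingAccepted bool, nonValidatingAccepted bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "constructed fake instructions") // what a spoofing host could serve
	}))
	defer srv.Close()
	_, errValidating := fetchWithPolicy(srv.URL, false)
	_, errSkipping := fetchWithPolicy(srv.URL, true)
	return errValidating == nil, errSkipping == nil
}

func main() {
	v, n := probe()
	fmt.Printf("validating client accepted untrusted host: %v\n", v)     // false
	fmt.Printf("non-validating client accepted untrusted host: %v\n", n) // true
}
```

The same test applies to any client library or app: point it at a host whose certificate it should not trust and confirm that the connection is refused rather than completed.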

“The worst case scenario is someone intercepts all the traffic and logs all the passport details, all the medical details,” said Knockel, a research associate, who investigated the app after a reporter curious about its security approached him.

Olympic organizers have required all game participants, including athletes, spectators and members of the media, to download and start using the MY2022 app to submit health and customs information such as COVID-19 test results and vaccination status at least 14 days prior to arrival in China.

The app, from a public company called Beijing Financial Holdings Group, also offers GPS navigation, text, video and audio chat, file transfer, and news and weather updates.

Knockel found that it’s unclear who the app is sharing highly sensitive medical information with.

The Olympic manual states that personal data such as biographical information and health-related data may be processed by Beijing 2022, the International Olympic and Paralympic Committees, Chinese authorities and “other persons involved in the implementation of the (COVID-19) countermeasures”.

Knockel says MY2022 outlines several scenarios in which it will disclose personal information without user consent, which include, but are not limited to, national security issues, public health incidents, and criminal investigations.

However, the app does not specify whether court orders will be required to access this information and who will be eligible to receive data.

The latest concern Knockel uncovered was that the app allowed users to flag “politically sensitive” content and found it contained a list of censorship keywords.

The list contains 2,442 keywords, many of them political, including some related to tensions in Xinjiang and Tibet, as well as references to Chinese government agencies. On the list are Chinese phrases translating to “Jews are pigs” and “Chinese are all dogs,” Uyghur terms for “the Holy Quran,” and Tibetan words referring to the Dalai Lama.

Knockel could not find evidence that the list was used by the app.

“We don’t know if they wanted it to be inactive or if they wanted it to be active, but either way it’s something that…can be activated with a simple press of a switch,” Knockel said.

The Citizen Lab disclosed the concerns it found with MY2022 to the organizing committees on December 3, giving them 15 days to respond and 45 days to fix the issues, before disclosing the issues publicly.

A new version of MY2022 for iOS users was released on January 6, but Citizen Lab said no issues were fixed with the update. In fact, Citizen Lab said the update introduces a new “Green Health Code” feature that collects more medical data and is vulnerable to attack due to its lack of SSL certificate validation.

The Beijing organizing committee did not respond to a request for comment.

The International Olympic Committee said in a statement that it had requested a copy of the Citizen Lab report to better understand its concerns.

The IOC noted that it had conducted independent third-party assessments of MY2022 with two cybersecurity testing organizations and found no critical vulnerabilities in the application.

Meanwhile, the Canadian Olympic Committee did not specifically address the report, but said it had reminded all Team Canada members that the Games present a unique opportunity for cybercrime and that they should be very diligent about these risks.

It said in a statement that it recommended Team Canada members leave personal devices at home, limit the personal information stored on electronic devices brought to the Games, connect only to official Wi-Fi, disable transmission features when not in use and remove any Games-related applications when they are no longer needed.

Knockel recommends that anyone going to the Olympics use the app only when connected to networks they trust, such as through a virtual private network (VPN).

Olympic participants should also consider moving conversations and other actions that aren’t required to be performed in MY2022 to other apps with better security, he said.

“But it’s tricky,” he said. “Even if they are aware of the app’s security flaws, they may not have a choice.”

This report from The Canadian Press was first published on January 18, 2022.

Tara Deschamps, The Canadian Press