Security Flaws, Censorship Mechanisms Found in Winter Olympics App Provided to Athletes

When athletes arrive at the 2022 Winter Olympics in Beijing, they will be required to download an app called “MY2022.” This government-created app is ostensibly meant for contact tracing purposes, should an athlete test positive for Covid-19. However, according to privacy watchdog Citizen Lab, it will be packed with some unexpected extras: security flaws and possible censorship features.

A teardown of the app has found that portions of it have security flaws that fail to encrypt sensitive personal data properly. In addition, the researchers found a list of political terms that would be verboten in China embedded in the app’s code.

Winter Olympics athletes required to use questionable tracking app

The Citizen Lab examination of the Winter Olympics MY2022 app found serious encryption flaws in the segments that handle coronavirus testing results and various forms of personal data, including location and travel information. In some cases the app failed to verify the encryption signature properly during handoffs, and in other cases it did not encrypt the data at all.

The app also contained a hidden list of political terms that are generally flagged or banned by the Chinese government, though Citizen Lab says that the list was not being actively used in communications in any way.

Foreign athletes have been told that they will have special internet access that will circumvent China’s usual restrictive “great firewall,” which openly blocks and censors many outside sources of information. But they are also being asked to isolate themselves from the country’s population while at the Winter Olympics. Checking the possible spread of Covid-19 is the given reason, but the presence of a censorship list raises some obvious additional questions.

Citizen Lab says that it privately disclosed the security flaws to the Beijing Organizing Committee in early December, but has not received a response. The organization went public with the issue after an app update on Jan 18 did not appear to do anything to patch the vulnerabilities.

James Carder, Chief Security Officer at LogRhythm, expanded on exactly what information might be stolen from the phones of Winter Olympics athletes: “The Beijing Winter Olympics app stores details about the daily activity of each of the athletes that can be used to identify where they are, where they will be and when, and what sensitive personal information they have to share to ensure eligibility to compete in the Olympics. The app also grants permission to hear audio, allowing bad actors the possibility of engaging with the audio or listening to an athlete. Additionally, the information stored in the app can allow for attacks, both logical and physical, and other ways to influence and impact the personal lives of athletes.”

The censorship keyword list is a text file that contains 2,422 entries labeled as “illegal words.” The researchers say that lists of this nature are often embedded in Chinese apps. The list included the name of president Xi Jinping, Tiananmen Square, the Quran and the Dalai Lama among other items.

The security flaws are severe enough that they could provide reason for MY2022 to be delisted from Google and Apple’s app stores, which require baseline protections for apps that handle certain categories of potentially sensitive personal information. Any app operating in China is required to provide the government with a way to access encrypted communications, but these security flaws extend beyond the presence of such a backdoor to provide relatively easy access to third-party hackers. This should put it in violation of China’s own data privacy laws, which are very strong in regulating non-government entities handling any sort of personal information.

Ongoing history of security flaws in coronavirus tracing apps

There has been an ongoing pattern of coronavirus tracking apps being made and deployed quickly, with an unsurprising discovery of security and privacy issues coming along behind them. As in many other countries, this has already happened in China: an initial Covid-19 tracking app maintained by internet giant Alibaba was found to be sending citizen data to law enforcement without the notification it was supposed to provide. And the “LeaveHomeSafe” app used in Hong Kong began seeing fake versions proliferate, some apparently created by government workers, after it became mandatory for entering government buildings as of November 1.

The security flaws with this particular app are believed to be bad enough that the personal information of Winter Olympics participants could be passively stolen by any hacker in range of an improperly secured WiFi network, without anyone even being aware that it had happened. An ambitious hacker could apparently even exploit the opening to issue fake messages and instructions to the athletes.

Chris Olson, CEO at The Media Trust, believes that the security flaws are more likely a standard oversight in the quick creation of an app rather than an attempt at a backdoor by the Chinese government: “Poor app security is a leading cause of the rise in cyberattacks on mobile devices. While the security issues found in ‘My 2022’ are concerning, unfortunately they are not as unique as they appear. Not all mobile apps are susceptible to man-in-the-middle attacks, but most of them do contain undisclosed third parties who can access the same user data as the developer.”

Athletes are being asked either to install the app, or to log in through a web portal, 14 days before they arrive in Beijing to register for the health monitoring system. They will be required to submit health information to the system daily once the Winter Olympics are underway. The situation is troubling given that the U.S. Olympic & Paralympic Committee has issued an advisory warning athletes that they should not have “any expectation” of data security and privacy while in the country.

Many nations have been advising their Winter Olympics athletes to leave their personal phones at home and bring a “burner” for the duration of the games, under the assumption that their communications will be monitored by the Chinese government. The possibility of a data breach raised by these security flaws only makes that advice more sound and prudent.