Anyone traveling to China for the 2022 Olympics must document their health status in the My2022 app.
But the software has serious security gaps, according to a cybersecurity report.
Athletes from all over the world are preparing to take part in the Beijing Winter Olympics. This year, compliance with the relevant health rules is also part of the preparation. Athletes are required to install the official application called “My 2022” on their smartphones. But the application has shortcomings in data encryption. This is confirmed by a report from Citizen Lab, made available exclusively to Deutsche Welle. It puts athletes, journalists and sports officials at serious risk from hackers: their privacy is not protected, and their data is not protected from theft and surveillance. Furthermore, cyber forensics specialists found that the application contains a list of censored terms.
Great fear of digital espionage
Data security at the Beijing Winter Games has already drawn criticism: Germany, Australia, the United Kingdom and the United States have called on their national Olympic committees and athletes to leave their private phones and laptops at home and to take separate devices to the Olympics instead. That is how great the fear of digital espionage is.
For that reason the Dutch Olympic Committee has explicitly banned its athletes from bringing private smartphones and laptops to China. In the My2022 app, athletes, coaches, reporters, sports officials and local employees must register their health records.
MY2022-App: tracking contacts and much more
The Winter Olympics start on February 4 and will be the second Games held during the coronavirus pandemic. It is therefore not surprising that a smartphone app is mandatory; one was also used at the Summer Games in Tokyo last year. According to the official playbook of the International Olympic Committee (IOC), the obligation to install it applies to everyone who will be inside the so-called “Olympic bubbles” created specifically for athletes, coaches, reporters, sports officials, diplomatic representatives and thousands of local employees. The application, developed in China, is meant to monitor the health of Olympic participants and, in the case of positive coronavirus tests, to trace contacts.
The application must hold not only passport data and personal travel details, but also very private and sensitive medical information, for example whether you have recently had Covid-19-like symptoms such as fever, fatigue, headache, dry cough, diarrhea or sore throat. Anyone arriving from abroad must begin entering health data in the application 14 days before entering the country.
App-based contact tracing is seen in many countries as a modern way to combat the Covid-19 pandemic. But the Chinese My2022 app does more than trace contacts: it manages authorizations for access to Olympic events, serves as a guide for visitors with information on the program and organization of sporting events, provides tourist services, and even includes chat functions (text and audio), news feeds and file transfers for users. Or, as the description in the Apple App Store puts it, the My2022 application “offers a personalized service for different groups of users to enjoy the games in a comprehensive way with one application”.
Insecure data transmission in the application
The gaps in the app were discovered by researchers at Citizen Lab, which studies digital security in the context of human rights at the Munk School of Global Affairs at the University of Toronto. Citizen Lab was also involved in the discovery of the Pegasus spyware. The specific point of criticism concerns the so-called SSL certificates, which are supposed to ensure that data flows only between trusted devices and servers: according to the Citizen Lab report, the app does not validate them. This lack of SSL certificate validation is a serious security vulnerability. As a result, the application can be redirected to communicate with a malicious server, allowing its data to be intercepted or even malicious data to be returned to the application.
Citizen Lab researchers Jeffrey Knockel and Lotus Ruan found vulnerabilities not only in the handling of health data, but also in other important services in the app. These include the service that processes all file attachments as well as audio transmissions. The experts also found that for some services the application's traffic is not encrypted at all. This means that data from the app's chat service can be read very easily by attackers. “Our findings show that the My2022 application security measures are completely ineffective and do not protect sensitive data from being leaked to unauthorized third parties,” says Knockel.
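The certificate-validation failure described above, as an added example in Go that is not code from the app or from the Citizen Lab report: a local HTTPS test server presents a self-signed certificate (standing in for a server the app could be redirected to), and three client policies are tried against it. A client that validates certificates refuses to send anything, a client with validation disabled (the flaw the report describes) accepts whoever answers, and a client pinned to the legitimate server's own certificate accepts it while still validating. The server, its reply text and the three policies are constructed for this illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// fetch does one GET and returns the body, or the error that stopped the request
// (for a rejected certificate that error arises during the TLS handshake).
func fetch(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

func clientWith(cfg *tls.Config) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// RunChecks starts a local HTTPS server with a self-signed certificate and tries
// three client policies; a nil error means that client accepted the server.
func RunChecks() (verifyErr, skipErr, pinErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "health data would be sent here") // constructed payload
	}))
	defer srv.Close()
	// 1. Validation against the system trust store: unknown issuer, rejected before any data is sent.
	_, verifyErr = fetch(&http.Client{}, srv.URL)
	// 2. Validation disabled, the flaw the report describes: whoever answers is trusted.
	_, skipErr = fetch(clientWith(&tls.Config{InsecureSkipVerify: true}), srv.URL)
	// 3. Validation on, trusting only the legitimate server's certificate (pinning).
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	_, pinErr = fetch(clientWith(&tls.Config{RootCAs: pool}), srv.URL)
	return
}

func main() {
	v, s, p := RunChecks()
	fmt.Println("verifying:", v, "\nskipping:", s, "\npinned:", p)
}
```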
Censorship? The list of censored terms raises questions
The researchers also discovered a text file called “illegalwords.txt”. It lists 2,442 keywords and phrases, mostly in the Chinese script used in the People’s Republic of China, but also some terms in Uighur, Tibetan, the Chinese script used in Taiwan and Hong Kong, and English. Among the many terms are several insults, but also expressions referring to politically taboo topics in communist China that are censored by the state, including criticism of the Chinese Communist Party and its leaders, as well as keywords related to Falun Gong, the Tiananmen protests, the Dalai Lama, and the Uighur Muslim minority in the Xinjiang region. The Uighur entries, according to Citizen Lab, include for example the term “holy Qur’an”.
The security researchers could not find any evidence that this censorship list is actively used in the current version of the application. It is also unclear why the file exists at all. Jeffrey Knockel of Citizen Lab says, “Even if the illegalwords.txt file is not currently in use, My2022 contains encryption functions that read this file and can be used for censorship, so the censorship list is easily activated.”
The application already contains a reporting feature, through which users can report other users if they consider the content of a message suspicious or dangerous. Among the possible reasons for a report is the option “delicate political content”, the usual description in China for censored political topics.
According to Citizen Lab researchers, private and medical data in the My2022 app are not sufficiently protected.
No reaction of the Chinese Organizing Committee to security gaps
In early December 2021 Citizen Lab confidentially communicated its findings to the Organizing Committee. As is customary with security vulnerabilities, Citizen Lab urged the Chinese Olympic organizers to fix the weaknesses in the system before the report was published. “So far the Organizing Committee has not reacted to the revelations,” Jeff Knockel told DW.
Although app updates have since been published in Apple's and Google's app stores, a check carried out by Citizen Lab security researchers on January 17, 2022 found no changes regarding the censorship list or the reported vulnerabilities.
In the playbook for athletes and officials, the International Olympic Committee writes that the My2022-App is “in line with international standards as well as Chinese legislation.”
But Citizen Lab, based on its findings, concludes that the transmission of personal information “could be a direct violation of Chinese data protection laws”, because under China's data protection regulation information about a person’s health condition must be transmitted and stored in encrypted form.
The results presented in the Citizen Lab report also raise questions for the Western tech giants that distribute the My2022 app: Apple and Google. “Both Apple and Google, according to their policies, prohibit the application from transmitting sensitive data unencrypted. Both have to decide now whether unresolved security issues should result in the app being removed from their app stores,” Knockel told DW.
The Beijing 2022 Organizing Committee defends the app, stating that it has been “successfully verified” by Google, Apple and Samsung. “We have taken measures for the encrypted transmission of personal information, to protect private data,” the committee told China’s Xinhua news agency on Monday.
Top Channel