Story at a glance
- Citizen Lab, an internet watchdog group, published a report that detailed serious security flaws within China’s MY2022 app.
- The app was created for all participants of the 2022 winter Olympics to use for real-time chat and file transfers for sensitive information like passports and health data.
- Citizen Lab found some of the sensitive data held on MY2022 was not encrypted, allowing it to be easily hacked.
A new report is flagging serious security flaws in an app that is mandatory for all attendees of the 2022 winter Olympics just weeks before the games are scheduled to begin.
Citizen Lab, an internet watchdog organization, published a report this week that details how an app called MY2022, mandatory for all attendees of the 2022 Olympic Games, has a simple but “devastating” flaw where encryption protecting users’ voice audio and file transfers can easily be hacked and sidestepped.
Citizen Lab also said that health customs forms that transmit passport details, demographic information and medical and travel history are vulnerable within MY2022. Some sensitive data stored on the app was found to be non-encrypted, including the names of messages’ senders and receivers and their user account identifiers.
Such data could be read by any “passive eavesdropper,” which Citizen Lab’s report described as someone in range of an unsecured WiFi network, a hotspot operator or any internet service provider.
The watchdog says an attacker could hack the app’s system and fake instructions to users.
MY2022 is a multifunctional app created for Olympic attendees to chat in real time through voice audio, transfer files and receive news and weather updates regarding the games. According to Citizen Lab, the app can also be used to submit required health customs information for those visiting China from abroad, like passport details, demographic information and travel and medical histories.
The app also allows users to report “politically sensitive” content and includes a censorship keyword list that targets a variety of political topics, including domestic issues like Xinjiang and Tibet. The list is presently inactive, according to Citizen Lab.
In December, Citizen Lab disclosed the security issues it identified to the Beijing Organizing Committee for the 2022 Olympics and Paralympic winter games, with a deadline of 15 days to respond and 45 days to fix the identified issues. As of Jan. 18, Citizen Lab hasn’t received a response.
However, a software update for MY2022 was released on Jan. 17; Citizen Lab analyzed it and found that it did not fix the reported issues.
Citizen Lab’s report comes as many countries are advising their athletes not to take their personal smartphones to the Olympics in Beijing, but instead to bring temporary phones, also known as burner phones, according to The Associated Press (AP).
The U.S. Olympic & Paralympic Committee also issued an advisory to athletes that said, “assume that every device and every communication, transaction and online activity will be monitored,” the AP reported.
China has a long history of collecting personal data, with Citizen Lab saying Chinese apps ranging from banking apps to video streaming platforms have been found to excessively collect sensitive user data, often without user consent.
“While we found glaring and easily discoverable security issues with the way that MY2022 performs encryption, we have also observed similar issues in Chinese-developed Zoom, as well as the most popular Chinese Web browsers,” said Citizen Lab’s report.
This isn’t the first controversy involving the upcoming winter Olympics, as activists are warning athletes to refrain from speaking out against China over fears that athletes could face prosecution.
Under the International Olympic Committee’s guidelines, athletes may express their views, including when speaking to the media, during team meetings, through social media channels and on the playing field, but only if the expression is not targeted, directly or indirectly, against people, countries, organizations and/or their dignity, among other exceptions.
“This IOC rule combined with the opaque Chinese system places every athlete at risk,” athlete advocacy group Global Athlete said in a statement earlier this week.