A report reveals security flaws in the Beijing Games app

Anyone going to China for the 2022 Games must document their health. The My2022 app is intended for this purpose, but it has serious security holes, according to a report available exclusively to DW. Athletes around the world prepare for the Winter Olympics in Beijing. This year, preparations also include observing health regulations due to the COVID-19 pandemic. Athletes are required to install the official My 2022 app on their smartphone. However, the data is poorly encrypted by the app, which could leave Olympic athletes, journalists and sports officials vulnerable to hacking, privacy breaches and data breaches, according to a report from the University of Toronto’s multidisciplinary Citizen Lab, available exclusively to Deutsche Welle. As a result, athletes, journalists and sports officials are exposed to serious risks. Your privacy can be violated and your data will not be protected from theft and monitoring. Also, computer forensics experts found a watchlist in the app. Data security has already been criticized at the Beijing Winter Games: Germany, Australia, the United Kingdom and the United States are asking their Olympic committees and athletes to leave their personal cell phones and laptops at home. Instead, they suggest bringing only temporary hardware into games, which is the fear of digital espionage. Precisely for this reason, the Dutch Olympic Committee has explicitly prohibited athletes from bringing smartphones and personal laptops to China. My2022: Contact tracing and more The Winter Olympics start on February 4th and will be the second largest Olympic event in the midst of the coronavirus pandemic. So it’s no surprise that there is a smartphone app, just like the recent Tokyo Games, to track potential injuries to athletes. According to the International Olympic Committee (IOC), everyone in a specially created “Olympic bubble”, be it athletes, coaches, reporters, sports officials or thousands of local employees, must enter their health data into the My2022 app or into a website. The official purpose of the application developed in China is to monitor the health of Olympic participants and trace contacts in case of positive tests for covid-19. Not only passport data and personal travel status information are entered into the application, but also confidential medical information. For example, if a person has recently had symptoms typical of Covid-19, such as fever, fatigue, headache, dry cough, diarrhea or sore throat. Those coming from abroad must start entering health data 14 days before entering the Asian country. In many countries, app-based contact tracing is considered a modern way to combat the novel coronavirus pandemic. But the Chinese application My2022 goes much further: it also organizes access to Olympic events, provides comprehensive information to visitors about the competition program and its organization, provides tourist services for visitors and even has chat functions (text and voice), news feed and file transfer for users. Or as the description in the Apple Store says: the app offers the option to tweak the settings for different types of users to “enjoy the Olympics from all sides in one app”. Unsecured data transmission Researchers at Citizen Lab have discovered the vulnerabilities in the app, which conducts cybersecurity research on human rights issues and belongs to the University of Toronto’s Monk School of Global Affairs. Citizen Lab has already been involved in exposing the Pegasus spyware. The specific point of criticism relates to so-called SSL certificates, which should ensure that data traffic occurs only between trusted devices and servers. But according to a Citizen Lab report, their authenticity has not been verified. This lack of validation of SSL certificates is a serious security flaw. As a result, the app can be tricked into connecting to a malicious server, causing data to be spied on or even sending malicious data to the app. This vulnerability was found by Jeffrey Knockel of Citizen Lab, not only in relation to health data, but also in other important services provided in the application, such as processing file attachments and voice messages. In addition, the IT expert also found that for some services, the data traffic in the application is not encrypted at all. This means that a spy can read the metadata of the app’s chat service very easily. “Our research shows that My2022 security measures are completely ineffective and do not protect sensitive data from leaking to third parties,” Knockel said. List of censored words IT researchers also discovered a small text file called “legalwords.txt”. It lists 2,442 terms and phrases, mostly from the written Chinese used in the People’s Republic of China, but also some terms in Uyghur, Tibet, written Chinese used in Taiwan, Hong Kong, and English. Among the many terms are profanity, as well as political expressions that are taboo in communist China and are subject to public scrutiny by the state. These are criticisms of the Chinese Communist Party and its leaders, as well as topics about Falun Gong, the Tiananmen Square protests, the Dalai Lama and the Muslim minority of Uyghurs in Xinjiang. The term “Holy Quran” in the Uyghur language, for example, is on the list, according to Citizen Lab. IT security experts have not been able to find any indication in the current version of the application that this watchlist is being actively used. It’s also not entirely clear why the file exists. “Although the ‘legalwords.txt’ file is not currently in use, My2022 already contains code functions that can read this file and use it for censorship, so enabling the censorship menu requires a bit of effort,” notes Nokel, of Citizen Lab. . However, what the app actually has is a reporting function where users of the app can report other users if they see the chat message as dangerous or suspicious. Among the possible reasons for the report is the “politically sensitive content” option, which is commonly used in China to describe topics subject to political censorship. Violating laws In early December, Citizen Lab secretly reported its findings to the Chinese Regulatory Commission. In doing so, as is usual when reporting security vulnerabilities, it asked Chinese Olympic organizers to fix the critical vulnerabilities within 45 days of the report being published. “So far, the organizing committee has not responded to what has been revealed,” Jeff Nokel told DW. New versions appeared in the Apple and Google app stores. But an audit by security researchers at Citizen Lab, which was conducted on January 17, 2022, found no changes regarding the control list and the mentioned vulnerabilities. In its Athletes and Officials Handbook, the IOC writes that the My2022 app “complies with international standards as well as Chinese legislation.” However, based on its disclosures, Citizen Lab concluded that unsafe transmission of personal information “could be a direct violation of Chinese data protection laws.” This is because, according to China’s data protection laws, information about a person’s health must always be stored and transmitted in an encrypted form. The findings of the Citizen Lab report also raise questions for the Western tech giants who offer My2022: Apple and Google. “Both Apple and Google prohibit apps from sending sensitive data without proper encryption, according to their policies. Both must now decide whether unresolved security issues constitute grounds for exclusion from their respective app stores,” Knockel told DW. However, the Beijing 2022 Winter Games Organizing Committee defended the app, noting that it had been “successfully reviewed” by companies such as Google, Apple and Samsung. “We have taken measures such as encryption of personal information to protect private data,” the commission told Xinhua on Monday. Author: Ingo Manteufel, Oliver Leno

Questions, criticism and suggestions? speak with us