Mandatory Olympic apps have “catastrophic” encryption flaws

Beijing: The app that every participant in the upcoming Beijing Olympics must use has a cryptographic flaw that could leak personal information, according to a cyber-security watchdog. A “simple but catastrophic flaw” in the encryption of the MY2022 app, which is used to monitor COVID and is required for athletes, journalists and other Games participants in the Chinese capital, could leak health information, voice messages and other data, warned Jeffrey Knockel, author of the Citizen Lab report.
The International Olympic Committee responded to the report by saying that users can disable the app’s access to parts of their mobile phones, and that two unnamed cybersecurity organizations had assessed it as having “no critical vulnerabilities.” “Users can … control what the app can access on their device,” the committee told AFP, adding that it does not need to be installed on mobile phones: “Certified personnel can log on to the web page’s health monitoring system instead.”
The committee said it had sought the report from Citizen Lab “to better understand their concerns.” Citizen Lab said it notified the Chinese Games organizing committee in early December, asking for a response within 15 days and a fix within 45 days, but received no reply. “China has a history of undermining cryptographic techniques for performing political censorship and surveillance,” Knockel wrote.
“Thus, it makes sense to ask if the app’s encryption was deliberately compromised for surveillance purposes, or if the flaw resulted from the developer’s negligence,” he continued. The problem lies in how MY2022 handles encryption: the flaw concerns SSL certificates, which are what allow online entities to communicate securely.
MY2022 does not validate the SSL certificate, meaning other parties can access the app’s data, and data is also sent without the usual SSL encryption. The app is transparent about the medical information it collects as part of China’s efforts to screen for COVID-19 cases, but “it is unknown with whom or with which organization this information is shared,” Knockel said. MY2022 also contains a list of “politically sensitive” Chinese phrases in a file called “illegalwords.txt”. Many of these relate to China’s political situation or to the Tibetan and Uighur Muslim minorities.
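As an added illustration of the certificate-validation failure described above (example code written for this page, not taken from the Citizen Lab report or the MY2022 app): a small source-review check that flags the Java/Android constructs which commonly make a client accept any certificate or any hostname. The sample source and the finding labels are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample of Java/Android source lines that disable certificate
# validation. This is NOT MY2022's code; it shows the typical shapes a reviewer
# looks for when an app "does not authenticate the SSL certificate".
SAMPLE_SOURCE = """\
TrustManager[] trustAll = new TrustManager[]{ new X509TrustManager() {
    public void checkServerTrusted(X509Certificate[] c, String a) { }
    public void checkClientTrusted(X509Certificate[] c, String a) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}};
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String host, SSLSession s) { return true; }
});
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, trustAll, new SecureRandom());
"""

# Each pattern marks a construct that makes the TLS client trust any server
# certificate or any hostname, which is what lets a third party read the
# traffic. Patterns are matched per line, so a body split over several lines
# would need a multi-line scanner (a simplification of this example).
BYPASS_PATTERNS = [
    ("empty-checkServerTrusted",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(throws[^{]*)?\{\s*\}")),
    ("hostname-verifier-always-true",
     re.compile(r"\bverify\s*\([^)]*\)\s*\{\s*return\s+true\s*;")),
    ("allow-all-hostname-verifier",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
    ("getAcceptedIssuers-returns-null",
     re.compile(r"getAcceptedIssuers\s*\([^)]*\)\s*\{\s*return\s+null\s*;")),
]


def find_tls_validation_bypasses(source: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, finding label) for each source line that
    matches one of the validation-bypass patterns, in file order."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern in BYPASS_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, label))
    return findings


if __name__ == "__main__":
    for lineno, label in find_tls_validation_bypasses(SAMPLE_SOURCE):
        print(f"line {lineno}: {label}")
```

A clean client keeps the platform's default TrustManager and HostnameVerifier, so the scanner reports nothing for it.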
These include keywords such as “CCP evil” and the name of Chinese President Xi Jinping, but Knockel said it is unclear whether the list is actively used for censorship. Because of these features, the app may violate both Google’s and Apple’s policies on smartphone software; it “also violates China’s own laws and national standards for privacy protection, and provides potential means for future relief,” he wrote. -AFP
https://www.kuwaittimes.com/mandatory-olympics-app-has-devastating-encryption-flaw/