News

Mandatory My 2022 App Endangers Beijing Olympics Competitors

The mandatory application for the Beijing Winter Olympics, My 2022, has a number of security issues, making it vulnerable to hacking attacks, data leaks and surveillance.

Everyone who intends to attend the Olympics next month (including athletes, sports writers, sports management, etc.) is required to provide their health information to the Chinese authorities through the My 2022 mobile application.

However, according to a report from Citizen Lab, the app has a number of security issues that make it vulnerable to hacking, data breaches and snooping. In addition to encryption issues, My 2022 contains a list of keywords to be censored.

Shortly before the publication of the Citizen Lab report, the UK, Germany, Australia and the US urged their athletes not to take personal mobile devices to the Olympics and are ready to give them disposable phones. The Dutch Olympic Committee went even further and strictly prohibited its athletes from taking personal equipment to Beijing due to possible espionage by the Chinese authorities.

According to International Olympic Committee guidelines, athletes, coaches, journalists, management and all staff numbering in the thousands are required to provide health data through the My 2022 mobile application or website. The application, developed in China, is designed to monitor the health of participants and staff monitoring for possible COVID-19 infections.

Users also need to enter passport data, arrival / departure information, information about possible symptoms of coronavirus (high temperature, fatigue, headache, cough, sore throat and diarrhoea) in the application.

Persons arriving in Beijing from overseas should start entering relevant information 14 days before arriving in China.told in Citizen Lab.

There are applications for tracking the COVID-19 infection chain in many countries, but My 2022 combines this functionality with other services: manages access to events, acts as a guide and provides information about sports facilities and tourism services, acts as a messenger (text and audio), provides a news feed and allows sharing files.

According to a report from Citizen Lab, the application’s SSL certificates, which indicate that data is transferred exclusively between a trusted device and a server, have not been authenticated. In other words, My 2022 has serious encryption issues. Attackers can force an application to connect to a malicious host, allowing it to intercept communications or send malicious data in response.

Worse still, for some services in the application, the traffic is not encrypted at all. That is, outsiders can easily read the chat metadata.

The researchers also found a text file illegalwords.txt in the application containing 2,442 keywords and phrases, mostly written in Simplified Chinese (the main language used in the PRC). True, a small part of the words are written in Uighur, Tibetan, traditional Chinese (used in Hong Kong and Taiwan) and English.

Many keywords include profanity as well as expressions related to politically taboo topics in communist China that are censored by the state, including criticism of the Chinese Communist Party and its leaders. One example on the list reviewed by Citizen Lab is the term “Holy Quran” in Uighur.

There is no evidence in the current version of the app that this one is being actively used for censorship. Why it is present at all in the application is not yet clear.

Even if illegalwords.txt is not currently in use, My2022 already contains code functions that can read this file and apply it for censorship, so enabling censorship will be a breeze.said Citizen Lab specialist Jeffrey Knockel.

Let me remind you that we talked about the fact that the Chinese bank forced western companies to install tax software with backdoor, and also that the Chinese authorities use AI to analyse the emotions of Uyghur prisoners.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Sending

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button