
Mandatory Chinese Olympics app has 'devastating' encryption flaw

By Salaam Times and AFP

A man uses his mobile phone at the spectator area of an Olympic venue in Beijing on December 15. [Noel Celis/AFP]


An app all attendees of the upcoming Beijing Olympics must use has encryption flaws that could allow personal information to leak, a cyber security watchdog warned.

The "simple but devastating flaw" in the encryption of the MY2022 app, which is used to monitor COVID-19 and is mandatory for athletes, journalists and other attendees of the games in China's capital, could allow health information, voice messages and other data to leak, warned Jeffrey Knockel, author of the report for Citizen Lab, on Tuesday (January 18).

The International Olympic Committee responded to the report by saying users can disable the app's access to parts of their phones and that assessments from two unnamed cyber security organisations "confirmed that there are no critical vulnerabilities".

"The user is in control over what the... app can access on their device," the committee told AFP, adding that installing it on cell phones is not required "as accredited personnel can log on to the health monitoring system on the web page instead".

The committee said it had asked Citizen Lab for its report "to understand their concerns better".

Citizen Lab said it notified the Chinese organising committee of the issues in early December and gave them 15 days to respond and 45 days to fix the problem, but received no reply.

A history of censorship, surveillance

"China has a history of undermining encryption technology to perform political censorship and surveillance," Knockel wrote.

"As such, it is reasonable to ask whether the encryption in this app was intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence," he continued, adding that "the case for the Chinese government sabotaging MY2022's encryption is problematic".

The flaws affect SSL certificates, which allow online entities to communicate securely.

MY2022 does not validate SSL certificates, so other parties could intercept the app's data; it also transmits some data without the encryption that SSL normally provides, Knockel wrote.
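The validation failure described above, illustrated in Python rather than in the app's own code, as an added example that is not from the article or Citizen Lab's report: a client context that skips certificate and hostname checks will accept any certificate presented by whoever sits between it and the server, while the default context rejects it. The `audit_context` helper is an assumed name for a review check, not an existing library function.

```python
import ssl
from typing import List

# Constructed example (not MY2022 or Citizen Lab code). A TLS client
# configured this way negotiates encryption but never authenticates the
# peer, which is the condition the report describes: anyone holding any
# certificate can impersonate the server and read the traffic.
def insecure_context() -> ssl.SSLContext:
    """The anti-pattern: TLS is negotiated, but the peer is never verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # certificate never matched to the host
    ctx.verify_mode = ssl.CERT_NONE     # certificate chain never validated
    return ctx

def secure_context() -> ssl.SSLContext:
    """The fix: validate the chain against the system trust store, check the
    hostname, and refuse legacy protocol versions."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a code reviewer would raise for a client context.
    An empty list means the context authenticates its peer properly."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate chain not validated (verify_mode=CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings

if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("secure", secure_context())):
        print(name, audit_context(ctx) or ["no findings"])
```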

While the app is transparent about the medical information it collects as part of China's efforts to screen COVID-19 cases, he said "it is unclear with whom or which organisation(s) it shares this information".

MY2022 also contains a list called "illegalwords.txt" of "politically sensitive" phrases in China, many of which relate to China's political situation or its Tibetan and Uighur Muslim minorities.

These include keywords like "CCP evil" and Xi Jinping, China's president, though Knockel said it was unclear if the list was being actively used for censorship purposes.

Because of these features, the app may violate both Google and Apple policies around smartphone software, and "also China's own laws and national standards pertaining to privacy protection, providing potential avenues for future redress", he wrote.

In solidarity with China's oppressed Uighur Muslim population, the Global Imams Council has called on Muslims around the world to refrain from participating in or attending the 2022 Winter Olympics in Beijing.

Beijing has been committing a litany of violations in the northwestern region of Xinjiang, where more than a million people, most of them Uighurs, have been arbitrarily detained in "political re-education" camps.

Independent investigations and interviews with former camp inmates have brought to light physical and mental torture, brainwashing, systematic rape and sexual abuse inside the camps, which effectively serve as prisons.

Security risks in Chinese phones

Chinese phones have been coming under greater scrutiny around the world as studies continue to tie the devices to national security risks, censorship, privacy issues and data leaks.

Lithuania's Defence Ministry said in September that public institutions and consumers should be wary of using Chinese phones, warning about possible security flaws and data leaks.

The country's National Cyber Security Centre reported that it had found "cyber security risks" in two popular Chinese-made phones sold in Europe -- the Xiaomi Mi 10T 5G and the Huawei P40 5G.

In the Xiaomi -- the most popular smartphone in Europe -- it reported finding a built-in censorship tool that can block certain search terms in Chinese and also Latin script.

The censored terms appear to be ever-evolving, with 449 words or phrases on the blacklist in April 2021 and 1,376 by September. They include words in Chinese and also Latin script.

The blocked terms include "Free Tibet", "Long live Taiwan independence", "democracy movement", "student movement", "dictatorship", and the names of some Western companies and news outlets.

"We clearly saw that all of those key words are politically motivated," Lithuanian Vice Defence Minister Margiris Abukevicius told Voice of America (VOA).

"It is very, very worrying that there is a built-in censorship tool and of keywords, which filters or could filter your search on the web," he said.

The Huawei phone posed a threat because it automatically redirected users to third-party app stores that could host virus-infected apps, said the report.


Looking on the internet, I found some pictures. One of the pictures is heartbreaking. The caption says: ((The Vietnamese photographer Nick Ut captured this chilling photograph on June 8, 1972. During the Vietnam conflict, the American army often used napalm during their missions; however, this time one of the planes mistakenly hit the village of Trang Bang, wounding many civilians. Nick Ut brought the 9-year-old girl in this photograph to an American hospital where she was saved. After 17 skin grafts, the young girl went on to live a full life and even had two children.)) I don't mean to blame any country, and I was happy to read that she was rescued and that she gave birth to two children; however, the ongoing situation of the world is going toward such a bad conclusion where human beings will once again kill each other indiscriminately. One of the solutions is not to stop visiting games, conferences, meetings and joint projects that benefit humans. In short, put all the weapons, first the nuclear weapons and then the rest of the weapons, on fire; make the world and life peaceful and stop fighting forever. This message is to America, China, Russia, Europe and all other humans. Don't think that a soldier will die and that he should die for reasons such as the country, government or politics of your country; no, leave him to live beside his wife, love and children.


We know how stupid China is and how dirty the Chinese think. At the same time, we urge the United States to differentiate between the Afghan people and the Taliban. A little before, I read Tom West's words on the BBC website, which writes: (US Special Representative for Afghanistan says a portion of Afghanistan's frozen money may be paid as compensation to the families of the victims of the 9/11 attacks following court rulings but says a final decision has yet to be made. In an interview with BBC's Hafizullah Martoof, Thomas West stated that the money was not frozen by the US government but by banks there. He also said that the US government wanted part of the money to be released to Afghanistan for humanitarian aid but insisted it would not be given to the Taliban. In an exclusive interview with the BBC, Thomas West said his country's treatment of Afghanistan under the Taliban's banner depends on the Taliban's actions.) We have nothing to do with the Taliban and the Taliban government, nor is this government representative. Whatever the Taliban have done to the US, what the Arabs have done to them and what the Pakistani ISI has done to the US, revenge for these acts and terrorist activities should not be taken from the Afghan people. Afghans' money should be kept as a deposit.
