Olympics

Toronto lab finds security vulnerabilities, censorship framework in Olympic app

Researchers at a Toronto-based tech laboratory have uncovered security vulnerabilities and censorship frameworks in an app all 2022 Beijing Olympics attendees must use.

Says flaw makes audio files, medical and travel history at risk to hackers

A Toronto-based tech laboratory has found a "simple but devastating" flaw in the app all attendees must use at the Beijing Olympics next month. (Martin Bernetti/AFP via Getty Images)

Researchers at a Toronto-based tech laboratory have uncovered security vulnerabilities and censorship frameworks in an app all 2022 Beijing Olympics attendees must use.

The Citizen Lab, a research institute at the University of Toronto's Munk School of Global Affairs and Public Policy that studies spyware, found a "simple but devastating" flaw in the MY2022 app that makes audio files, health and customs forms transmitting passport details, and medical and travel history vulnerable to hackers.

Researcher Jeffrey Knockel found MY2022 does not validate some SSL certificates, digital infrastructure that uses encryption to secure apps and ensures no unauthorized people can access information as it is transmitted.

This failure to validate means the app can be deceived into connecting with malicious hosts it mistakes as being trusted, allowing information the app transmits to servers to be intercepted and attackers to display fake instructions to users.

"The worst-case scenario is that someone is intercepting all the traffic and recording all the passport details, all the medical details," said Knockel, a research associate, who investigated the app after a journalist curious about its security functions approached him.

WATCH | Explaining security flaws in the Beijing Olympics app:

Explaining the security flaw & censorship framework found in 'My2022' Beijing Olympic app

3 years ago
Duration 4:45
The Citizen Lab, a socio-political research group from the University of Toronto's Munk School of Global Affairs & Public Policy, found the Beijing 2022 companion app, to be used by Olympians and other attendees of the Games, has a security flaw that opens up any user's personal data to hackers. David Masson, chair of enterprise security at Darktrace, joined to explain the potential dangers of the app to its users.

Olympic organizers have required all games attendees, including athletes, spectators and media members, to download and start using the MY2022 app for submitting health and customs information like COVID-19 test results and vaccination status at least 14 days ahead of their arrival in China.

The app from a state-owned company called Beijing Financial Holdings Group also offers GPS navigation and text, video and audio chat functions and the ability to transfer files and provide news and weather updates.

Knockel found it's unclear with whom the app shares highly sensitive medical information.

Censorship keyword list

The Olympic playbook outlines personal data such as biographical information and health-related data may be processed by Beijing 2022, International Olympic and Paralympic committees, Chinese authorities and "others involved in the implementation of the [COVID-19] countermeasures."

Knockel said MY2022 outlines several scenarios where it will disclose personal information without user consent, which include but are not limited to national security matters, public health incidents, and criminal investigations.

However, the app does not specify whether court orders will be required to gain access to this information and who will be eligible to receive data.

WATCH | Cybersecurity experts at UofT voice concerns about Beijing Olympics app:

Cybersecurity experts concerned about 2022 Beijing Olympics app

3 years ago
Duration 3:44
Cybersecurity experts at the University of Toronto are voicing concerns about the My2022 app, which is required for all participants in the Beijing Winter Olympics.

The final concern Knockel uncovered was that the app allows users to report "politically sensitive" content and found it has a censorship keyword list.

The list includes 2,442 political terms, including some linked to tensions in Xinjiang and Tibet, as well as references to Chinese government agencies. On the list are Chinese phrases translating to "Jews are pigs" and "Chinese are all dogs," Uyghur terms for "the Holy Quran" and Tibetan words referring to the Dalai Lama.

Knockel couldn't find evidence the list was being used by the app.

"We don't know whether they intended for it to be inactive or whether they intended for it to be active, but either way, it's something that … can be enabled at the flick of a switch," said Knockel.

The Citizen Lab disclosed the concerns it found with MY2022 to organizing committees on Dec. 3, giving them 15 days to respond and 45 days to fix the issues, before it publicly disclosed the problems.

IOC requests copy of lab report

A new version of MY2022 for iOS users was released on Jan. 6, but Citizen Lab said no issues were resolved with the update. In fact, Citizen Lab said the update introduced a new "Green Health Code" feature that collects more medical data and is vulnerable to attacks because of its lack of SSL certificate validation.

The Beijing Organizing Committee said in a statement that the report failed to provide necessary evidence to support its conclusions and claimed the app is not compulsory to download on cell phones.

It said the Google Play store and Apple's App Store had both approved MY2022 for use. Neither Google nor Apple responded to a request for comment.

The International Olympic Committee said in a statement that it has requested a copy of the Citizen Lab's report to better understand its concerns.

The IOC noted it has conducted independent third-party assessments on MY2022 with two cyber-security testing organizations and found there are no critical vulnerabilities in the app.

Meanwhile, the Canadian Olympic Committee did not address the report specifically, but said it has reminded all members of Team Canada that the Games present a unique opportunity for cybercrime and they should be extra diligent about these risks.

It said in a statement it has recommended Team Canada members leave personal devices at home, limit personal information stored on electronics brought to the Games, only connect to official Wi-Fi, turn off transmitting functions when not in use and remove any Games related apps when they're no longer necessary.

Knockel recommends anyone headed to the Olympics only use the app when connected to networks they trust, like a virtual private network.

Olympic participants should also consider taking conversations and other actions that are not mandatory to complete in MY2022 to other apps with better security, he said.

"But it's tricky," he said. "Even if they are aware of the security vulnerabilities in the app, they might not have a choice."

Add some “good” to your morning and evening.

Get up to speed on what's happening in sports. Delivered weekdays.

...

The next issue of The Buzzer will soon be in your inbox.

Discover all CBC newsletters in the Subscription Centre.opens new window

This site is protected by reCAPTCHA and the Google Privacy Policy and Google Terms of Service apply.