Olympic app "My2022": Researchers point out a security gap

2022-01-19T09:08:25.833Z


The "My2022" app collects data from participants in the Olympic Winter Games in China, but also allows chats. According to IT experts, the transmission is poorly protected, which the developers have known for weeks.


The Winter Olympics in China are about to begin: now there is criticism of the official app

Photo: NOEL CELIS / AFP

IT security researchers have discovered a potential technical issue in the official app for the Olympic Winter Games in China. Because of a "simple but devastating vulnerability" in the app's encryption, personal information could be intercepted in transit, warn researchers at Citizen Lab at the University of Toronto. Athletes and other participants in the Beijing Winter Games are required by the organizers to use the "My2022" mobile app as part of the pandemic control measures.

Health data such as medical history, vaccination status, PCR test results, daily temperature readings for the 14 days before the Games, previous travel and passport details are entered into the app. The app also offers text and audio chat, the medal table, news, weather and data transfer. The researchers raise the question "whether the encryption was deliberately sabotaged for surveillance purposes or whether the error was caused by the developers' negligence".

They discovered a list of 2442 keywords for possible censorship and moderation of content, but this was not activated.

Among other things, it is about Tibet, Xinjiang and possible criticism of the Communist Party, but also about pornography.

The words, which the list labels "illegal", are mostly Chinese, but Uyghur and Tibetan terms also appear.

According to the analysis, these include "Dalai Lama", "Tian'anmen" and "Koran".

Not an atypical feature

It is unclear why the function is not activated.

However, the researchers warned that it could be used via an update.

Such lists are often built into Chinese apps as part of legal requirements.

"My2022" also allows users to report "politically sensitive" content.

The researchers can only speculate about the causes of the encryption deficiencies. Since most of the sensitive information in the app goes to official bodies anyway, it would be of little help to the authorities to intercept "their own data", they write. The researchers therefore consider a "major official conspiracy" to be unlikely. One hypothesis is that encryption may have been deliberately weakened so the app would work over China's networks, which make heavier use of surveillance technology than those of other countries.

The organizers of the games starting on February 4 were informed on December 3 and asked to rectify the defects within 45 days.

As of Tuesday, there was no response, the report said.

The problems have not been resolved either.

For this reason, the decision was made to publish the findings.

Someone could step in

According to the researchers, the weak point in the encryption is that the app does not validate several SSL certificates, so there is no assurance that data actually reaches the intended server.

An attacker on the network path could therefore interpose a server of their own and have the app send its data there instead.

According to the experts, some data is also sent without any encryption, which allows eavesdropping even on unsecured Wi-Fi networks or by Internet providers.

Anyone with access to the corresponding network could easily understand who is chatting with whom.
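As an added example that is not part of the article or of the app's own code, the following Python shows the client-side failure the researchers describe (a TLS context that accepts any certificate) next to a correctly validating one, and a small audit function that reports which settings would let an interposed server be accepted. The function names and the reconstruction of the weak configuration are assumptions, not the app's actual code.

```python
import ssl


def tls_client_findings(ctx: ssl.SSLContext) -> list:
    """Return the settings of a client SSLContext that would let an
    interposed server be accepted in place of the real one."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: the server certificate chain is "
                        "never validated, so any server can pose as the real one")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: a certificate issued for some "
                        "other host name is accepted for this connection")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: deprecated protocol "
                        "versions are negotiable")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """The failure mode described in the report: TLS is used, but the
    server certificate is not checked. Hypothetical reconstruction,
    not the app's actual code."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # accept any certificate, or none at all
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """A context that validates the chain against the system CA store and
    checks the host name, which is what closes this gap."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(f"{name}: {tls_client_findings(ctx) or ['no findings']}")
```

Running the script prints two findings for the weak context and none for the hardened one; the same audit can be applied to any `SSLContext` a client library hands you before it is used for a connection.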

"My2022" was developed by the state-owned Beijing Financial Holdings Group on behalf of the organizing committee.

The app makes no secret that it shares data with a number of organizations.

These include the organizers of the Winter Games, safety and health authorities, the International Olympic Committee (IOC) and other partners involved in implementing the measures against Covid-19.

According to press reports, several countries are giving their athletes "clean" mobile phones to install "My2022" on, out of concern for private data.

The Chinese organizers rejected allegations of espionage.

They said they strictly adhere to the laws protecting personal information.

The Citizen Lab report said the insecure data transfer could violate not only the requirements of Google and Apple's app stores, but also China's own privacy laws.

mbo/dpa

Source: spiegel
