Canadian cybersecurity group Citizen Lab has released a report listing several security vulnerabilities in the MY2022 app, which is designed for extensive use at the upcoming 2022 Winter Olympics in Beijing next month.
For context, all participants, journalists, and attendees of the event are required to download the app 14 days prior to their departure to China. Aside from health monitoring, the app also includes features such as messaging, file transfers, Olympic news, and city guide services for Beijing.
According to Citizen Lab, the app fails to validate SSL certificates, which means it cannot properly verify to whom it is sending data. This would allow attackers to spoof trusted servers and display fake instructions to users, as well as access sensitive information in health customs forms.
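As an added illustration (this is not code from the Citizen Lab report or from the MY2022 app), the Python snippet below puts a TLS client context with certificate and hostname validation disabled, the class of mistake described above, beside a correctly configured one, and includes a small audit helper a code reviewer can run against an application's contexts to flag the weak settings. The connection helper and its `host` parameter are assumed for demonstration only.

```python
import socket
import ssl
from typing import List


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings explaining why this context cannot authenticate
    the server it talks to. An empty list means the certificate chain is
    verified against trusted CAs and the hostname is matched against it."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate chain is not verified (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    return findings


def insecure_context() -> ssl.SSLContext:
    """The misconfiguration behind 'fails to validate SSL certificates':
    any certificate, including one presented by a machine in the network
    path, is accepted, so the client cannot know whom it is talking to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Default client context: system CA store, CERT_REQUIRED,
    hostname checking on, and nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def open_verified_connection(host: str, port: int = 443) -> dict:
    """Connect with the hardened context and return the peer certificate.
    `host` is supplied by the caller; the handshake fails closed if the
    server's certificate does not chain to a trusted CA or name `host`."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Constructed demo: the audit flags the weak context and passes the hardened one.
    print("insecure:", audit_tls_context(insecure_context()))
    print("hardened:", audit_tls_context(hardened_context()))
```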
Not only that, but the Toronto-based researchers also found that MY2022 fails to encrypt sensitive metadata, including the names of message senders and receivers and their user account identifiers. This means a wide range of parties, including ISPs or anyone connected to the same unsecured Wi-Fi access point, could read the data.
The most worrying part is that the group found the app allows users to report politically sensitive content, and it uncovered a censorship keyword list in the Android version in a file named “illegalwords.txt”. The list contains 2,442 keywords, the majority of them politically motivated or vulgar, though the list appears to be inactive.
In response to the report, the International Olympic Committee (IOC) said that the MY2022 app has been independently assessed and was found to have no critical vulnerabilities. The Beijing Organising Committee for the games did not respond to the findings, but it released an update to the iOS version that did not fix any of the issues. Instead, a new feature called “Green Health Code” was added to collect travel document and medical history information, and it was found to be similarly vulnerable.
Nevertheless, several countries have warned athletes not to bring their personal devices to China over fears of cybersecurity threats. For example, the U.S. Olympic & Paralympic Committee has recommended the use of burner phones as well as rental or disposable computers. Meanwhile, the Dutch Olympic Committee will reportedly provide phones and laptops to athletes and staff, which will be disposed of once they return from Beijing.