Just over two weeks before the Games begin in Beijing, researchers are claiming that an app many participants are using has major security issues. Citizen Lab, a research center based at the University of Toronto’s Munk School of Global Affairs and Public Policy, said a “simple but devastating flaw” made it easy to circumvent the encryption that was supposed to protect voice audio and file transfers.
The app is used for health monitoring as part of COVID-19 countermeasures. Other resources include messages, Games news and logistical information. The International Olympic Committee says Beijing 2022’s local workforce is also using the app for things like timing and task management.
“The IOC conducted independent third-party assessments of the application from two cybersecurity testing organizations,” the IOC told Ploonge in a statement. “These reports confirmed that there are no critical vulnerabilities.” The IOC noted that instead of using the mobile app, participants can access a web-based health monitoring system. It added that it had requested the researchers’ report “to better understand their concerns.”
Citizen Lab notes that customs health forms containing passport information and travel and medical history are also at risk. Additionally, the researchers said that it was possible to spoof server responses, which could allow hackers to provide users with false instructions.
In addition to determining that the application does not encrypt some data transmissions, the team found that the application does not validate some SSL certificates. In these cases, the app cannot “validate who is sending confidential and encrypted data”. Although they were only able to create an account on the iOS app, the researchers believe the vulnerabilities also exist in the Android version of MY2022.
Citizen Lab said it informed the Games organizing committee of the issues on December 3 and gave it 15 days to respond and 45 days to correct the issues before the findings would be published. As of Tuesday, the researchers had not received a response.
An updated version of the iOS app, released on Sunday, did not resolve the issues. According to the researchers, the developers added a feature called “Health Code Green” that asks for more travel details and medical history, and this data is also exposed by the same SSL certificate validation flaw.
According to the researchers, the flaws could mean the app violates Apple’s App Store rules and Google’s Unwanted Software Policy. Also, MY2022 may be violating China’s privacy laws and standards.
Additionally, Citizen Lab noted that the app includes an option to report “politically sensitive” content. It also has a list of 2,442 censorship keywords, which it says are currently inactive, but includes terms related to topics like Xinjiang, Tibet, Chinese government agencies, and other socially sensitive subjects.