A report found the app that will be used to monitor athletes’ health and travel data has a ‘devastating’ encryption flaw
With the Beijing Olympics just weeks away, concerns are mounting over a mandatory health app for competing athletes, after a new report revealed the app contains security flaws and a list of “politically sensitive” words that have been marked for censorship.
The report, published by University of Toronto’s research and strategic policy unit Citizen Lab, found that the My2022 app, which will be used to monitor athletes’ health and travel data, has a “devastating” encryption flaw that leaves users’ files and media vulnerable.
The problem, researchers say, is twofold: first, the app does not always verify that the servers where encrypted data is being sent are the intended servers, which could enable malicious actors to spoof or mimic that server’s identity to access those files. That could allow the attacker to, for instance, “read a victim’s sensitive demographic, passport, travel, and medical information sent in a customs health declaration or to send malicious instructions to a victim after completing a form”, the report said. Second, the app is not encrypting some sensitive data at all. Effectively, that means some sensitive data within the app, “including the names of messages’ senders and receivers and their user account identifiers”, is being transmitted without any security.
“Such data can be read by any passive eavesdropper, such as someone in range of an unsecured wifi access point, someone operating a wifi hotspot, or an internet service provider or other telecommunications company,” the report reads.
The Beijing Olympics are already taking place under a cloud of controversy. The US announced in December that it would stage a diplomatic boycott of the games over human rights concerns, as China continues to deny its years-long campaign against Uyghur minorities. US lawmakers have also proposed new legislation that would strip the International Olympics Committee’s (IOC) tax-exempt status over its refusal to challenge China on its human rights violations.
The encryption flaws in the app have raised further concerns, but how worried should visiting countries and athletes be? Though experts say general concerns about surveillance during the Olympics and the app are warranted, the reality is the app’s security flaws are probably more a reflection of poor design rather than sinister intent to surveil. In other words, athletes and others visiting the country during the Olympics should be as careful as they normally would when visiting China.
“The main thing that Citizen Lab has told us is that there is a substance behind our fears and concerns, but it’s also true that we have a tendency to demonize China,” said Jon Callas, the director of technology projects at the Electronic Frontier Foundation, a non-profit digital right group.
Callas and other experts say the Chinese government should certainly fix the security flaw, but that the flaw doesn’t necessarily open the athletes up to a higher risk of being surveilled by the government. And it’s not likely the encryption is faulty by design, said Kenton Thibaut, the resident China fellow of the Atlantic Council’s Digital Forensic Research Lab. It’s unlikely anyone intentionally sabotaged the encryption of the app in order to more easily access user information, she pointed out, because all the information is going to the government anyway.
“If you’re using Chinese apps, even if you’re not in China, they’ll still have access to the information that you submit because the data is ending up in a place where the government has control over and access to,” Thibaut said. “The app itself is made by a government entity, there would be no reason to do that.”
That said, the Olympics are a hugely important event for Beijing, Thibaut said, and it’s fair to expect a certain degree of monitoring, “especially for athletes who have perhaps indicated displeasure about not being able to speak out or displeasure about the IOC’s stance on China”.
Citizen Lab reported that there was a list of 2,422 political keywords described in the app’s codebase as “illegalwords.txt”. Though the function to censor these words did not appear to be active, the report said the keywords varied from references to pornography, mentions of the Tiananmen movement to some words in Uyghur including “the Holy Quran”, “injections”, and “forced demolitions”.
This is not unexpected, Callas said. “China does an awful lot of blocking of chat from absolutely everything and they throw their weight around in ways that are objectionable, with stuff like how much you can even mention that Taiwan exists,” he said. “They’re not going to allow free and unrestricted speech because they’re not that country.”
“When we agreed to let the Olympics happen in Beijing, we agreed implicitly that these are some of the things that were going to happen,” he continued.
However, there are regular precautions that those traveling to China, during the Olympics or otherwise, should take, Callus said. National Olympic Committees around the world have advised their teams to leave their personal devices behind and take burner phones instead.
“It should be assumed that every text, email, online visit, and application access can be monitored or compromised,” the United States Olympic and Paralympic Committee said in an advisory.
Callus said this should always be the case when traveling to China because all your personal information – from your contact list to your pictures – can be compromised.
“One reason for making sure you use a burner phone is your address book slash contacts list has sensitive information in it – in the sense that anybody who has your address book has, to some level of accuracy, your social graph and who you’re connected to,” he said. “What we learned from, for example, those Snowden drops nearly 10 years ago now, is that governments are far more interested to know who you are connected to and who you regularly talk to than what it is that you say.”
For athletes looking to communicate with their family or friends outside the country – particularly given families are not permitted to attend the Olympics due to Covid
– Callus said they should use a “reasonably secure” encrypted messaging app, including iMessage, Signal or WhatsApp.
“If the Chinese [government] has not shut it down, it’s probably OK,” he said. “That’s probably the best way to talk to people back home.”