Tuesday, January 18, 2022

Toronto lab finds security vulnerabilities, censorship framework in Olympic app


TORONTO — Researchers at a Toronto-based tech laboratory have uncovered security vulnerabilities and censorship frameworks in an app all 2022 Beijing Olympics attendees must use.

The Citizen Lab, a research institute at the University of Toronto's Munk School of Global Affairs and Public Policy that studies spyware, found a "simple but devastating" flaw in the MY2022 app that makes audio files, health and customs forms transmitting passport details, and medical and travel history vulnerable to hackers.

Researcher Jeffrey Knockel found MY2022 does not validate some SSL certificates, digital infrastructure that uses encryption to secure apps and ensures no unauthorized people can access information as it is transmitted.

This failure to validate means the app can be deceived into connecting with malicious hosts it mistakes as being trusted, allowing information the app transmits to servers to be intercepted and attackers to display fake instructions to users.

"The worst case scenario is that someone is intercepting all the traffic and recording all the passport details, all the medical details," said Knockel, a research associate, who investigated the app after a journalist curious about its security functions approached him.

Olympic organizers have required all games attendees, including athletes, spectators and media members, to download and start using the MY2022 app for submitting health and customs information like COVID-19 test results and vaccination status at least 14 days ahead of their arrival in China.

The app from a state-owned company called Beijing Financial Holdings Group also offers GPS navigation and text, video and audio chat functions and the ability to transfer files and provide news and weather updates.

Knockel found it's unclear with whom the app shares highly-sensitive medical information.

The Olympic playbook outlines that personal data such as biographical information and health-related data may be processed by Beijing 2022, International Olympic and Paralympic committees, Chinese authorities and “others involved in the implementation of the (COVID-19) countermeasures."

Knockel say MY2022 outlines several scenarios where it will disclose personal information without user consent, which include but are not limited to national security matters, public health incidents, and criminal investigations.

However, the app does not specify whether court orders will be required to gain access to this information and who will be eligible to receive data.

The final concern Knockel uncovered was that the app allows users to report “politically sensitive” content and found it has a censorship keyword list.

The list includes 2,442 political terms, including some linked to tensions in Xinjiang and Tibet, as well as references to Chinese government agencies. On the list are Chinese phrases translating to "Jews are pigs" and "Chinese are all dogs," Uyghur terms for "the Holy Quran" and Tibetan words referring to the Dalai Lama.

Knockel couldn't find evidence that the list was being used by the app.

"We don't know whether they intended for it to be inactive or whether they intended for it to be active, but either way, it's something that....can be enabled at the flick of a switch," said Knockel.

The Citizen Lab disclosed the concerns it found with MY2022 to organizing committees on Dec. 3, giving them 15 days to respond and 45 days to fix the issues, before it publicly disclosed the problems.

A new version of MY2022 for iOS users was released on Jan. 6, but Citizen Lab said no issues were resolved with the update. In fact, Citizen Lab said the update introduced a new "Green Health Code" feature that collects more medical data and is vulnerable to attacks because of its lack of SSL certificate validation.

Knockel recommends anyone headed to the Olympics only use the app when connected to networks they trust, like a virtual private network (VPN).

Olympic participants should also consider taking conversations and other actions that are not mandatory to complete in MY2022 to other apps with better security, he said.

"But it's tricky," he said. "Even if they are aware of the security vulnerabilities in the app, they might not have a choice."

This report by The Canadian Press was first published Jan. 18, 2022.

Tara Deschamps, The Canadian Press

No comments: