Citizen Lab reported that the MY2022 app for the upcoming 2022 Winter Olympics—which is available to download on the App Store or Google Play—has security flaws that could leave its users at risk. However, the International Olympic Committee (IOC) has defended the app, saying that “special measures” needed to be put in place to “protect the participants of the Olympic and Paralympic Winter Games Beijing 2022 and the Chinese people.”
On 18 January, Citizen Lab released that there is a “simple but devastating flaw” where encryption protecting users’ voice audio and file transfers can be “trivially sidestepped”. The report caused outrage, as thousands of people at the Games will have no choice but to download the app if they want to represent their country. This includes not only competing athletes, but audience members, and members of the press.
“Health customs forms which transmit passport details, demographic information, and medical and travel history are also vulnerable. Server responses can also be spoofed, allowing an attacker to display fake instructions to users,” added Citizen Lab.
Their analysis additionally found that the MY2022 app fails to validate SSL certificates—which uses encryption and digital signature technology to provide both privacy and integrity to data in transit. The failure to validate means that the app can be deceived into connecting to a malicious host, allowing information transmitted to servers to be intercepted. It also allows the app to display spoofed content that appears to originate from trusted servers.
Although some connections were not vulnerable, Citizen Lab found that SSL connections to at least the following servers were. They include:
They even found that some sensitive data is transmitted without any SSL encryption or any security at all. The data can also be read by any passive eavesdropper—like someone in the range of an unsecured WiFi access point, as well as someone operating a WiFi hotspot, an Internet Service Provider or any other telecommunications company.
However, an IOC spokesperson justified the app’s security issues by saying that due to the COVID-19 pandemic, “special measures” needed to be put in place. They also defended the app by saying it received approval from the Google Play store and the App Store.
“… A closed-loop management system has been implemented… The ‘My2022’ app supports the function for health monitoring. It is designed to keep Games-related personnel safe within the closed-loop environment,” said the IOC.
IOC also mentioned that it is “not compulsory” to install the app on cell phones specifically. Users can instead “log on to the health monitoring system on the web page instead”.
“The IOC has a responsibility to ensure user privacy and security is protected for any applications and systems used during the Olympic Games. The IOC’s comments suggest that rather than taking that responsibility seriously, they are in fact hoping to minimize the risks,” said Ron Deibert, director of Citizen Lab.
As of 17 January 2022, the developers released version 2.0.5 of the iOS version of MY2022 to the App Store. However, Citizen Lab found that the issues they reported “had not been resolved”.