IOC defends the mandatory Chinese Olympics app after it was slammed for security concerns

Citizen Lab reported that the MY2022 app for the upcoming 2022 Winter Olympics—which is available to download on the App Store or Google Play—has security flaws that could leave its users at risk. However, the International Olympic Committee (IOC) has defended the app, saying that “special measures” needed to be put in place to “protect the participants of the Olympic and Paralympic Winter Games Beijing 2022 and the Chinese people.”

On 18 January, Citizen Lab released that there is a “simple but devastating flaw” where encryption protecting users’ voice audio and file transfers can be “trivially sidestepped”. The report caused outrage, as thousands of people at the Games will have no choice but to download the app if they want to represent their country. This includes not only competing athletes, but audience members, and members of the press.

“Health customs forms which transmit passport details, demographic information, and medical and travel history are also vulnerable. Server responses can also be spoofed, allowing an attacker to display fake instructions to users,” added Citizen Lab.

Their analysis additionally found that the MY2022 app fails to validate SSL certificates—which uses encryption and digital signature technology to provide both privacy and integrity to data in transit. The failure to validate means that the app can be deceived into connecting to a malicious host, allowing information transmitted to servers to be intercepted. It also allows the app to display spoofed content that appears to originate from trusted servers. 

Source: Citizen Lab

Although some connections were not vulnerable, Citizen Lab found that SSL connections to at least the following servers were. They include:

  • my2022.beijing2022.cn
  • tmail.beijing2022.cn
  • dongaoserver.beijing2022.cn
  • app.bcia.com.cn
  • health.customsapp.com

They even found that some sensitive data is transmitted without any SSL encryption or any security at all. The data can also be read by any passive eavesdropper—like someone in the range of an unsecured WiFi access point, as well as someone operating a WiFi hotspot, an Internet Service Provider or any other telecommunications company.

However, an IOC spokesperson justified the app’s security issues by saying that due to the COVID-19 pandemic, “special measures” needed to be put in place. They also defended the app by saying it received approval from the Google Play store and the App Store.

“… A closed-loop management system has been implemented… The ‘My2022’ app supports the function for health monitoring. It is designed to keep Games-related personnel safe within the closed-loop environment,” said the IOC.

IOC also mentioned that it is “not compulsory” to install the app on cell phones specifically. Users can instead “log on to the health monitoring system on the web page instead”.

“The IOC has a responsibility to ensure user privacy and security is protected for any applications and systems used during the Olympic Games. The IOC’s comments suggest that rather than taking that responsibility seriously, they are in fact hoping to minimize the risks,” said Ron Deibert, director of Citizen Lab.

As of 17 January 2022, the developers released version 2.0.5 of the iOS version of MY2022 to the App Store. However, Citizen Lab found that the issues they reported “had not been resolved”. 

[ SOURCE, IMAGE SOURCE ]

Recent Posts

ChargEV deploy 6 EV Charge Points at Aeon Mall Taiping

If you're heading to Taiping, there are now more EV chargers in town. ChargEV has…

7 hours ago

JomCharge and DBKL turn on EV Chargers at Laman Rimbunan Kepong

JomCharge and DBKL continue to turn on more street-level EV chargers in Kepong and the…

8 hours ago

Microsoft Surface Laptop and Surface Pro with Snapdragon X2 available in Malaysia on 23 July, priced from RM6,999

Microsoft has announced that its latest Surface Laptop 8 and Surface Pro 12 laptops powered…

13 hours ago

Xiaomi SkyNomad: Here’s your first official look at Xiaomi Auto’s new SUV series

Xiaomi Auto has officially revealed a new product line called Xiaomi SkyNomad. Also known as…

18 hours ago

Malaysia now targets to have 30,000 EV charge points by 2030 – half of Singapore’s 2030 target

The government now aims to have 30,000 EV charge points (EVCPs) by 2030, according to…

1 day ago

Oppo Reno16 Series launched in Malaysia: Up to 200MP cameras and 7,000mAh battery from RM1,999

Oppo Malaysia has officially launched the Reno16 Series. This year's lineup consists of three models:…

2 days ago

This website uses cookies.