The 2022 Winter Olympics in Beijing, China, do not begin for a couple more weeks, and the event is already clouded in controversy.
More than 180 human rights organizations have called for a boycott of the Olympics because of the Chinese government's human rights violations against the Uyghur people within its borders.
Multiple countries, including the United States, Canada, and the United Kingdom, are diplomatically boycotting the games, meaning athletes from these countries will compete but government officials will not attend.
Now the mobile app required for all attendees of the games, MY2022, has been found to have a "simple but devastating flaw" in the encryption that is supposed to protect users' personal information, according to a report from Citizen Lab at the University of Toronto.
What information does the MY2022 app collect?
The MY2022 app must be used by everyone attending the upcoming Olympic games, including athletes, members of the media, and spectators.
The app is part of the "closed loop" system the Chinese government is implementing for the games: attendees use it to submit their daily health status, and COVID-19 testing is part of the daily protocol.
Citizen Lab describes the other information the app collects:
"For domestic users, MY2022 collects personal information including name, national identification number, phone number, email address, profile picture, and employment information and shares it with the Beijing Organizing Committee for the 2022 Olympics.
For international users, the app collects a different set of personal identifiable information including users' demographic information and passport information (i.e., issue and expiration dates) as well as the organization to which they belong."
Vulnerabilities in the Olympics app
Citizen Lab reports that it discovered two glaring vulnerabilities in the MY2022 app: it fails to validate SSL certificates, so an attacker on the network path can impersonate the app's servers, and it transmits some sensitive data with no encryption at all.
The report includes an infographic illustrating what SSL certificate validation protects against; it is not reproduced here.
What does this mean for the app? Citizen Lab explains:
"Our analysis found that MY2022 fails to validate SSL certificates, allowing an attacker to spoof trusted servers by interfering with the communication between the app and these servers. This failure to validate means the app can be deceived into connecting to a malicious host while believing it is a trusted host, allowing information that the app transmits to servers to be intercepted and allowing the app to display spoofed content that appears to originate from trusted servers."
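The behaviour Citizen Lab describes, in concrete terms: a TLS client that skips certificate validation will complete a handshake with whoever answers, while a client that validates the chain and the hostname refuses. The following is an added example written for this article, not code from the MY2022 app or from the Citizen Lab report. It shows the two client configurations side by side in Python's standard `ssl` module, a small audit of the settings that matter, and a `probe()` helper that needs network access and is not exercised by the checks at the bottom. `example.invalid` is a placeholder, not a MY2022 server.

```python
import socket
import ssl

# Added example; this is not code from the MY2022 app or from Citizen Lab's
# report. It contrasts a TLS client configuration that skips certificate
# validation (the class of flaw the report describes) with one that validates
# the chain and the hostname, and includes a small audit of the settings.

PLACEHOLDER_HOST = "example.invalid"   # assumed placeholder, not a MY2022 server
PLACEHOLDER_PORT = 443


def insecure_context() -> ssl.SSLContext:
    """Client context that accepts any certificate for any name.

    This is the configuration that lets an attacker on the path present a
    self-signed or otherwise untrusted certificate and be accepted as the
    real server. Shown for comparison only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # the chain is never checked
    return ctx


def secure_context() -> ssl.SSLContext:
    """Client context with the OS trust store, CERT_REQUIRED and hostname
    checking, as create_default_context() sets them, pinned to TLS 1.2+."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings for settings that would let a spoofed server be
    accepted; an empty list means the context validates properly."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the server's "
                        "certificate chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a certificate valid for "
                        "any other name would be accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS below 1.2")
    return findings


def probe(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 5.0) -> bool:
    """Connect with the given context and report whether the peer certificate
    was validated. With secure_context() an untrusted certificate raises
    ssl.SSLCertVerificationError; with insecure_context() the handshake
    succeeds and getpeercert() returns an empty dict because nothing was
    checked. Needs network access, so it is not called by the checks below."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return bool(tls.getpeercert())


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("secure", secure_context())):
        issues = audit_context(ctx)
        print(f"{name}: {'OK' if not issues else issues}")
```

To reproduce the report's finding against a real client, point the client at an interception proxy presenting an untrusted certificate: a properly validating client fails the handshake, while one configured like `insecure_context()` connects and sends its data to the proxy. On Android the equivalent flaw is usually a custom `TrustManager` or `HostnameVerifier` that accepts everything.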
But that's not all. Regarding the second vulnerability:
"However, we also found that some sensitive data is transmitted without any SSL encryption or any security at all. We found that MY2022 transmits non-encrypted data to 'tmail.beijing2022.cn' on port 8099.
These transmissions contain sensitive metadata relating to messages, including the names of messages' senders and receivers and their user account identifiers. Such data can be read by any passive eavesdropper, such as someone in range of an unsecured WiFi access point, someone operating a WiFi hotspot, or an Internet Service Provider or other telecommunications company."
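Checking the second finding from a packet capture is simpler than the first, because a flow that is not TLS announces itself in its first bytes. The following is an added example, not from the Citizen Lab report or the MY2022 app: it classifies each captured client flow as a TLS ClientHello or as readable plaintext and, for plaintext JSON, lists the fields a passive observer could read. The sample flows are constructed inline, and the JSON field names (`senderName`, `receiverName`, `senderId`, `receiverId`) are assumptions for illustration; the report does not publish the app's wire format. The host and port are the ones named in the report.

```python
import json

# Added example; not from the Citizen Lab report or the MY2022 app. It shows
# how to check, from a packet capture, whether a flow to an app server is
# protected by TLS or readable in the clear, using constructed sample flows.
# The JSON field names below are assumptions for illustration; the report
# does not publish the wire format.

CHAT_HOST = "tmail.beijing2022.cn"   # host named in the report
CHAT_PORT = 8099                     # port named in the report

# Keys that, if readable, expose who is talking to whom.
SENSITIVE_KEYS = {"senderName", "receiverName", "senderId", "receiverId"}


def is_tls_client_hello(payload: bytes) -> bool:
    """True if the first bytes look like a TLS handshake record carrying a
    ClientHello: content type 0x16, record version 0x03 0x00..0x04, a 2-byte
    length, then handshake type 0x01."""
    return (len(payload) >= 6
            and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x04
            and payload[5] == 0x01)


def exposed_fields(payload: bytes) -> dict:
    """If the payload is readable UTF-8 JSON, return the sensitive fields
    a passive observer could read from it."""
    try:
        obj = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return {}
    if not isinstance(obj, dict):
        return {}
    return {k: v for k, v in obj.items() if k in SENSITIVE_KEYS}


def classify(flows):
    """flows: iterable of (dst_host, dst_port, first_client_payload).
    Returns one finding per flow that is not TLS, with any sensitive
    fields that were readable."""
    findings = []
    for host, port, payload in flows:
        if is_tls_client_hello(payload):
            continue
        findings.append({
            "host": host,
            "port": port,
            "exposed": exposed_fields(payload),
        })
    return findings


# Constructed sample flows standing in for a capture from the client device.
SAMPLE_FLOWS = [
    # TLS ClientHello to an API host: record header + handshake type 0x01.
    ("api.example.invalid", 443,
     b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    # Plaintext JSON message metadata to the chat host on port 8099.
    (CHAT_HOST, CHAT_PORT,
     json.dumps({"senderName": "A. Example", "receiverName": "B. Example",
                 "senderId": "u1001", "receiverId": "u1002",
                 "body": "see you at the venue"}).encode("utf-8")),
]


if __name__ == "__main__":
    for f in classify(SAMPLE_FLOWS):
        print(f"plaintext to {f['host']}:{f['port']} exposes {f['exposed']}")
```

In practice the payloads come from a capture taken on the device's network path, for example `tcpdump -i any -w capture.pcap tcp port 8099`, and anyone in that position (a hotspot operator, a shared Wi-Fi network, an ISP) can read the same bytes the classifier does.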
After discovering these vulnerabilities, Citizen Lab followed responsible disclosure, reporting its findings to the Beijing Organizing Committee for the 2022 Olympic Games with a 15-day deadline to respond and a 45-day deadline to fix the reported issues. As of the report's publication date, January 18, Citizen Lab had not received a response.
Olympics app may violate privacy laws
Researchers believe that these vulnerabilities may violate Apple's App Store Review Guidelines, which require "appropriate security measures to ensure proper handling of user information collected." Apps that violate these guidelines are subject to removal from the App Store.
Similarly, researchers think the app also violates Google's Play Store privacy policies, as findings have shown how "MY2022 fails to properly encrypt sensitive information including passport details, demographic information, and travel and medical histories."
The concerns do not stop with app store rules.
The MY2022 app may even be in violation of China's own privacy laws. China has prioritized national security over individual protection when it comes to privacy, but it still has measures that protect individuals and companies.
China's national standard on personal information security (the Personal Information Security Specification) says personal information should be transmitted and stored in encrypted form, which is not the case for the MY2022 app.
Researchers say that "MY2022's insecure transmission of personal information may constitute a direct violation of China's privacy laws."
Citizen Lab concludes its report by noting that while these findings are concerning for those in attendance of the 2022 Winter Olympics, they are not in the least bit surprising considering China's track record when it comes to privacy.
For more detailed information on the MY2022 app and its privacy concerns, see the report from Citizen Lab, Cross-country Exposure: Analysis of the MY2022 Olympics App.