The Fort Worth Press - Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst

USD -
AED 3.673015
AFN 64.000095
ALL 82.213633
AMD 367.28977
ANG 1.790403
AOA 917.503281
ARS 1487.545301
AUD 1.442356
AWG 1.8
AZN 1.702255
BAM 1.714216
BBD 2.014068
BDT 123.245347
BGN 1.69088
BHD 0.377025
BIF 2981
BMD 1
BND 1.293645
BOB 6.923833
BRL 5.161098
BSD 1.00011
BTN 95.501039
BWP 13.579273
BYN 2.873533
BYR 19600
BZD 2.011079
CAD 1.417105
CDF 2262.000181
CHF 0.808115
CLF 0.023741
CLP 934.369645
CNY 6.80325
CNH 6.805945
COP 3341.41
CRC 454.896049
CUC 1
CUP 26.5
CVE 96.931123
CZK 21.233701
DJF 177.720506
DKK 6.543645
DOP 58.894926
DZD 133.178994
EGP 49.620991
ERN 15
ETB 161.395791
EUR 0.87525
FJD 2.2377
FKP 0.747893
GBP 0.746195
GEL 2.644955
GGP 0.747893
GHS 11.424969
GIP 0.747893
GMD 73.506089
GNF 8770.461269
GTQ 7.629975
GYD 209.171465
HKD 7.839299
HNL 26.767174
HRK 6.595397
HTG 130.872086
HUF 314.598936
IDR 18076
ILS 3.04275
IMP 0.747893
INR 95.57295
IQD 1310.047113
IRR 1374999.999544
ISK 125.360234
JEP 0.747893
JMD 158.397097
JOD 0.70899
JPY 162.522498
KES 129.259905
KGS 87.449828
KHR 4027.416231
KMF 430.999987
KPW 900.00035
KRW 1506.415001
KWD 0.30996
KYD 0.833268
KZT 469.152358
LAK 22526.360075
LBP 89544.669699
LKR 335.119974
LRD 181.492291
LSL 16.393971
LTL 2.95274
LVL 0.60489
LYD 6.416015
MAD 9.361223
MDL 17.58916
MGA 4243.906287
MKD 53.962834
MMK 2099.538185
MNT 3585.774335
MOP 8.074027
MRU 39.895694
MUR 47.180274
MVR 15.460042
MWK 1733.93635
MXN 17.565125
MYR 4.0772
MZN 63.910288
NAD 16.394259
NGN 1376.510461
NIO 36.795674
NOK 9.77646
NPR 152.801662
NZD 1.753199
OMR 0.384507
PAB 0.999974
PEN 3.406711
PGK 4.396413
PHP 61.590947
PKR 277.971995
PLN 3.77045
PYG 6077.791169
QAR 3.635631
RON 4.582206
RSD 102.714485
RUB 76.800042
RWF 1470.379427
SAR 3.793621
SBD 8.097299
SCR 13.807021
SDG 600.498678
SEK 9.696835
SGD 1.293615
SHP 0.746601
SLE 24.374967
SLL 20969.503664
SOS 571.463631
SRD 37.605497
STD 20697.981008
STN 21.474745
SVC 8.750301
SYP 110.532098
SZL 16.402179
THB 33.445498
TJS 9.259464
TMT 3.51
TND 2.95659
TOP 2.40776
TRY 46.854901
TTD 6.791828
TWD 32.076801
TZS 2628.464983
UAH 44.491862
UGX 3694.532705
UYU 40.267339
UZS 12012.709543
VES 674.08685
VND 26295
VUV 119.800928
WST 2.768482
XAF 574.931854
XAG 0.017163
XAU 0.000246
XCD 2.70255
XCG 1.802126
XDR 0.715112
XOF 574.931854
XPF 104.531968
YER 237.05022
ZAR 16.38265
ZMK 9001.199005
ZMW 18.173771
ZWL 321.999592
  • RBGPF

    -6.6500

    61.5

    -10.81%

  • CMSC

    0.0300

    22.01

    +0.14%

  • GSK

    -0.8000

    52.52

    -1.52%

  • NGG

    0.4200

    83.53

    +0.5%

  • BCE

    0.0500

    21.45

    +0.23%

  • BCC

    -2.1100

    71.29

    -2.96%

  • BTI

    -0.4100

    61.39

    -0.67%

  • RELX

    -0.7600

    32.05

    -2.37%

  • RIO

    -2.4500

    88.8

    -2.76%

  • CMSD

    0.1600

    22.35

    +0.72%

  • RYCEF

    -0.4200

    19.01

    -2.21%

  • AZN

    -3.8400

    189.28

    -2.03%

  • BP

    0.6000

    39.21

    +1.53%

  • JRI

    -0.1000

    13

    -0.77%

  • VOD

    0.0400

    13.09

    +0.31%

Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst
Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst

Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst

An app all attendees of the upcoming Beijing Olympics must use has encryption flaws that could allow personal information to leak, a cyber security watchdog said Tuesday.

Text size:

The "simple but devastating flaw" in the encryption of the MY2022 app, which is used to monitor Covid and is mandatory for athletes, journalists and other attendees of the games in China's capital, could allow health information, voice messages and other data to leak, warned Jeffrey Knockel, author of the report for Citizen Lab.

The International Olympic Committee responded to the report by saying users can disable the app's access to parts of their phones and that assessments from two unnamed cyber security organizations "confirmed that there are no critical vulnerabilities."

"The user is in control over what the... app can access on their device," the committee told AFP, adding that installing it on cellphones isn't required "as accredited personnel can log on to the health monitoring system on the web page instead."

The committee said it had asked Citizen Lab for its report "to understand their concerns better."

Citizen Lab said it notified the Chinese organizing committee for the Games of the issues in early December and gave them 15 days to respond and 45 days to fix the problem, but received no reply.

"China has a history of undermining encryption technology to perform political censorship and surveillance," Knockel wrote.

"As such, it is reasonable to ask whether the encryption in this app was intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence," he continued, adding that "the case for the Chinese government sabotaging MY2022's encryption is problematic."

The flaws affect SSL certificates, which allow online entities to communicate securely.

MY2022 doesn't authenticate SSL certificates, meaning other parties could access the app's data, while data is transmitted without the usual encryption SSL certificates have, Knockel wrote.

While the app is transparent about the medical information it collects as part of China's efforts to screen Covid-19 cases, he said "it is unclear with whom or which organization(s) it shares this information."

MY2022 also contains a list called "illegalwords.txt" of "politically sensitive" phrases in China, many of which relate to China's political situation or its Tibetan and Uighur Muslim minorities.

These include keywords like "CCP evil" and Xi Jinping, China's president, though Knockel said it was unclear if the list was being actively used for censorship purposes.

Because of these features, the app may violate both Google and Apple policies around smartphone software, and "also China's own laws and national standards pertaining to privacy protection, providing potential avenues for future redress," he wrote.

W.Matthews--TFWP