Exclusive: How the Beijing 2022 app leaves Olympians at risk
January 18, 2022
Athletes headed to the Beijing Olympic Winter Games are making final travel preparations, including keeping in line with China's health measures on the My 2022 smartphone app.
Inadequate encryption measures within the app can leave Olympians, journalists and sports officials vulnerable to hackers, privacy breaches and surveillance, according to a cybersecurity report by Citizen Lab obtained exclusively by DW.
Additionally, the IT forensic specialists found that the app includes a censorship keyword list.
The findings come as international concern over digital safety at the games mounts. Germany, Australia, the UK and the US have urged their athletes and National Olympic Committees to leave their personal phones and laptops behind and to travel with special devices over fears of digital espionage.
The Dutch Olympic Committee outright banned its athletes from bringing personal phones and laptops because of surveillance concerns.
My 2022 app for contact tracing and much more
The Winter Games, which kick off on February 4, mark the second Olympic Games during the coronavirus pandemic. Just as at the Tokyo Summer Games, tracking athletes' health is required.
According to the official Playbook of the International Olympic Committee (IOC), athletes, coaches, reporters and sports officials, as well as thousands of local staff, are required to put their information into either the My 2022 smartphone app or website. The app, which was developed in China, is designed to monitor the health of all attendees and staff as well as trace possible COVID-19 infections.
Passport data and flight information must be entered into the app. Sensitive medical information related to possible COVID-19 symptoms is also required, such as whether a person has had a fever, fatigue, headaches, a dry cough, diarrhea or a sore throat. Those coming from abroad must start entering health data 14 days before arriving in the country.
Many countries use contact tracing apps to help slow the spread. But My 2022 combines contact tracing with other services: It regulates access to events, acts as a visitor's guide with information on sporting venues and tourist services, as well as providing chat functions (text and audio), news feeds and file transfers.
The description in the Apple app store says My 2022 "provides customized service for different user groups to enjoy an all-round Games experience with one App."
Insecure data transmission
Citizen Lab, which conducts research on digital security at the University of Toronto's Munk School of Global Affairs and was involved in exposing Pegasus spyware, examined the app and found that it is vulnerable to electronic theft.
The app does not validate the SSL certificates presented by the servers it connects to — the check that is supposed to ensure data traffic is only exchanged between trustworthy devices and servers — meaning that the app has a serious encryption vulnerability. As a result, the app could be deceived into connecting with a malicious host, allowing information to be intercepted or even malicious data to be sent back to the app.
Citizen Lab researcher Jeffrey Knockel says he found the vulnerability not only regarding health data, but also with other important services in the app. This includes the app service that processes all file attachments as well as transmitted voice audio.
The expert says he also discovered that for some services, data traffic in the app is not encrypted at all. This means that the metadata of the app's own chat service can easily be read by hackers.
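To make the certificate-validation finding concrete, the following is an added illustration (not code from My 2022 or from Citizen Lab's report) in Python's standard `ssl` module: a client context configured the way the article describes (any certificate accepted), a hardened context beside it, and a small audit function a defender can run in a test suite to flag such settings. The `ca_bundle` parameter and the finding labels are assumptions for this example.

```python
import ssl
from typing import List, Optional

# Finding labels a config review would emit; constructed for this example.
NO_CERT_VERIFY = "certificate chain not verified (verify_mode=CERT_NONE)"
NO_HOSTNAME_CHECK = "hostname not matched against certificate (check_hostname=False)"
WEAK_TLS_MIN = "TLS versions below 1.2 accepted"


def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern the article describes: a client that accepts any
    server certificate, so any host on the network path can impersonate
    the real server and read or alter the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # "trust everything"
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Verify the chain against trusted CAs, match the hostname and refuse
    legacy TLS. ca_bundle (assumed) is an optional path to a private CA
    bundle; None means the platform's default trust store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses a defender would flag in a client TLS config.
    An empty list means the context verifies peers the way it should."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append(NO_CERT_VERIFY)
    if not ctx.check_hostname:
        findings.append(NO_HOSTNAME_CHECK)
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(WEAK_TLS_MIN)
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or "no findings")
```

Wrapping every outbound socket with `hardened_client_context()` is what makes a man-in-the-middle host fail the handshake instead of silently receiving the health and passport data.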
"Our findings expose how My2022's security measures are wholly insufficient to prevent sensitive data from being disclosed to unauthorized third parties," Knockel states in the report.
The International Olympic Committee, in a written statement to DW following the report's release, said two independent cybersecurity firms had tested the app and found there were "no critical vulnerabilities." The committee added it has requested Citizen Lab's report to "understand their concerns better."
Censorship? Banned terms pose questions
Citizen Lab researchers also found a text file in the app called "illegalwords.txt." It contains 2,442 keywords and phrases, mainly written in simplified Chinese (which is used in the People's Republic of China), with a small portion of the words in Uyghur, Tibetan, traditional Chinese (used in Hong Kong and Taiwan) and English.
Among the many keywords are some profanities, but also expressions that reference politically taboo topics in China, which are censored by the state, including criticism of the Chinese Communist Party and its leaders, as well as keywords related to Falun Gong, the Tiananmen protests, the Dalai Lama and the Uyghur Muslim minority in China's Xinjiang region. One example on the list, which Citizen Lab reviewed, is the term "Holy Quran" in the Uyghur language.
Citizen Lab, which has significant expertise in app-security analysis, says there was no indication in the current version of the app that this keyword list is being actively used for censorship. It was not immediately clear why the keyword list is present in the app. But researcher Knockel says, "Even though 'illegalwords.txt' isn't being used currently, My2022 already contains code functions which are capable of reading this file and applying it toward censorship, so activating the list's censorship would require little effort."
The app also contains a reporting function that allows users to report other users if they consider a chat message to be dangerous or dubious. Among the possible reasons for reporting is the option "politically sensitive content," a phrase that is typically used in China to describe censored topics.
No response from Beijing Organizing Committee: Citizen Lab
The watchdog says that it confidentially disclosed the findings to the Beijing Organizing Committee for the 2022 Olympics in early December. In doing so, as is customary when reporting security vulnerabilities, Citizen Lab asked the Beijing Olympic organizers to fix the issues within 45 days before the cybersecurity institute would publicly disclose its findings.
"The Organizing Committee has not responded to our disclosure," Knockel told DW.
In the meantime, updates to the app have been published in the Apple and Google app stores. An audit by Citizen Lab's cybersecurity experts on January 17 found that no changes were made to address the concerns raised over security vulnerabilities and the list of "illegal words."
'Violation' of laws and policies?
In the Olympic Playbook for athletes and team officials, the International Olympic Committee states that the My 2022 app is "in accordance with international standards and Chinese law."
But based on its findings, Citizen Lab concludes that the insecure transmission of personal information "may constitute a direct violation of China's privacy laws." This is because China's data protection laws require that a person's health and medical records held digitally be transmitted and stored in an encrypted manner.
Citizen Lab's findings also raise questions concerning two Western tech giants that carry the My 2022 app: Apple and Google.
"Both Apple's and Google's policies forbid apps to transmit sensitive data without proper encryption, so Apple and Google will need to determine whether the app's unresolved vulnerabilities warrant delisting," Citizen Lab's Knockel told DW.
DW has reached out to Google and Apple for comment.
The Beijing Organizing Committee has stood by its app, however, saying it "passed the examination" of international mobile application markets such as Google, Apple and Samsung. "We have taken measures such as personal information encryption in the app to ensure privacy security," the committee said Monday to Xinhua News Agency.
Editor's note: Following the report's release, DW has sent a request for comment to Apple and Google. This article was also updated to reflect the International Olympic Committee's response after publication.
Edited by: Kristin Zeier