A new report by Citizen Lab discovered a flaw in a mandatory app’s encryption, as experts and officials call to use burner phones
An app developed specifically for the upcoming Beijing Winter Olympics, mandated for use by all attendees (athletes and others), has a “simple but devastating flaw” in its voice audio and file transfer encryption. This is according to a new report published yesterday (Tuesday) by Citizen Lab.
Built by the Beijing Organizing Committee, this app, called MY2022, is multi-purpose and implements a wide range of functionality such as chats, file transfers, news updates and more. It collects sensitive information such as passport details, demographic information, medical and travel history, as well as updated health information – all of which, according to the report, are also vulnerable.
Given the current political and humanitarian situation in China, the 2022 Winter Olympics, set to take place between February 4th and 20th, are highly controversial as it is. Hundreds of human rights groups have called for a boycott, and the governments of the US, Canada, the UK, Denmark and others have declared a diplomatic boycott, meaning they will send athletes to compete, but no government delegates.
The report notes that MY2022 also includes features that allow users to report “politically sensitive content” as well as a censorship keyword list relating to various topics, from Xinjiang and Tibet to Falun Gong and the Tiananmen Movement.
The censorship feature is currently inactive and the researchers hypothesize as to why that is, suggesting it might be a flaw, or perhaps something intentional “in a bid to hide the extent of China’s censorship regime from outsiders.”
Another question raised by the researchers is whether the vulnerabilities they discovered were intentionally placed for surveillance purposes, or whether they were “born of developer negligence”.
The study also notes that the app’s security deficits may be in violation of Google’s and Apple’s security policies, and mentions that the security issues at hand were disclosed to the Beijing Organizing Committee on December 3rd, 2021, but that no response has yet been received.
As of yet, the International Olympic Committee has not officially reacted to this report. In a statement to DW, it said that “The MY2022 application is an important tool in the tool box of the COVID-19 countermeasures,” and that it “supports the function for health monitoring.”
Cybersecurity company recommends using burner phones during Olympics
Purchasing burner phones to be used only during the stay in China, creating new email addresses and browser accounts to use on the phones, and not using these devices or accounts again after leaving the country – these are a few recommendations published by Australian cybersecurity company Internet 2.0, in order to “mitigate the risk of sensitive information and personal data being collected on personal phones” during the upcoming Winter Olympics.
These recommendations are part of a new report by the company, titled “Digital Surveillance in China”. The researchers discuss the national security legislation all companies operating in China are compelled to follow. “All athletes and visitors to China for the Olympics will be exposed to such laws and surveillance culture,” they write.
Several countries have already recommended that Olympic athletes and attendees leave their phones at home and use burner ones, citing surveillance concerns. The Dutch Olympic Committee said that it “anticipates Chinese surveillance” during the games, as reported by de Volkskrant. Last week, the Guardian reported that the British Olympic Association will offer temporary phones to Team GB athletes and staff.
“We’ve reminded all Team Canada members that the Olympic Games present a unique opportunity for cybercrime,” the Canadian Olympic Committee said in a statement, and recommended considering leaving personal devices at home and practicing “good cyber-hygiene at all times.”
Last week, USA Today reported that Team USA distributed a technology advisory, stating that rental or disposable computers and burner phones are encouraged for members of its delegation, citing threats of “malicious intrusion, infection and data compromise.”