2022 Winter Olympics: Security Vulnerabilities in the MY2022 App
All Olympics attendees are required to download the MY2022 app to track their health and other personal data, despite security concerns
This February should be a time of celebration in China. Competition at the Olympic Winter Games begins the day after the start of Lunar New Year, and the opening ceremony follows on February 4th. However, the Chinese government has put a damper on celebrations by continuing to pursue its “zero-Covid” strategy even as most other countries have eased restrictions and begun shifting from a “pandemic” to an “endemic” mentality.
People in Beijing and the surrounding regions have grown exasperated with the daily testing protocols and the harsh measures in place so that the Chinese Communist Party can save face over its earlier claims of having defeated the virus.
Among the many issues plaguing the 2022 Olympics, several countries have diplomatically boycotted the games over human rights abuses in China’s northwest Xinjiang Uyghur Autonomous Region and the erosion of freedoms in Hong Kong. The disappearance and subsequent reappearance of tennis champion and former Olympic athlete Peng Shuai further galvanized groups calling for a boycott.
Additionally, Olympic sponsors such as Visa, Procter & Gamble, and Coca-Cola, as well as Delta Air Lines, Bridgestone Corp, and several others, have had to navigate a minefield of criticism over their support of what some have dubbed the “Genocide Games,” a reprise of a slogan used during the 2008 Summer Olympic Games over China’s role in the Darfur genocide.
Despite these setbacks, Beijing organizers insist the games will be a success. “The world is turning its eyes to China,” President Xi Jinping said during an inspection tour last week. “And China is ready.”
In the lead up to the opening ceremonies, we’ll look at how China’s techno-authoritarianism (or, as some have argued, neo-totalitarianism) is on display at the 2022 Winter Olympics.
As at the 2020 Tokyo Summer Olympics (held in 2021), there will be no general spectators; only select dignitaries and officials can attend. Athletes, journalists, and trainers must remain within a closed-loop bubble of transportation to and from the hotels and competition venues. Additionally, everyone attending the Olympic Games must install the MY2022 app on their cell phones.
The MY2022 Olympics App’s Failure to Validate SSL Certificates
According to Citizen Lab, a cybersecurity research group at the University of Toronto, MY2022 has security flaws that would put the app in breach of China’s own data privacy laws as well as the data privacy requirements of the Google Play and Apple App stores. The app also carries a censorship keyword list, which is common for Chinese apps with a chat function, and a feature for reporting someone who has said something politically sensitive. The censorship list is inactive but could be turned on with “the flick of a switch,” according to Jeffrey Knockel, author of the Citizen Lab report.
Citizen Lab’s report entitled “Cross-Country Exposure” outlines the MY2022 app’s security problems. According to the report,
MY2022, an app mandated for use by all attendees of the 2022 Olympic Games in Beijing, has a simple but devastating flaw where encryption protecting users’ voice audio and file transfers can be trivially sidestepped. Health customs forms which transmit passport details, demographic information, and medical and travel history are also vulnerable. Server responses can also be spoofed, allowing an attacker to display fake instructions to users.
Jeffrey Knockel, “Cross-Country Exposure” at Citizen Lab
Among the app’s features is a health profile that functions much like China’s domestic health code apps. People traveling to China are encouraged to download the app fourteen days before arrival and upload their health visa information, passport information, and other personal data. The user’s health data is sent to the Beijing 2022 Organizing Committee.
But Citizen Lab found that the app does not validate the SSL certificates of several of the servers to which it sends encrypted data. It also found that the app does not encrypt the metadata of chat messages.
The first problem is that the app fails to validate the SSL certificate presented by the server receiving its data. SSL (today, TLS) provides two protections: it encrypts data in transit, over Wi-Fi or any other network, and it authenticates the server by checking that the certificate it presents was issued by a trusted authority for the expected hostname. Encryption without that validation step provides no protection against an active attacker: anyone positioned between the phone and the server can answer the connection with a certificate of their own, and the app will dutifully encrypt the user’s data to them.
Jeffrey Knockel, author of the Citizen Lab report, told the New York Times, “All the information you are transmitting can be intercepted, particularly if you are on an untrusted network like a coffee shop or hotel Wi-Fi service.”
An attacker can therefore impersonate the intended server, read or alter whatever the app sends, and answer with responses of their own. This leaves users exposed to identity theft and data manipulation, and to faulty or harmful instructions that appear to come from a trusted server. Among the servers whose certificates the app does not validate is “health.customsapp.com,” which receives the personal demographic, location, and medical information sent in a customs health declaration.
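To make the validation point concrete, here is an added example in Go. It is not code from the app, from Citizen Lab, or from the original article. It stands up two loopback HTTPS servers, a stand-in for the real backend that borrows the report’s hostname health.customsapp.com and an invented “free-hotel-wifi.example” impostor, each presenting a self-signed certificate it generated itself. The same request is then sent from a client that skips certificate validation (the behaviour Citizen Lab described) and from one that checks the chain against a trust anchor and the expected hostname. The JSON replies, server names other than the report’s, and the trust-anchor arrangement are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSignedServer starts a loopback HTTPS server presenting a certificate it
// minted for itself under name. The stand-in backend and the hostile hotspot are
// both built this way; setup errors panic because this is demo scaffolding.
func selfSignedServer(name, reply string) (*httptest.Server, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, reply)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	srv.StartTLS()
	return srv, cert
}

// newClient builds the app's HTTPS client. With verify=false it behaves the way
// Citizen Lab found MY2022 behaving: TLS still encrypts, but to whoever answered.
// With verify=true the certificate must chain to the trusted anchor and be issued
// for expectedHost; those two checks are what make TLS authenticate the server.
func newClient(verify bool, trusted *x509.Certificate, expectedHost string) *http.Client {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if verify {
		roots := x509.NewCertPool()
		roots.AddCert(trusted) // the trust anchor the app ships for its backend (demo assumption)
		cfg.RootCAs = roots
		cfg.ServerName = expectedHost // hostname check (and SNI), whatever IP was dialled
	} else {
		cfg.InsecureSkipVerify = true
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}, Timeout: 5 * time.Second}
}

// Outcome is what the app received from the real backend and from the impostor.
type Outcome struct {
	Legit, Spoofed       string
	LegitErr, SpoofedErr error
}

// Scenario sends the same request to both servers with a client that does or does
// not validate certificates. The backend borrows the report's hostname
// health.customsapp.com, the hotspot name is invented, and both listen on
// loopback, so nothing leaves the machine.
func Scenario(verify bool) Outcome {
	legit, legitCert := selfSignedServer("health.customsapp.com", `{"instruction":"declaration accepted"}`)
	defer legit.Close()
	spoof, _ := selfSignedServer("free-hotel-wifi.example", `{"instruction":"re-submit passport scan"}`)
	defer spoof.Close()
	c := newClient(verify, legitCert, "health.customsapp.com")
	fetch := func(url string) (string, error) { // the request the app would make
		resp, err := c.Get(url)
		if err != nil {
			return "", err
		}
		defer resp.Body.Close()
		body, err := io.ReadAll(resp.Body)
		return string(body), err
	}
	var o Outcome
	o.Legit, o.LegitErr = fetch(legit.URL)
	o.Spoofed, o.SpoofedErr = fetch(spoof.URL)
	return o
}
```

Run Scenario(false) and the impostor’s “re-submit passport scan” instruction comes back exactly as if the backend had sent it; run Scenario(true) and the backend still answers while the impostor’s connection fails at the handshake with an unknown-authority error before a single byte of the request leaves the client. In a real app the trust anchor would be the public CA set or a pinned certificate rather than the backend’s own self-signed certificate, but the two checks (chain and hostname) are the same.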
The MY2022 App’s Failure to Encrypt Direct Messages
The second security problem with the MY2022 app is that it fails to encrypt metadata from its messaging feature. That metadata is sent to the app’s messaging server with no SSL encryption at all. According to the report:
We found that MY2022 transmits non-encrypted data to “tmail.beijing2022.cn” on port 8099. These transmissions contain sensitive metadata relating to messages, including the names of messages’ senders and receivers and their user account identifiers. Such data can be read by any passive eavesdropper, such as someone in range of an unsecured wifi access point, someone operating a wifi hotspot, or an Internet Service Provider or other telecommunications company.
Jeffrey Knockel, “Cross-Country Exposure” at Citizen Lab
In other words, anyone on the same hotel Wi-Fi as you, or anyone operating a network your traffic passes through, can see who you messaged and when.
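As an added example, not taken from the report or the original article, the following Go code shows how an auditor (or an eavesdropper) tells encrypted flows from cleartext ones by content rather than by port number, and lists what is readable on the flows that are not TLS. The two sample flows are constructed: the TLS ClientHello prefix to the customs host and the plaintext record to tmail.beijing2022.cn are stand-ins, and the two-byte framing, field names, and account identifiers are invented rather than the app’s real message format.

```go
package main

import (
	"fmt"
	"strings"
)

// Flow is what an observer on the path sees at the start of one TCP connection:
// where it went and the first bytes the client sent.
type Flow struct {
	Host  string
	Port  int
	First []byte
}

// looksLikeTLS reports whether the bytes open with a TLS handshake record:
// content type 22 (handshake) followed by a 0x03xx record version, which is how
// every version from TLS 1.0 to 1.3 starts on the wire.
func looksLikeTLS(b []byte) bool {
	return len(b) >= 5 && b[0] == 0x16 && b[1] == 0x03 && b[2] <= 0x04
}

// printableRuns pulls the readable fragments out of a payload, the way an
// eavesdropper (or `strings` run over a capture) would scan it.
func printableRuns(b []byte, minLen int) []string {
	var runs []string
	var cur strings.Builder
	flush := func() {
		if cur.Len() >= minLen {
			runs = append(runs, cur.String())
		}
		cur.Reset()
	}
	for _, c := range b {
		if c >= 0x20 && c < 0x7f {
			cur.WriteByte(c)
		} else {
			flush()
		}
	}
	flush()
	return runs
}

// CleartextFindings maps "host:port" to the readable strings leaked on every
// flow that is not TLS. Classification is by content, not port number: 443 can
// carry plaintext and an odd port such as 8099 could just as well carry TLS.
func CleartextFindings(flows []Flow) map[string][]string {
	out := map[string][]string{}
	for _, f := range flows {
		if looksLikeTLS(f.First) {
			continue
		}
		key := fmt.Sprintf("%s:%d", f.Host, f.Port)
		out[key] = append(out[key], printableRuns(f.First, 6)...)
	}
	return out
}

// SampleFlows are constructed stand-ins, not captured MY2022 traffic: a TLS
// ClientHello prefix to the customs host and one unencrypted record to the chat
// metadata host named in the report. The two-byte framing, field names and
// account identifiers are invented for the demo.
func SampleFlows() []Flow {
	clientHello := []byte{0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00, 0xc4, 0x03, 0x03}
	chatMeta := []byte("\x00\x00{\"from\":\"athlete_0142\",\"to\":\"coach_0077\",\"ts\":1643587200}\n")
	return []Flow{
		{Host: "health.customsapp.com", Port: 443, First: clientHello},
		{Host: "tmail.beijing2022.cn", Port: 8099, First: chatMeta},
	}
}
```

On the sample flows the customs connection is skipped as TLS, and the port 8099 connection yields the whole sender/receiver record in the clear, which is the class of metadata the report says a passive observer can read. The check deliberately ignores the port: a finding like the 8099 one is only visible if every connection, not just the non-443 ones, is classified by what it carries.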
The MY2022 App Vulnerabilities Were Not Fixed
Citizen Lab speculates that these vulnerabilities were probably not planted deliberately by the national government, since the app already sends all of this information to the government anyway. A likelier explanation is that skipping certificate validation lets the app keep working on local business or public Wi-Fi networks that require users to install a local SSL certificate. Some operators do this so that they can intercept and inspect traffic before it reaches the intended server, a practice that is apparently more common in China, where local businesses, universities, and other entities are responsible for policing content on their networks.
Citizen Lab said it disclosed the app’s vulnerabilities to the Beijing Organizing Committee on December 3, 2021, giving it 15 days to respond and 45 days to fix the issues before the findings would be published. Citizen Lab received no response. On January 17 the app’s developer did release an updated version of MY2022, but it still did not fix the issues.
In a second article, we will look at the MY2022’s surveillance features and why several countries are telling their athletes to take burner phones.