A health-monitoring app for Olympic attendees reportedly has glaring security issues
Researchers said passport details, voice audio and other data are vulnerable in the MY2022 app.
Just over two weeks before the 2022 Winter Olympics are set to get underway in Beijing, researchers have issued a report claiming that an app many attendees are using has major security issues. The Citizen Lab, a research facility based at the University of Toronto's Munk School of Global Affairs and Public Policy, said a "simple but devastating flaw" made it easy to bypass encryption systems that are supposed to protect voice audio and file transfers.
"The worst case scenario is that someone is intercepting all the traffic and recording all the passport details, all the medical details," research associate Jeffrey Knockel told CTV.
The app is used for health monitoring as part of COVID-19 countermeasures. Other features include messaging, news about the Games and information about logistics. The International Olympic Committee says the local Beijing 2022 workforce is using the app for things like time-keeping and task management too.
"The IOC has conducted independent third-party assessments on the application from two cyber-security testing organizations," the IOC told Engadget in a statement. "These reports confirmed that there are no critical vulnerabilities." The IOC noted that instead of using the mobile app, attendees can access a web-based health monitoring system. It said it has requested the researchers' report "to understand their concerns better."
The Citizen Lab notes that health customs forms containing passport information and travel and medical history are also at risk. In addition, the researchers said it was possible to spoof server responses, which could let hackers provide fake instructions to users.
Along with determining that the app doesn't encrypt some data transmissions, the team found that the app fails to validate some SSL certificates. In such cases, the app can't "validate to whom it is sending sensitive, encrypted data." Although they were only able to create an account on the iOS app, the researchers believe the vulnerabilities exist on the Android version of MY2022 as well.
The Citizen Lab said it informed the organizing committee for the Games about the issues on December 3rd, and said it had 15 days to respond and 45 days to fix the issues before it published its findings. As of Tuesday, the researchers hadn't received a reply.
An updated iOS version of the app that was released on Sunday didn't solve the problems. According to the researchers, the developers added a feature called “Green Health Code” that asks for more travel and medical history details, which are also vulnerable to the SSL certification issue.
According to the researchers, the flaws could mean that the app contravenes Apple's App Store rules and Google’s Unwanted Software Policy. In addition, MY2022 may be violating China's privacy standards and laws.
In addition, The Citizen Lab noted that the app includes an option to report “politically sensitive” content. It has a list of 2,442 censorship keywords too, which is said to be inactive at the minute, but includes terms related to topics like Xinjiang, Tibet, Chinese government agencies and other socially sensitive matters.