The China Mail - Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst

An app all attendees of the upcoming Beijing Olympics must use has encryption flaws that could allow personal information to leak, a cyber security watchdog said Tuesday.

The "simple but devastating flaw" in the encryption of the MY2022 app, which is used to monitor Covid and is mandatory for athletes, journalists and other attendees of the games in China's capital, could allow health information, voice messages and other data to leak, warned Jeffrey Knockel, author of the report for Citizen Lab.

The International Olympic Committee responded to the report by saying users can disable the app's access to parts of their phones and that assessments from two unnamed cyber security organizations "confirmed that there are no critical vulnerabilities."

"The user is in control over what the... app can access on their device," the committee told AFP, adding that installing it on cellphones isn't required "as accredited personnel can log on to the health monitoring system on the web page instead."

The committee said it had asked Citizen Lab for its report "to understand their concerns better."

Citizen Lab said it notified the Chinese organizing committee for the Games of the issues in early December and gave them 15 days to respond and 45 days to fix the problem, but received no reply.

"China has a history of undermining encryption technology to perform political censorship and surveillance," Knockel wrote.

"As such, it is reasonable to ask whether the encryption in this app was intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence," he continued, adding that "the case for the Chinese government sabotaging MY2022's encryption is problematic."

The flaws affect SSL certificates, which allow online entities to communicate securely.

MY2022 doesn't authenticate SSL certificates, meaning other parties could access the app's data, while data is transmitted without the encryption that SSL normally provides, Knockel wrote.
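
As an added illustration of the two weaknesses described above (this is not code from the Citizen Lab report or from the app), the Python sketch below puts a TLS client setting that accepts any certificate beside the default verified one, and audits a few endpoint configurations. The host names, the `audit` helper and the endpoint list are assumptions constructed for the example.

```python
import ssl
from urllib.parse import urlsplit


def unverified_context() -> ssl.SSLContext:
    """Weak setting: traffic is encrypted, but any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # has to be switched off before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context() -> ssl.SSLContext:
    """Corrected setting: chain checked against system CAs, hostname matched."""
    return ssl.create_default_context()


def audit(url, ctx=None):
    """Return the transport weaknesses of one client endpoint configuration."""
    if urlsplit(url).scheme.lower() != "https":
        return ["sent in plaintext: no TLS at all"]
    findings = []
    if ctx is None or ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if ctx is None or not ctx.check_hostname:
        findings.append("hostname not matched against certificate")
    return findings


# Constructed endpoints (hypothetical hosts, not taken from the app).
ENDPOINTS = [
    ("https://health.example.test/report", unverified_context()),
    ("http://media.example.test/voice", None),
    ("https://health.example.test/report", verified_context()),
]

if __name__ == "__main__":
    for url, ctx in ENDPOINTS:
        print(url, "->", audit(url, ctx) or "ok")
```

A client in the first configuration cannot tell the real server from anyone presenting a certificate of their own, which is why skipping authentication defeats the encryption even though the connection is nominally TLS.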

While the app is transparent about the medical information it collects as part of China's efforts to screen Covid-19 cases, he said "it is unclear with whom or which organization(s) it shares this information."

MY2022 also contains a list called "illegalwords.txt" of "politically sensitive" phrases in China, many of which relate to China's political situation or its Tibetan and Uighur Muslim minorities.

These include keywords like "CCP evil" and Xi Jinping, China's president, though Knockel said it was unclear if the list was being actively used for censorship purposes.

Because of these features, the app may violate both Google and Apple policies around smartphone software, and "also China's own laws and national standards pertaining to privacy protection, providing potential avenues for future redress," he wrote.

O.Tse--ThChM