The China Mail - Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst

An app all attendees of the upcoming Beijing Olympics must use has encryption flaws that could allow personal information to leak, a cyber security watchdog said Tuesday.

The "simple but devastating flaw" in the encryption of the MY2022 app, which is used to monitor Covid and is mandatory for athletes, journalists and other attendees of the games in China's capital, could allow health information, voice messages and other data to leak, warned Jeffrey Knockel, author of the report for Citizen Lab.

The International Olympic Committee responded to the report by saying users can disable the app's access to parts of their phones and that assessments from two unnamed cyber security organizations "confirmed that there are no critical vulnerabilities."

"The user is in control over what the... app can access on their device," the committee told AFP, adding that installing it on cellphones isn't required "as accredited personnel can log on to the health monitoring system on the web page instead."

The committee said it had asked Citizen Lab for its report "to understand their concerns better."

Citizen Lab said it notified the Chinese organizing committee for the Games of the issues in early December and gave them 15 days to respond and 45 days to fix the problem, but received no reply.

"China has a history of undermining encryption technology to perform political censorship and surveillance," Knockel wrote.

"As such, it is reasonable to ask whether the encryption in this app was intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence," he continued, adding that "the case for the Chinese government sabotaging MY2022's encryption is problematic."

The flaws affect SSL certificates, which allow online entities to communicate securely.

MY2022 doesn't authenticate SSL certificates, meaning other parties could access the app's data, while data is transmitted without the usual encryption that SSL provides, Knockel wrote.

While the app is transparent about the medical information it collects as part of China's efforts to screen Covid-19 cases, he said "it is unclear with whom or which organization(s) it shares this information."

MY2022 also contains a list called "illegalwords.txt" of "politically sensitive" phrases in China, many of which relate to China's political situation or its Tibetan and Uighur Muslim minorities.

These include keywords like "CCP evil" and Xi Jinping, China's president, though Knockel said it was unclear if the list was being actively used for censorship purposes.

Because of these features, the app may violate both Google and Apple policies around smartphone software, and "also China's own laws and national standards pertaining to privacy protection, providing potential avenues for future redress," he wrote.

O.Tse--ThChM