The China Mail - Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst

An app all attendees of the upcoming Beijing Olympics must use has encryption flaws that could allow personal information to leak, a cyber security watchdog said Tuesday.

The "simple but devastating flaw" in the encryption of the MY2022 app, which is used to monitor Covid and is mandatory for athletes, journalists and other attendees of the games in China's capital, could allow health information, voice messages and other data to leak, warned Jeffrey Knockel, author of the report for Citizen Lab.

The International Olympic Committee responded to the report by saying users can disable the app's access to parts of their phones and that assessments from two unnamed cyber security organizations "confirmed that there are no critical vulnerabilities."

"The user is in control over what the... app can access on their device," the committee told AFP, adding that installing it on cellphones isn't required "as accredited personnel can log on to the health monitoring system on the web page instead."

The committee said it had asked Citizen Lab for its report "to understand their concerns better."

Citizen Lab said it notified the Chinese organizing committee for the Games of the issues in early December and gave them 15 days to respond and 45 days to fix the problem, but received no reply.

"China has a history of undermining encryption technology to perform political censorship and surveillance," Knockel wrote.

"As such, it is reasonable to ask whether the encryption in this app was intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence," he continued, adding that "the case for the Chinese government sabotaging MY2022's encryption is problematic."

The flaws affect SSL certificates, which allow online entities to communicate securely.

MY2022 doesn't authenticate SSL certificates, meaning other parties could access the app's data, while data is transmitted without the encryption SSL usually provides, Knockel wrote.

While the app is transparent about the medical information it collects as part of China's efforts to screen Covid-19 cases, he said "it is unclear with whom or which organization(s) it shares this information."

MY2022 also contains a list called "illegalwords.txt" of "politically sensitive" phrases in China, many of which relate to China's political situation or its Tibetan and Uighur Muslim minorities.

These include keywords like "CCP evil" and Xi Jinping, China's president, though Knockel said it was unclear if the list was being actively used for censorship purposes.

Because of these features, the app may violate both Google and Apple policies around smartphone software, and "also China's own laws and national standards pertaining to privacy protection, providing potential avenues for future redress," he wrote.

O.Tse--ThChM