Beijing Olympics: A study points to security vulnerabilities in official use

Citizen Lab, a Canadian research laboratory, has identified a number of security vulnerabilities in the application that should be used by all participants in the Beijing Winter Olympics, according to a study released Tuesday.

Two major drawbacks

According to Citizen Lab, Beijing’s subsidiary Beijing Financial Holdings Group (PFHG)’s MO2022 application, developed and managed for games starting February 4, has two major drawbacks. . “China is known for undermining cryptographic technologies to implement political censorship and surveillance,” said study author Jeffrey Knuckle. “Therefore, it is reasonable to assume that the data encryption of this application was not intentionally corrupted for monitoring purposes or as a result of the negligence of the developers.”

The first drawback is related to so-called SSL certificates, which allow two companies to communicate securely online. According to Citizen Labs, a Canadian university affiliated with the University of Toronto, MY2022 does not recognize SSL certificates submitted to it, meaning unauthorized companies can access application data.

The second drawback is that some information is usually sent to SSL certificates without proper encryption, making them more vulnerable to hijacking. For overseas users of the site, personal data such as passport number, organization and country of birth, vaccine status and Govt-19 test results are collected.

Citizen Lab pointed out the deficiencies to Chinese authorities in early December and asked them to respond within 15 days and fix them within 45 days. But at the end of the deadline set by the lab, Beijing did not respond to this request. .

The Olympic Committee has no “significant implications”

In response to the report’s release, the International Olympic Committee (IOC) told AFP that two special cybersecurity agencies requested by the IOC had tested the application and that their results indicated that there were no “significant vulnerabilities” in the application.

The IOC emphasizes that downloading MY2022, which can be viewed from the Games page, is not mandatory. “MY2022 is an important tool in the arsenal of anti-Govt operations,” the panel argued, adding that it was “designed to ensure the health and safety of those in the bubble.”

Citizen Lab also identified a file called “illegalwords.txt” (illegal words) during its work, many of which were “politically sensitive”, according to the study. We especially see the words “CCP evil” (CCP and “evil” for the Chinese Communist Party) or Xi Jinping from the name of the Chinese president. Citizen Lab has stated that if there are code lines in use to audit these terms, they will not be implemented as they are.