China’s Olympics App Is Horribly Insecure

China is mandating that athletes download and use a health and travel app when they attend the Winter Olympics next month. Citizen Lab examined the app and found it riddled with security holes.

Key Findings:

  • MY2022, an app mandated for use by all attendees of the 2022 Olympic Games in Beijing, has a simple but devastating flaw where encryption protecting users’ voice audio and file transfers can be trivially sidestepped. Health customs forms which transmit passport details, demographic information, and medical and travel history are also vulnerable. Server responses can also be spoofed, allowing an attacker to display fake instructions to users.
  • MY2022 is fairly straightforward about the types of data it collects from users in its public-facing documents. However, as the app collects a range of highly sensitive medical information, it is unclear with whom or which organization(s) it shares this information.
  • MY2022 includes features that allow users to report “politically sensitive” content. The app also includes a censorship keyword list, which, while presently inactive, targets a variety of political topics including domestic issues such as Xinjiang and Tibet as well as references to Chinese government agencies.
  • While the vendor did not respond to our security disclosure, we find that the app’s security deficits may not only violate Google’s Unwanted Software Policy and Apple’s App Store guidelines but also China’s own laws and national standards pertaining to privacy protection, providing potential avenues for future redress.
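The first key finding above says the app's transport encryption can be "trivially sidestepped" and that server responses can be spoofed. Citizen Lab's report (only its summary is quoted here) attributes this to the app failing to validate the server's TLS certificate on some connections, which is the detail that makes both attacks possible: an on-path attacker presents any certificate, reads the traffic, and returns fake instructions. What follows is an added example, not code from Citizen Lab or from MY2022, of the static check a reviewer runs over decompiled Android source to spot the usual ways certificate and host-name validation get disabled. The Java and Kotlin snippets it scans are constructed for this example, and the host name and pin value in the safe snippet are placeholders.

```python
"""Static check for TLS certificate-validation bypasses in decompiled Android code.

Added example, not part of the Citizen Lab report or the MY2022 app.  It looks
for the idioms that make a client accept any server certificate or any host
name, which is what lets an on-path attacker read "encrypted" traffic and spoof
server responses.  The sample sources below are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int    # 1-based line where the match starts
    rule: str    # which bypass idiom matched
    text: str    # first line of the matched text, for the report


# Each rule is (name, regex).  The regexes tolerate a "throws" clause and line
# breaks between signature and body; none uses "." so no DOTALL flag is needed.
RULES = [
    # X509TrustManager.checkServerTrusted with an empty body: every chain passes.
    ("empty-checkServerTrusted",
     re.compile(r"checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}")),
    # getAcceptedIssuers returning null: the classic "trust all" marker.
    ("accepted-issuers-null",
     re.compile(r"getAcceptedIssuers\s*\(\s*\)[^{]*\{\s*return\s+null\s*;?\s*\}")),
    # HostnameVerifier that always says yes (Java method, Kotlin lambda, or the
    # deprecated Apache constant): any certificate is accepted for any host.
    ("hostname-verifier-always-true",
     re.compile(r"verify\s*\([^)]*\)[^{]*\{\s*return\s+true\s*;?\s*\}"
                r"|HostnameVerifier\s*\{[^}]*->\s*true\s*\}"
                r"|ALLOW_ALL_HOSTNAME_VERIFIER")),
]


def scan(source: str) -> list[Finding]:
    """Return every bypass idiom found in `source`, ordered by line number."""
    findings = []
    for rule, pattern in RULES:
        for m in pattern.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            text = m.group(0).splitlines()[0].strip()
            findings.append(Finding(line, rule, text))
    return sorted(findings, key=lambda f: f.line)


def bypasses_tls_validation(source: str) -> bool:
    """True if any idiom that disables certificate or host-name checks is present."""
    return bool(scan(source))


# Constructed sample: the vulnerable shape (Java, plus the Kotlin spelling of
# the verifier) that a decompiler would show for a trust-everything client.
SAMPLE_VULNERABLE = """\
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] c, String a) { }
    public void checkServerTrusted(X509Certificate[] c, String a)
            throws CertificateException { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
} };
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
});
// Kotlin spelling of the same always-true verifier:
val verifier = HostnameVerifier { _, _ -> true }
"""

# Constructed sample of the safe shape: platform trust store plus pinning.
# Host name and pin value are placeholders, not real values.
SAMPLE_SAFE = """\
OkHttpClient client = new OkHttpClient.Builder()
    .certificatePinner(new CertificatePinner.Builder()
        .add("api.example.invalid", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
        .build())
    .build();
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", SAMPLE_VULNERABLE), ("safe", SAMPLE_SAFE)):
        print(f"{name}: bypass={bypasses_tls_validation(src)}")
        for f in scan(src):
            print(f"  line {f.line}: {f.rule}: {f.text}")
```

Run it over whatever a decompiler produces for the app. A hit is a lead, not proof: the code path may be dead, as the report says the keyword list is. The confirming step is dynamic: point the app at a proxy presenting a certificate the device does not trust and see whether it keeps talking, which is exactly the condition under which the traffic can be read and server responses replaced.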

News article:

It’s not clear whether the security flaws were intentional or not, but the report speculated that proper encryption might interfere with some of China’s ubiquitous online surveillance tools, especially systems that allow local authorities to snoop on phones using public wireless networks or internet cafes. Still, the researchers added that the flaws were probably unintentional, because the government will already be receiving data from the app, so there wouldn’t be a need to intercept the data as it was being transferred.

[…]

The app also included a list of 2,422 political keywords, described within the code as “illegalwords.txt,” that worked as a keyword censorship list, according to Citizen Lab. The researchers said the list appeared to be a latent function that the app’s chat and file transfer function was not actively using.

The US government has already advised athletes to leave their personal phones and laptops home and bring burners.

Posted on January 21, 2022 at 6:06 AM • 12 Comments

Comments

Clive Robinson January 21, 2022 7:06 AM

@ ALL,

The US government has already advised athletes to leave their personal phones and laptops home and bring burners.

Sage advice to anyone traveling, even if it’s just around the US. Remember there are few places that are not “border zoned”, so they can be grabbed at any time…

Other countries have different legislation but the effect is the same, your electronics do not belong to you any longer they belong to them, be it physically or not and who ever “them” will be at any instant in time.

A question to ponder,

“How long before even techno freaks wise up and stop living their lives online?”

lurker January 21, 2022 3:05 PM

The problem seems to be the mandatory 14 days’ use before arrival. Because once in China it’s Game Over: who in China, apart from govt-authorised agents, can MITM or server spoof? Who in China trusts western Cert Auth? Who, once inside China, would be dumb enough to connect to their home or work systems?

A serious threat to athletes and attendants would be a failure to supply knives and forks for dining, compelling all to use chopsticks…

JonKnowsNothing January 21, 2022 3:43 PM

@lurker

re: compelling all to use chopsticks

If one is making an all expenses paid by sponsor trip to China for the purpose of harvesting a teensy bit of possible colored smelted glomp or even just for the fun of a long plane ride with questionable air quality… it might behoove you to learn the local custom or at least try.

The presumption that

a) there won’t be culturally acceptable meal protocols
b) that everyone+dog eats with knife, fork or chopsticks

is a bit short sighted.

There are loads of ways to get from hand to mouth, although some you might not want to do at a State Diplomatic Banquet.

In the USA we have an ex-President who presented a Presidential Luncheon sans knife, fork or spoons, offering up a giant dog pile of lukewarm burgers to athletes. Such items are only edible if they are right off the grill, although those particular burgers were precooked and re-warmed, so taste was near-nil anyway.

We also offer “southern fried chicken” at State Banquets to World VIPs. Nothing more amusing than tackling a deep fried breaded chicken drumstick with knife and fork.

And just to cover the bases: Every country and culture has their own eating protocol. In the USA it was (maybe still is) Emily Post. In France, it is definitely NOT Emily Post.

There’s many a faux pas ‘twixt the cup and the lip ….

David Leppik January 21, 2022 4:13 PM

Having a hard-coded list of censored words within the app has some interesting side effects. Most obviously, it provides a good look at what the Chinese government is concerned about. It also opens up some interesting hijinks. For example, if a team were to code-name an illegal performance-enhancing drug “Free Tibet”, that drug couldn’t be mentioned online.

Winter January 22, 2022 6:46 AM

@JonKnows
“And just to cover the bases: Every country and culture has their own eating protocol.”

A funny example: In the “Sound of Music” the uptight Von Trapps eat the American way, with one fork and one hand under the table. That would have been unbelievably rude in German countries where children are drilled to have a knife and fork in hands at all times when eating solid food, and never ever have a hand under the table.

JonKnowsNothing January 22, 2022 12:29 PM

@Winter, @All

re:

J:   “And just to cover the bases: Every country and culture has their own eating protocol.”

W:   A funny example: In the “Sound of Music” the uptight Von Trapps eat the American way, with one fork and one hand under the table. That would have been unbelievably rude in German countries where children are drilled to have a knife and fork in hands at all times when eating solid food, and never ever have a hand under the table.

I can attest that the same is/was true in France.

It was firmly explained to me that “Emily Post Best Manners” of one hand in lap, unless cutting food, swapping fork+knife to eat, are NOT best manners in France.

It did create some hilarity for the French, wondering how Americans ever finished a meal…

iirc (badly) it was explained that the custom of both hands on the table came from the historical need to “see” where everyone’s hands were…

The French also wanted to know why a certain name was considered “funny, hilarious” in the USA. I didn’t know why, until they showed me the name, which I had never seen written out. Once I figured it out, I was rolling on the floor laughing with both hands on the table…

The French were also kind enough to teach me how to eat a raw fruit with knife and fork. (1)

Then there are the hilarious stories of eating with Asian friends… another set of Faux Pas: you need to know when and where to use chopsticks and when not to. It’s a lot like Dragon’s Toes.

===

1) My UK friends were never successful in teaching me to eat peas on an upside down fork without the honey to hold them there.

Johnson boys eat peas and honey,
They have done it all of their life.
Make the peas taste mighty funny,
But it keeps them on the knife,
But it keeps them on the knife.

Clive Robinson January 22, 2022 1:50 PM

@ JonKnowsNothing,

My UK friends were never successful in teaching me to eat peas on an upside down fork

It’s not that difficult…

The first, least approved way is to squash the peas onto the back of the fork using the knife.

The second is you first cut another piece of food onto the end of the fork, such that it makes a little shelf into which you press the peas into again with the knife.

Oh and do not push the food around the plate with your fork… It’s considered more than a bit gauche especially when you hear it against the plate…

Oh, and do not ever ask about “fish knives”; their purpose is not to cut at all but to lift out bones.

Oh, spoons are meant for liquids not solids… So with a dessert like a piece of pie, you cut with the spoon and spear with the fork. If you have custard or single cream you use the spoon to pour it onto the food when it is on the fork.

Oh, and don’t eat the plate… I know it used to be traditional but “trenchers”[1] are as far as I am aware a thing of the past, and won’t be returning to “English” fine dining unless it is multi-cultural such as pizza or similar from the Middle East and over to Asia.

[1] The “trencher” or bread crust plate is where the expression “trencherman” comes from, also where the expression “upper crust” came from. Basically bread did not in the past have the proteins to rise and hold. Also the ovens were not hot enough. The result was flatter bread with much harder crusts. More importantly the way a bread or pizza oven works is you light a wood fire inside of it for a couple of hours to heat the bricks and stone up. You then sweep out the ashes, put the bread dough directly on the stone, block the entrance with a waftboard and cross your fingers. So whilst the “upper crust” was pleasant to look at and eat, the bottom generally had bits of ash in it… So the bottom was cut off and used to serve food on. If you were especially hungry, and working men tended to be, then you would allow the crust to soften with the juices from the food, which would also give it flavour. You could then eat the trencher and be a trencherman… The tradition still actually exists and is what true Yorkshire / Lancashire puddings are for. They are made large and served first with green vegetables and gravy in them. The aim is to fill you up so you only eat a little of the very expensive meat, oh and to discourage children eating meat as well; the main course would start with potatoes and other root vegetables, only then moving onto the meat as again it was for the working men of the family.

ROT13 Cryptographer January 23, 2022 1:01 PM

“China’s Olympics App Is Horribly Insecure” = “China’s Olympics App Found Working As Designed”

ATN January 24, 2022 3:41 AM

The US government has already advised athletes to leave their personal phones and laptops home and bring burners.

In some (a lot of?) countries you cannot buy burners, simply not available for sale (probably for “internal security reasons”, like “protect the children”, detect the origin of FB hate speech…).

Clive Robinson January 24, 2022 10:37 AM

@ ATN, ALL,

In some (a lot of?) countries you cannot buy burners

Actually you can buy them everywhere…

The word “burner” is a little ambiguous, it actually means “disposable” but other people overload the meaning.

In this case the US Gov means a disposable phone on which you do nothing that can cause you problems now or in the future. They do not mean that it has to be “anonymous” as well. In fact if you think about it for a moment, the chances of an Olympic Athlete being able to get an anonymous phone into China would be hard enough, but to use it anonymously impossible for voice and nearly impossible for SMS. Also just turning it on more than once or twice will have it located to an individual Olympic Athlete not just because of the blanket electronic surveillance we know will be in place, but also as I found out years ago China likes to ensure “someone helpful is always by your elbow” and such people get very upset if you try to give them the slip.

However it is the “undercover” usage of “burner” you are thinking of where you obtain the phone and importantly the SIM anonymously.

Yes this is being made increasingly difficult, especially in countries where surveillance is not up to the point where it is not necessary because your position is known all the time. So the authorities cross-correlating a person’s known location with a phone signal is quickly and easily accomplished.

It’s something people need to remember, that is ubiquitous surveillance with bio-metric recognition is becoming more and more prevalent and subject to “Collect it All” thinking. So tying this to the dog-lead in your pocket location device we call a phone will not be difficult. Which means no form of communications will be anonymous anymore as long as the start point and end point of a communication can be identified.

There are ways to stop this identification being possible but it needs a new type of thinking with regard to infrastructure.

It’s something that @SpaceLifeForm and I discuss from time to time,

https://www.schneier.com/blog/archives/2022/01/uk-government-to-launch-pr-campaign-undermining-end-to-end-encryption.html/#comment-399029

https://www.schneier.com/blog/archives/2022/01/uk-government-to-launch-pr-campaign-undermining-end-to-end-encryption.html/#comment-399045

And I’ve discussed with others @Thoth, @Wael, @RobertT, @Nick P in the past. It also comes up almost every time Tor or MixNets come up, or even Traffic Analysis.
