Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst
RBGPF
3.5000
Zürcher Nachrichten - Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst
EUR
-
AED 4.100113
AFN 77.023391
ALL 99.447336
AMD 432.838798
ANG 2.014767
AOA 1036.468947
ARS 1074.711254
AUD 1.636359
AWG 2.00931
AZN 1.92827
BAM 1.957305
BBD 2.257155
BDT 133.59389
BGN 1.965384
BHD 0.42068
BIF 3230.523246
BMD 1.116283
BND 1.443523
BOB 7.725007
BRL 6.061866
BSD 1.117969
BTN 93.496501
BWP 14.707659
BYN 3.658545
BYR 21879.148453
BZD 2.253342
CAD 1.512678
CDF 3204.849171
CHF 0.945843
CLF 0.037658
CLP 1039.103456
CNY 7.8899
CNH 7.892758
COP 4648.481834
CRC 579.080293
CUC 1.116283
CUP 29.581502
CVE 110.791537
CZK 25.09505
DJF 198.385833
DKK 7.459342
DOP 67.201269
DZD 147.957368
EGP 54.174306
ERN 16.744246
ETB 128.657351
FJD 2.453423
FKP 0.850115
GBP 0.840299
GEL 3.047465
GGP 0.850115
GHS 17.524653
GIP 0.850115
GMD 76.468857
GNF 9658.645645
GTQ 8.64172
GYD 233.81355
HKD 8.700707
HNL 27.731566
HRK 7.589621
HTG 147.324568
HUF 394.065769
IDR 16940.712088
ILS 4.213405
IMP 0.850115
INR 93.347554
IQD 1462.33084
IRR 46987.14472
ISK 152.305694
JEP 0.850115
JMD 175.63501
JOD 0.791107
JPY 159.436514
KES 144.00081
KGS 94.074773
KHR 4543.271796
KMF 492.672047
KPW 1004.654143
KRW 1482.736164
KWD 0.3404
KYD 0.931512
KZT 535.361582
LAK 24653.111884
LBP 100018.964577
LKR 340.294632
LRD 216.83831
LSL 19.529721
LTL 3.296094
LVL 0.675228
LYD 5.325093
MAD 10.841334
MDL 19.50581
MGA 5036.894411
MKD 61.664335
MMK 3625.643914
MNT 3793.12987
MOP 8.973393
MRU 44.333165
MUR 51.204203
MVR 17.14598
MWK 1937.867679
MXN 21.522362
MYR 4.699547
MZN 71.274774
NAD 19.535528
NGN 1831.060868
NIO 41.137015
NOK 11.702609
NPR 149.612347
NZD 1.786209
OMR 0.429724
PAB 1.117969
PEN 4.180462
PGK 4.438412
PHP 62.045802
PKR 310.92129
PLN 4.272947
PYG 8726.786438
QAR 4.075633
RON 4.974608
RSD 117.069099
RUB 102.892984
RWF 1505.388617
SAR 4.18887
SBD 9.288327
SCR 15.203375
SDG 671.44267
SEK 11.337749
SGD 1.441813
SHP 0.850115
SLE 25.504058
SLL 23407.892397
SOS 638.896842
SRD 33.324404
STD 23104.806079
SVC 9.781519
SYP 2804.694667
SZL 19.535619
THB 37.004871
TJS 11.882003
TMT 3.906991
TND 3.375641
TOP 2.623048
TRY 37.953999
TTD 7.59799
TWD 35.642385
TZS 3041.24574
UAH 46.326211
UGX 4151.228228
USD 1.116283
UYU 45.925303
UZS 14242.075436
VEF 4043794.116249
VES 40.994414
VND 27438.238213
VUV 132.52737
WST 3.12276
XAF 656.485163
XAG 0.03591
XAU 0.000431
XCD 3.016811
XDR 0.828544
XOF 656.461621
XPF 119.331742
YER 279.433556
ZAR 19.537637
ZMK 10047.88601
ZMW 29.093234
ZWL 359.442698
- Head's 'good night at office' after century seals win over England
- After court order, X goes offline again in Brazil
- Dubois seeks legitimacy with Joshua scalp
- Rate cut could lift consumer spirits before US elections
- Last-gasp Gimenez strike sends Atletico past Leipzig
- Barca stumble at Monaco after early red card
- Raya heroics save Arsenal in Champions League opener at Atalanta
- Cathay Airbus engine fire linked to cleaning: EU regulator
- Guardians beat Twins to secure MLB playoff berth
- Jihadist attack in Mali capital killed more than 70: security sources
Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst
An app all attendees of the upcoming Beijing Olympics must use has encryption flaws that could allow personal information to leak, a cyber security watchdog said Tuesday.
The "simple but devastating flaw" in the encryption of the MY2022 app, which is used to monitor Covid and is mandatory for athletes, journalists and other attendees of the games in China's capital, could allow health information, voice messages and other data to leak, warned Jeffrey Knockel, author of the report for Citizen Lab.
The International Olympic Committee responded to the report by saying users can disable the app's access to parts of their phones and that assessments from two unnamed cyber security organizations "confirmed that there are no critical vulnerabilities."
"The user is in control over what the... app can access on their device," the committee told AFP, adding that installing it on cellphones isn't required "as accredited personnel can log on to the health monitoring system on the web page instead."
The committee said it had asked Citizen Lab for its report "to understand their concerns better."
Citizen Lab said it notified the Chinese organizing committee for the Games of the issues in early December and gave them 15 days to respond and 45 days to fix the problem, but received no reply.
"China has a history of undermining encryption technology to perform political censorship and surveillance," Knockel wrote.
"As such, it is reasonable to ask whether the encryption in this app was intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence," he continued, adding that "the case for the Chinese government sabotaging MY2022's encryption is problematic."
The flaws affect SSL certificates, which allow online entities to communicate securely.
MY2022 doesn't authenticate SSL certificates, meaning other parties could access the app's data, while data is transmitted without the usual encryption SSL certificates have, Knockel wrote.
While the app is transparent about the medical information it collects as part of China's efforts to screen Covid-19 cases, he said "it is unclear with whom or which organization(s) it shares this information."
MY2022 also contains a list called "illegalwords.txt" of "politically sensitive" phrases in China, many of which relate to China's political situation or its Tibetan and Uighur Muslim minorities.
These include keywords like "CCP evil" and Xi Jinping, China's president, though Knockel said it was unclear if the list was being actively used for censorship purposes.
Because of these features, the app may violate both Google and Apple policies around smartphone software, and "also China's own laws and national standards pertaining to privacy protection, providing potential avenues for future redress," he wrote.
O.Pereira--NZN
