Zürcher Nachrichten - Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst

An app all attendees of the upcoming Beijing Olympics must use has encryption flaws that could allow personal information to leak, a cyber security watchdog said Tuesday.

The "simple but devastating flaw" in the encryption of the MY2022 app, which is used to monitor Covid and is mandatory for athletes, journalists and other attendees of the games in China's capital, could allow health information, voice messages and other data to leak, warned Jeffrey Knockel, author of the report for Citizen Lab.

The International Olympic Committee responded to the report by saying users can disable the app's access to parts of their phones and that assessments from two unnamed cyber security organizations "confirmed that there are no critical vulnerabilities."

"The user is in control over what the... app can access on their device," the committee told AFP, adding that installing it on cellphones isn't required "as accredited personnel can log on to the health monitoring system on the web page instead."

The committee said it had asked Citizen Lab for its report "to understand their concerns better."

Citizen Lab said it notified the Chinese organizing committee for the Games of the issues in early December and gave them 15 days to respond and 45 days to fix the problem, but received no reply.

"China has a history of undermining encryption technology to perform political censorship and surveillance," Knockel wrote.

"As such, it is reasonable to ask whether the encryption in this app was intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence," he continued, adding that "the case for the Chinese government sabotaging MY2022's encryption is problematic."

The flaws affect SSL certificates, which allow online entities to communicate securely.

MY2022 doesn't authenticate SSL certificates, meaning other parties could access the app's data, while data is transmitted without the encryption SSL usually provides, Knockel wrote.
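The two defects described above, unauthenticated certificates and data sent with no encryption, can be checked for in a client's configuration. The following is an added example, not code from the app or from the Citizen Lab report; the function names and the `example.test` endpoints are constructed for illustration.

```python
import ssl
from urllib.parse import urlsplit

def build_unverified_context():
    """Weak setting: traffic is encrypted, but any certificate from any host is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE   # no chain validation: the peer is never authenticated
    return ctx

def build_verified_context():
    """Corrected setting: chain validation and hostname matching both enforced."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx):
    """Return the certificate-authentication problems found in an SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings

def cleartext_endpoints(urls):
    """Return the endpoints that would be contacted with no TLS at all."""
    return [u for u in urls if urlsplit(u).scheme.lower() != "https"]

# Constructed sample endpoints (hypothetical, not taken from the app).
SAMPLE_ENDPOINTS = [
    "https://health.example.test/report",
    "http://media.example.test/voice-upload",
]

def audit_client(ctx, urls):
    """Combine both checks into one report for a client configuration."""
    return {"tls": audit_context(ctx), "cleartext": cleartext_endpoints(urls)}

if __name__ == "__main__":
    print("weak:     ", audit_client(build_unverified_context(), SAMPLE_ENDPOINTS))
    print("corrected:", audit_client(build_verified_context(), SAMPLE_ENDPOINTS[:1]))
```

A context that fails the first check still encrypts the connection, but it cannot tell the intended server from anyone else on the network path who presents a certificate.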

While the app is transparent about the medical information it collects as part of China's efforts to screen Covid-19 cases, he said "it is unclear with whom or which organization(s) it shares this information."

MY2022 also contains a list called "illegalwords.txt" of "politically sensitive" phrases in China, many of which relate to China's political situation or its Tibetan and Uighur Muslim minorities.

These include keywords like "CCP evil" and Xi Jinping, China's president, though Knockel said it was unclear if the list was being actively used for censorship purposes.

Because of these features, the app may violate both Google and Apple policies around smartphone software, and "also China's own laws and national standards pertaining to privacy protection, providing potential avenues for future redress," he wrote.

O.Pereira--NZN