The Japan Times - Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst

An app all attendees of the upcoming Beijing Olympics must use has encryption flaws that could allow personal information to leak, a cyber security watchdog said Tuesday.

The "simple but devastating flaw" in the encryption of the MY2022 app, which is used to monitor Covid and is mandatory for athletes, journalists and other attendees of the games in China's capital, could allow health information, voice messages and other data to leak, warned Jeffrey Knockel, author of the report for Citizen Lab.

The International Olympic Committee responded to the report by saying users can disable the app's access to parts of their phones and that assessments from two unnamed cyber security organizations "confirmed that there are no critical vulnerabilities."

"The user is in control over what the... app can access on their device," the committee told AFP, adding that installing it on cellphones isn't required "as accredited personnel can log on to the health monitoring system on the web page instead."

The committee said it had asked Citizen Lab for its report "to understand their concerns better."

Citizen Lab said it notified the Chinese organizing committee for the Games of the issues in early December and gave them 15 days to respond and 45 days to fix the problem, but received no reply.

"China has a history of undermining encryption technology to perform political censorship and surveillance," Knockel wrote.

"As such, it is reasonable to ask whether the encryption in this app was intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence," he continued, adding that "the case for the Chinese government sabotaging MY2022's encryption is problematic."

The flaws affect SSL certificates, which allow online entities to communicate securely.

MY2022 doesn't authenticate SSL certificates, meaning other parties could access the app's data, while data is transmitted without the encryption that SSL normally provides, Knockel wrote.
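The two failure modes described above, skipped certificate validation and unencrypted transmission, can be checked in a client's TLS settings. This is an added example, not code from the app or the Citizen Lab report; the function names and the `example.test` endpoints are assumptions made for illustration.

```python
import ssl
from urllib.parse import urlsplit


def unvalidated_context() -> ssl.SSLContext:
    """TLS client settings that accept any certificate (the weak form)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # the chain of trust is never checked
    return ctx


def validated_context() -> ssl.SSLContext:
    """Library defaults: verify the chain and match the hostname."""
    return ssl.create_default_context()


def audit(url: str, ctx: ssl.SSLContext) -> list[str]:
    """Return the reasons traffic to `url` could be read or altered in transit."""
    if urlsplit(url).scheme != "https":
        return ["sent in plaintext, no TLS at all"]
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched to the hostname")
    return findings


# Constructed endpoints for illustration (not taken from the app or the report).
ENDPOINTS = [
    "https://health.example.test/submit",
    "http://media.example.test/upload",
]

if __name__ == "__main__":
    contexts = (("unvalidated", unvalidated_context()),
                ("validated", validated_context()))
    for label, ctx in contexts:
        for url in ENDPOINTS:
            print(label, url, audit(url, ctx) or "ok")
```

A validated context does nothing for the second endpoint: traffic sent over plain `http` is exposed regardless of how certificates are handled.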

While the app is transparent about the medical information it collects as part of China's efforts to screen Covid-19 cases, he said "it is unclear with whom or which organization(s) it shares this information."

MY2022 also contains a list called "illegalwords.txt" of "politically sensitive" phrases in China, many of which relate to China's political situation or its Tibetan and Uighur Muslim minorities.

These include keywords like "CCP evil" and Xi Jinping, China's president, though Knockel said it was unclear if the list was being actively used for censorship purposes.

Because of these features, the app may violate both Google and Apple policies around smartphone software, and "also China's own laws and national standards pertaining to privacy protection, providing potential avenues for future redress," he wrote.

T.Kobayashi--JT