Along with their skis, winter wear, and N95 masks, athletes and support staff heading to the Beijing Winter Olympics, which kick off in two weeks, should pack burner digital devices, as experts warn of cybersecurity risks during their stay in China.
Several countries, including the US, have announced diplomatic boycotts of the Games over China's human rights record, meaning their government officials will stay away. Their athletes will still compete.
The US Olympic & Paralympic Committee has reportedly encouraged Team USA to use disposable phones in a bid to avoid coming home with surveillance malware on their regular phones, according to the Wall Street Journal. In addition, Olympic committees or associations in countries including Canada, the UK, and the Netherlands have also given similar advice, and in some cases issued temporary devices to their athletes.
Republican senator Marco Rubio last week sent a letter to president Joe Biden, asking the administration to explain the steps it is taking to protect US athletes from Beijing’s surveillance. In particular, Rubio raised concerns about the digital yuan, the sovereign digital currency that China is developing, noting that it is set to be rolled out more broadly at the Olympics, and that US vendors may be pressured into accepting it for payment, posing “enormous” risk to US nationals.
China has rejected such concerns, saying the Beijing Olympics organizing committee will “strictly abide by the Law of China on Personal Information Protection and other relevant laws and regulations,” and that all personal information will be encrypted on its official app My2022 that will be used for covid contact tracing and health status monitoring in the Olympics bubble.
Security concerns about the My2022 Olympics app
An analysis this week by cybersecurity research group Citizen Lab, based at the University of Toronto, pointed out security vulnerabilities in the My2022 app, developed by a state-owned company for the Beijing organizing committee. China is advising athletes, members of the media, and the limited number of spectators who will be invited to attend the Games to use the app.
Researchers said the app's encryption can be easily sidestepped, since it fails to validate SSL certificates, the digital certificates that prove a server is the one it claims to be. Without that check the connection is still encrypted, but the app has no way of knowing who is on the other end, so an attacker can "spoof trusted servers by interfering with the communication between the app and these servers," the report said. In practice, the app, which collects international users' demographic and passport information, can be tricked into connecting to a malicious host that presents any certificate it likes, and the information the app transmits can be intercepted in transit.
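As an added illustration (this is not code from Citizen Lab's report or from the My2022 app, whose source is not reproduced on this page), the following Python shows the class of TLS client misconfiguration the report describes beside a hardened configuration, a small audit function that flags the difference, and the certificate-pinning check an app handling passport data would normally add on top of chain validation. The host name, port, sample certificate bytes and pin values are constructed for the example.

```python
import hashlib
import socket
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The failure mode described above: TLS is negotiated, so traffic looks
    encrypted on the wire, but the peer certificate is never validated.
    Any host that gets between the app and its server can present any
    certificate and the client will accept it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # certificate is not bound to the server name
    ctx.verify_mode = ssl.CERT_NONE  # certificate chain is not validated at all
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Default verification: chain built to the system trust store, the
    hostname matched against the certificate's SAN, and a TLS 1.2 floor."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return human-readable findings for settings that let an interposed
    host impersonate the real server. An empty list means the context
    actually authenticates its peer."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: peer certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version is not pinned to TLS 1.2 or higher")
    return findings


def cert_sha256_pin(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, the value a pinning client
    compares against the pins shipped inside the app."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_pins: set[str]) -> bool:
    """True only if the presented certificate is one the client was built to trust."""
    return cert_sha256_pin(der_cert) in expected_pins


def connect_with_pin(host: str, port: int, expected_pins: set[str]) -> ssl.SSLSocket:
    """Open a verified TLS connection and additionally require the leaf
    certificate to match a known pin. Chain validation stops a forged
    certificate; pinning also stops a valid certificate issued by a CA the
    app never intended to trust. Not called below because it needs a network."""
    ctx = hardened_client_context()
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # hostname check happens here
    leaf = tls.getpeercert(binary_form=True)          # DER bytes of the leaf certificate
    if leaf is None or not pin_matches(leaf, expected_pins):
        tls.close()
        raise ssl.SSLError("certificate does not match any configured pin")
    return tls


# Constructed stand-in for a DER certificate; a real deployment would pin the
# SHA-256 of the actual server certificate (or its public key).
CONSTRUCTED_CERT = b"-- constructed stand-in for a DER-encoded certificate --"
CONSTRUCTED_PINS = {cert_sha256_pin(CONSTRUCTED_CERT)}


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or "no findings")
    print("pin check on constructed cert:", pin_matches(CONSTRUCTED_CERT, CONSTRUCTED_PINS))
```

The audit function is the check a reviewer would run against any client code that builds its own TLS context: a context that reports `CERT_NONE` or `check_hostname = False` is exactly the condition under which "encrypted" traffic can be read by whoever answers the connection.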
Citizen Lab said it contacted the organizing committee of the Games in December regarding the security flaws, but didn’t get a response within the time frame it had given the body, after which it revealed the findings publicly.
When it comes to information sharing, the app discloses that it will share data with a number of firms, including Alibaba-owned AutoNavi, which is providing location services to the app, and iFlytek, a voice-recognition AI developer that provides the app with translation services, and whose voice technology is also applied to security and policing in China.
The Olympics will have a diluted firewall
China’s internet is ringfenced by the great firewall, which bars its citizens from browsing many foreign websites, and accessing information on topics considered sensitive. Beijing has promised to relax the great firewall for the Winter Olympics, an approach it has applied to other events featuring international participants. That doesn’t mean that journalists or athletes at the Olympics should count on being able to access everything they are able to reach when outside of China—journalists at the 2008 Summer Olympics in Beijing still found many sites blocked despite expecting an uncensored internet.
Citizen Lab found that the My2022 app contains a censorship keyword list, which is inactive at the moment but consists of around 2,400 words, mostly in Chinese, ranging from the name of Chinese president Xi Jinping to insults directed at Jewish and Chinese people. A small number of words in Uyghur and Tibetan, languages of two ethnic groups that have faced major repression, are also on the list. Like many other Chinese apps, My2022 allows users to report "politically sensitive content," raising fears about the possibility of non-transparent content removal, it said.
In response to the lab's report, the International Olympic Committee has defended the app, saying it is not compulsory to download it, and that users can control what information the app accesses on their phones. The IOC said it has also conducted independent third-party assessments of the app and confirmed that there are no critical vulnerabilities, according to ZDNet. Meanwhile, a spokesperson from the Chinese Embassy in Canada said yesterday (Jan. 19) that the lab's report is "a distortion of facts and totally without evidence."
“There’s no need to worry about cybersecurity…China has always been against and will crack down upon any kinds of cyber attacks and cyber stalking,” said the spokesperson, according to Chinese state-owned Global Times.