Zürcher Nachrichten - Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst

An app all attendees of the upcoming Beijing Olympics must use has encryption flaws that could allow personal information to leak, a cyber security watchdog said Tuesday.

The "simple but devastating flaw" in the encryption of the MY2022 app, which is used to monitor Covid and is mandatory for athletes, journalists and other attendees of the games in China's capital, could allow health information, voice messages and other data to leak, warned Jeffrey Knockel, author of the report for Citizen Lab.

The International Olympic Committee responded to the report by saying users can disable the app's access to parts of their phones and that assessments from two unnamed cyber security organizations "confirmed that there are no critical vulnerabilities."

"The user is in control over what the... app can access on their device," the committee told AFP, adding that installing it on cellphones isn't required "as accredited personnel can log on to the health monitoring system on the web page instead."

The committee said it had asked Citizen Lab for its report "to understand their concerns better."

Citizen Lab said it notified the Chinese organizing committee for the Games of the issues in early December and gave them 15 days to respond and 45 days to fix the problem, but received no reply.

"China has a history of undermining encryption technology to perform political censorship and surveillance," Knockel wrote.

"As such, it is reasonable to ask whether the encryption in this app was intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence," he continued, adding that "the case for the Chinese government sabotaging MY2022's encryption is problematic."

The flaws affect SSL certificates, which allow online entities to communicate securely.

MY2022 doesn't authenticate SSL certificates, meaning other parties could access the app's data, and data is transmitted without the encryption SSL usually provides, Knockel wrote.

While the app is transparent about the medical information it collects as part of China's efforts to screen Covid-19 cases, he said "it is unclear with whom or which organization(s) it shares this information."

MY2022 also contains a list called "illegalwords.txt" of "politically sensitive" phrases in China, many of which relate to China's political situation or its Tibetan and Uighur Muslim minorities.

These include keywords like "CCP evil" and Xi Jinping, China's president, though Knockel said it was unclear if the list was being actively used for censorship purposes.

Because of these features, the app may violate both Google and Apple policies around smartphone software, and "also China's own laws and national standards pertaining to privacy protection, providing potential avenues for future redress," he wrote.

O.Pereira--NZN