Zürcher Nachrichten - Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst

An app all attendees of the upcoming Beijing Olympics must use has encryption flaws that could allow personal information to leak, a cyber security watchdog said Tuesday.

The "simple but devastating flaw" in the encryption of the MY2022 app, which is used to monitor Covid and is mandatory for athletes, journalists and other attendees of the games in China's capital, could allow health information, voice messages and other data to leak, warned Jeffrey Knockel, author of the report for Citizen Lab.

The International Olympic Committee responded to the report by saying users can disable the app's access to parts of their phones and that assessments from two unnamed cyber security organizations "confirmed that there are no critical vulnerabilities."

"The user is in control over what the... app can access on their device," the committee told AFP, adding that installing it on cellphones isn't required "as accredited personnel can log on to the health monitoring system on the web page instead."

The committee said it had asked Citizen Lab for its report "to understand their concerns better."

Citizen Lab said it notified the Chinese organizing committee for the Games of the issues in early December and gave them 15 days to respond and 45 days to fix the problem, but received no reply.

"China has a history of undermining encryption technology to perform political censorship and surveillance," Knockel wrote.

"As such, it is reasonable to ask whether the encryption in this app was intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence," he continued, adding that "the case for the Chinese government sabotaging MY2022's encryption is problematic."

The flaws concern the app's handling of SSL certificates, which allow online entities to communicate securely.

MY2022 doesn't authenticate SSL certificates, meaning other parties could access the app's data, while data is transmitted without the encryption that SSL normally provides, Knockel wrote.
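
As an added illustration (not code from the app, the Citizen Lab report or this article), the Python sketch below puts a TLS client configuration that accepts any certificate beside one that uses the library defaults, and audits both along with a list of endpoints for plaintext transport. The function names and the `example.invalid` URLs are constructed for this example.

```python
import ssl
from urllib.parse import urlsplit


def audit_context(ctx):
    """Return findings for a client-side TLS context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


def audit_endpoints(urls):
    """Return the URLs that would be sent with no TLS at all."""
    return [u for u in urls if urlsplit(u).scheme.lower() != "https"]


def insecure_context():
    # The class of flaw described above: any certificate is accepted,
    # so the client cannot tell the real server from an impostor.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    # Library defaults: chain verification plus hostname checking.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed endpoints, not taken from the app.
SAMPLE_ENDPOINTS = [
    "https://health.example.invalid/api/report",
    "http://media.example.invalid/upload",
]

if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()),
                      ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "no findings")
    print("plaintext endpoints:", audit_endpoints(SAMPLE_ENDPOINTS))
```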

While the app is transparent about the medical information it collects as part of China's efforts to screen Covid-19 cases, he said "it is unclear with whom or which organization(s) it shares this information."

MY2022 also contains a list called "illegalwords.txt" of "politically sensitive" phrases in China, many of which relate to China's political situation or its Tibetan and Uighur Muslim minorities.

These include keywords like "CCP evil" and Xi Jinping, China's president, though Knockel said it was unclear if the list was being actively used for censorship purposes.

Because of these features, the app may violate both Google and Apple policies around smartphone software, and "also China's own laws and national standards pertaining to privacy protection, providing potential avenues for future redress," he wrote.

O.Pereira--NZN