Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst
RBGPF
0.0000
Zürcher Nachrichten - Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst
EUR
-
AED 4.278799
AFN 77.332466
ALL 96.575617
AMD 445.1876
ANG 2.085576
AOA 1068.388216
ARS 1684.735918
AUD 1.75613
AWG 2.09862
AZN 1.984015
BAM 1.955298
BBD 2.351906
BDT 142.873314
BGN 1.955951
BHD 0.439244
BIF 3450.13256
BMD 1.165091
BND 1.512264
BOB 8.068928
BRL 6.18139
BSD 1.167705
BTN 104.895516
BWP 15.51395
BYN 3.380546
BYR 22835.780461
BZD 2.348507
CAD 1.624445
CDF 2598.152383
CHF 0.935795
CLF 0.027249
CLP 1068.972737
CNY 8.239114
CNH 8.235468
COP 4423.838268
CRC 572.550529
CUC 1.165091
CUP 30.874907
CVE 110.236695
CZK 24.215228
DJF 207.947498
DKK 7.468599
DOP 74.200629
DZD 151.573688
EGP 55.422094
ERN 17.476363
ETB 182.080866
FJD 2.631882
FKP 0.872491
GBP 0.87341
GEL 3.139877
GGP 0.872491
GHS 13.301585
GIP 0.872491
GMD 85.051785
GNF 10146.786517
GTQ 8.944742
GYD 244.307269
HKD 9.07004
HNL 30.745973
HRK 7.537941
HTG 152.955977
HUF 381.927241
IDR 19422.821609
ILS 3.76036
IMP 0.872491
INR 104.791181
IQD 1529.71378
IRR 49079.451231
ISK 149.003201
JEP 0.872491
JMD 187.141145
JOD 0.82607
JPY 180.711448
KES 150.704566
KGS 101.886647
KHR 4676.939601
KMF 491.66861
KPW 1048.573823
KRW 1715.887947
KWD 0.35759
KYD 0.973154
KZT 590.220982
LAK 25331.604319
LBP 104570.198293
LKR 360.448994
LRD 206.107962
LSL 19.822595
LTL 3.44021
LVL 0.704752
LYD 6.347397
MAD 10.774234
MDL 19.862985
MGA 5193.64414
MKD 61.624177
MMK 2446.620372
MNT 4131.997126
MOP 9.362236
MRU 46.266921
MUR 53.675364
MVR 17.954132
MWK 2024.871384
MXN 21.185039
MYR 4.789718
MZN 74.447687
NAD 19.822595
NGN 1690.547045
NIO 42.970442
NOK 11.774198
NPR 167.831186
NZD 2.017279
OMR 0.448002
PAB 1.1678
PEN 3.926892
PGK 4.952877
PHP 68.813177
PKR 329.883811
PLN 4.230421
PYG 8097.955442
QAR 4.268104
RON 5.093784
RSD 117.405001
RUB 89.428762
RWF 1699.056442
SAR 4.372624
SBD 9.581501
SCR 15.83572
SDG 700.739077
SEK 10.962357
SGD 1.508886
SHP 0.87412
SLE 26.796781
SLL 24431.370198
SOS 666.226074
SRD 45.023191
STD 24115.028075
STN 24.494657
SVC 10.21742
SYP 12883.858981
SZL 19.816827
THB 37.09708
TJS 10.731491
TMT 4.077818
TND 3.427635
TOP 2.805259
TRY 49.532165
TTD 7.917001
TWD 36.455959
TZS 2842.8212
UAH 49.235746
UGX 4139.936989
USD 1.165091
UYU 45.74845
UZS 13910.428222
VES 289.625154
VND 30711.794538
VUV 142.222766
WST 3.250779
XAF 655.7858
XAG 0.020016
XAU 0.000276
XCD 3.148716
XCG 2.104569
XDR 0.815587
XOF 655.791427
XPF 119.331742
YER 277.75676
ZAR 19.715959
ZMK 10487.212054
ZMW 26.828226
ZWL 375.158775
- Sri Lanka issues fresh landslide warnings as death toll hits 607
- Guardiola says broadcasters owe him wine after nine-goal thriller
- Netflix to buy Warner Bros. Discovery in deal of the decade
- EU hits Musk's X with 120-mn-euro fine, risking Trump ire
- French stars Moefana and Atonio return for Champions Cup
- Penguins queue in Paris zoo for their bird flu jabs
- Netflix to buy Warner Bros. Discovery for nearly $83 billion
- Sri Lanka issues fresh landslide warnings as toll nears 500
- Root says England still 'well and truly' in second Ashes Test
- Chelsea's Maresca says rotation unavoidable
Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst
An app all attendees of the upcoming Beijing Olympics must use has encryption flaws that could allow personal information to leak, a cyber security watchdog said Tuesday.
The "simple but devastating flaw" in the encryption of the MY2022 app, which is used to monitor Covid and is mandatory for athletes, journalists and other attendees of the games in China's capital, could allow health information, voice messages and other data to leak, warned Jeffrey Knockel, author of the report for Citizen Lab.
The International Olympic Committee responded to the report by saying users can disable the app's access to parts of their phones and that assessments from two unnamed cyber security organizations "confirmed that there are no critical vulnerabilities."
"The user is in control over what the... app can access on their device," the committee told AFP, adding that installing it on cellphones isn't required "as accredited personnel can log on to the health monitoring system on the web page instead."
The committee said it had asked Citizen Lab for its report "to understand their concerns better."
Citizen Lab said it notified the Chinese organizing committee for the Games of the issues in early December and gave them 15 days to respond and 45 days to fix the problem, but received no reply.
"China has a history of undermining encryption technology to perform political censorship and surveillance," Knockel wrote.
"As such, it is reasonable to ask whether the encryption in this app was intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence," he continued, adding that "the case for the Chinese government sabotaging MY2022's encryption is problematic."
The flaws affect SSL certificates, which allow online entities to communicate securely.
MY2022 doesn't authenticate SSL certificates, meaning other parties could access the app's data, while data is transmitted without the usual encryption SSL certificates have, Knockel wrote.
While the app is transparent about the medical information it collects as part of China's efforts to screen Covid-19 cases, he said "it is unclear with whom or which organization(s) it shares this information."
MY2022 also contains a list called "illegalwords.txt" of "politically sensitive" phrases in China, many of which relate to China's political situation or its Tibetan and Uighur Muslim minorities.
These include keywords like "CCP evil" and Xi Jinping, China's president, though Knockel said it was unclear if the list was being actively used for censorship purposes.
Because of these features, the app may violate both Google and Apple policies around smartphone software, and "also China's own laws and national standards pertaining to privacy protection, providing potential avenues for future redress," he wrote.
O.Pereira--NZN
