Winter Olympics 2022: security flaws detected in the official Beijing application, the IOC disputes the findings

On the app stores, the sites from which smartphone applications are downloaded and installed, it is described as a “collaborative” communication platform for “the organization of the Beijing 2022 Olympic Games”, which open on February 4, 2022.

“My2022”, the free application that all participants in the Winter Olympics must use, in particular to prove that they are not infected with Covid-19, reportedly has several security flaws, according to a study published on Tuesday by the Canadian research laboratory Citizen Lab.

According to Citizen Lab's work, My2022, created and managed by Beijing Financial Holdings Group (BFHG), a subsidiary of the city of Beijing, has two major flaws that make it susceptible to data leaks.

Health and identity data could leak

“China has a history of undermining encryption technologies in order to practice political censorship and surveillance,” said study author Jeffrey Knockel, a research associate at the University of Toronto.

According to Citizen Lab, which is part of this university, My2022 does not validate the SSL certificates presented to it, the certificates that allow two parties to communicate securely online. Unrecognized parties could thus gain access to the application's data.
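The validation failure described above, shown as an added example that is not Citizen Lab's code or anything from the My2022 application: a local HTTPS server with a certificate no trust store recognizes stands in for an unrecognized party, and a client that skips certificate validation accepts it while a client with validation left on rejects it. The endpoint, the JSON body and the function names are constructed for the demonstration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// fetchHealthStatus performs a GET against url with the supplied TLS
// configuration. A nil config means Go's defaults: the server certificate
// is validated against the trust store and the hostname is checked.
func fetchHealthStatus(url string, cfg *tls.Config) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// RunDemo starts a local HTTPS server whose certificate is unknown to any
// trust store (standing in for an interposed, unrecognized party) and
// reports whether each client configuration accepted it.
// Returns (acceptedWithValidationDisabled, acceptedWithValidationEnabled).
func RunDemo() (bool, bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Constructed sample payload of the kind the article says the app handles.
		io.WriteString(w, `{"passport":"X0000000","covid_status":"negative"}`)
	}))
	defer srv.Close()

	// The flaw: InsecureSkipVerify turns certificate validation off entirely.
	_, errInsecure := fetchHealthStatus(srv.URL, &tls.Config{InsecureSkipVerify: true})
	// The fix: leave validation on; the unknown certificate is rejected.
	_, errDefault := fetchHealthStatus(srv.URL, nil)
	return errInsecure == nil, errDefault == nil
}

func main() {
	insecure, secure := RunDemo()
	fmt.Printf("validation disabled: accepted=%v\n", insecure)
	fmt.Printf("validation enabled:  accepted=%v\n", secure)
}
```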

Second flaw: while the platform collects the passport number, country of origin and health status of its foreign users, certain information is transmitted without the encryption normally provided by SSL, which makes it more vulnerable to interception.

“It is reasonable to wonder whether the encryption of this application's data was deliberately sabotaged for surveillance purposes or whether it is the result of negligence on the part of the developers,” Jeffrey Knockel continues.

Citizen Lab says it reported the flaws to the Chinese authorities in early December, asking them to respond within 15 days and to remedy them within 45. By the end of the deadline set by the laboratory, Beijing had not responded to this request.

No “crucial vulnerabilities” for the Olympic Committee

In reaction to the publication of this report, the International Olympic Committee (IOC) said that two specialized cybersecurity bodies commissioned by the IOC had tested the application and that their conclusions indicated that it did not present any “crucial vulnerabilities”.

The IOC insisted that it was not mandatory for Games participants to download My2022, which could also be accessed from a web page. “MY2022 is an important tool in the arsenal of anti-Covid measures,” the committee argued, and “was designed to ensure the health security of those in the bubble.”

In the course of its work, Citizen Lab said it also identified a file called “illegalwords.txt” that could potentially be used to censor words deemed illegal or “politically sensitive” in China.

Terms like “CCP evil”, meaning the Chinese Communist Party is evil, or “Xi Jinping”, the name of the Chinese president, could be filtered out. For now, the code in question is not active in the application, according to Citizen Lab.
