The Fort Worth Press - Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst

An app all attendees of the upcoming Beijing Olympics must use has encryption flaws that could allow personal information to leak, a cyber security watchdog said Tuesday.

The "simple but devastating flaw" in the encryption of the MY2022 app, which is used to monitor Covid and is mandatory for athletes, journalists and other attendees of the games in China's capital, could allow health information, voice messages and other data to leak, warned Jeffrey Knockel, author of the report for Citizen Lab.

The International Olympic Committee responded to the report by saying users can disable the app's access to parts of their phones and that assessments from two unnamed cyber security organizations "confirmed that there are no critical vulnerabilities."

"The user is in control over what the... app can access on their device," the committee told AFP, adding that installing it on cellphones isn't required "as accredited personnel can log on to the health monitoring system on the web page instead."

The committee said it had asked Citizen Lab for its report "to understand their concerns better."

Citizen Lab said it notified the Chinese organizing committee for the Games of the issues in early December and gave them 15 days to respond and 45 days to fix the problem, but received no reply.

"China has a history of undermining encryption technology to perform political censorship and surveillance," Knockel wrote.

"As such, it is reasonable to ask whether the encryption in this app was intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence," he continued, adding that "the case for the Chinese government sabotaging MY2022's encryption is problematic."

The flaws affect SSL certificates, which allow online entities to communicate securely.

MY2022 doesn't validate SSL certificates, meaning other parties could access the app's data, while data is transmitted without the encryption that SSL normally provides, Knockel wrote.
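
The two defects described above, missing certificate validation and data sent without encryption, shown as an added example that is not taken from the Citizen Lab report or from the app's code: a Python check that flags both in a client's TLS settings. The endpoint URLs and function names are constructed for illustration.

```python
import ssl
from urllib.parse import urlsplit

def insecure_context() -> ssl.SSLContext:
    """TLS client settings that accept any certificate for any host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # server certificate is never validated
    return ctx

def hardened_context() -> ssl.SSLContext:
    """Library defaults: chain verified against the trust store, hostname checked."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the validation gaps in a client context (empty list means none found)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    return findings

def audit_endpoint(url: str, ctx: ssl.SSLContext) -> list:
    """Flag cleartext endpoints first; otherwise report the context's gaps."""
    if urlsplit(url).scheme.lower() != "https":
        return ["data is sent without TLS"]
    return audit_context(ctx)

# Constructed sample endpoints (hypothetical, not the app's real hosts).
SAMPLE_ENDPOINTS = [
    "https://health.example.invalid/api/declaration",
    "http://media.example.invalid/voice/upload",
]

def report(ctx: ssl.SSLContext) -> dict:
    return {url: audit_endpoint(url, ctx) for url in SAMPLE_ENDPOINTS}

if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()),
                      ("hardened", hardened_context())):
        for url, findings in report(ctx).items():
            print(name, url, findings or ["ok"])
```

Even with hardened TLS settings, the `http://` endpoint is still flagged, because certificate validation cannot protect traffic that never uses TLS.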

While the app is transparent about the medical information it collects as part of China's efforts to screen Covid-19 cases, he said "it is unclear with whom or which organization(s) it shares this information."

MY2022 also contains a list called "illegalwords.txt" of "politically sensitive" phrases in China, many of which relate to China's political situation or its Tibetan and Uighur Muslim minorities.

These include keywords like "CCP evil" and Xi Jinping, China's president, though Knockel said it was unclear if the list was being actively used for censorship purposes.

Because of these features, the app may violate both Google and Apple policies around smartphone software, and "also China's own laws and national standards pertaining to privacy protection, providing potential avenues for future redress," he wrote.

W.Matthews--TFWP