China’s MY2022 App Could Do More Than Trace COVID-19 Exposure

Researchers at The Citizen Lab at the University of Toronto dug into the MY2022 COVID-19 exposure tracing application mandated for use by attendees and participants in the Beijing Winter Olympic Games—and what they found wasn’t pretty.

The app is required to be used by any member of the press, athlete and/or delegation attending the Olympic games, which are scheduled to begin Feb. 4. The application is the avenue by which visitors “submit required health customs information for those visiting China from abroad, which includes submitting passport details, demographic information, as well as travel and medical histories,” the Citizen Lab researchers explained. Additionally, the app enables users to engage in “real-time chat, voice audio chat, file transfers, as well as [receive] news and weather updates about the Olympic Games,” they said.

The app will include COVID-19-related health monitoring as defined in the Olympic Playbook and attendees are required to download it 14 days prior to arrival so that the individual’s health may be monitored. Participants are required to have a daily COVID-19 screening and the results are shared. The app will associate individuals in proximity to the user for the purpose of contact tracing, if necessary. This may sound innocuous and even necessary. But key findings from The Citizen Lab effort show serious security risks within the app that may allow it to be used for other, more nefarious purposes:

  1. A flawed design makes sidestepping device encryption trivial
  2. The app lacks disclosure about sharing of sensitive health data
  3. The app includes a censorship keyword list and a means to report ‘politically sensitive content’
  4. It appears to violate not only China’s but both Apple’s and Google Play’s privacy standards

“From an application security perspective, it fails to do two critical things that leave the users of the app—all participants, press and attendees—at risk. Even from the perspective of domestic Chinese privacy laws, it is a real issue,” said Cymulate’s cyber evangelist David Klien. “For starters, it doesn’t validate SSL certificates. This fundamental error means data can be injected, redirected and manipulated by anyone. This means easily spoofed messages, malicious code injection and data extracted from users of the app,” Klien said. The app also handles sensitive data, including voice, file transfers and PII such as passports, health records and geolocation, among other things, he added. “The app fails to protect the data with encryption, meaning reading and manipulating the data in transit can be easily accomplished. If the first vulnerability existed but not this second one—it would make data extraction/manipulation difficult. This makes it relatively easy.”
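The two failures Klien describes, trusting certificates that should be rejected and letting data travel without encryption, usually live in an app's own TLS code, but on Android the declarative network security config is the first place a reviewer checks, because a single attribute there can permit plain HTTP or trust user-installed CAs for the whole app. The following added example is not from the Citizen Lab report or the article; it audits two constructed configs, a weak one and a hardened counterpart (the hostname and pin digest are placeholders), and returns the findings a defender would want flagged.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (hypothetical; not the MY2022 app's actual file):
# plain HTTP allowed everywhere and user-installed CAs trusted, which lets any
# CA a user or attacker adds to the device intercept the app's traffic.
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Constructed hardened counterpart: HTTPS only, system CAs only, and a pin-set
# for the API host. Hostname and pin digest are placeholders, not real values.
HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.invalid</domain>
        <pin-set>
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
"""


def audit_network_security_config(xml_text):
    """Return a list of human-readable findings for an Android
    network_security_config.xml; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != "network-security-config":
        return ["root element is not <network-security-config>"]

    # Without a <base-config>, the cleartext default depends on the app's
    # targetSdkVersion (permitted below API 28), so call that out explicitly.
    if root.find("base-config") is None:
        findings.append("no <base-config>: cleartext default depends on "
                        "targetSdkVersion (permitted below API 28)")

    for section in root:
        if section.tag == "base-config":
            scope = "base-config"
        elif section.tag == "domain-config":
            domains = [d.text.strip() for d in section.findall("domain") if d.text]
            scope = "domain-config[%s]" % ",".join(domains)
        elif section.tag == "debug-overrides":
            # Only active in debuggable builds, but worth confirming release
            # builds really are not debuggable.
            findings.append("debug-overrides present: confirm release builds "
                            "are not debuggable")
            continue
        else:
            continue

        # Plain HTTP means the data Klien lists (passports, health records,
        # location) crosses the network unencrypted.
        if section.get("cleartextTrafficPermitted", "").lower() == "true":
            findings.append("%s: cleartext (plain HTTP) traffic permitted" % scope)

        # iter() also covers nested <domain-config> blocks inside this section.
        for cert in section.iter("certificates"):
            if cert.get("src") == "user":
                findings.append("%s: user-installed CAs trusted" % scope)
            if cert.get("overridePins", "").lower() == "true":
                findings.append("%s: overridePins=true lets this trust anchor "
                                "bypass the pin-set" % scope)
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_network_security_config(cfg) or ["no findings"])
```

The audit is deliberately declarative-only: an app can still defeat certificate validation in code (a permissive TrustManager or hostname verifier), so a clean config is necessary but not sufficient, and the code-level review Citizen Lab performed remains the decisive check.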

Various countries are preparing their athletes (and their privacy) for travel to China in different ways. Australia, for example, is issuing burner phones to their delegation and athletes and strongly suggesting travelers not take any personal digital devices with them. The burner device may then be configured to comply with the MY2022 app mandate and, thus, if individuals are compromised, the blast radius is limited by the amount of data on the device. Other countries, including the U.S., warned attendees that their devices may be compromised and to act accordingly.

The Beijing Olympic committee responded by saying the warnings about the MY2022 app are “… completely groundless and these concerns are wholly unnecessary.” Based on personal experience, my advice for athletes is simple: “Only take to China what you are comfortable leaving in China.”

Enjoy the Olympic Games.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.
