Cross-country Exposure: New Citizen Lab Report Finds Security Flaws in China’s Mandatory Winter Olympics App

January 18, 2022

On January 18, researchers from the Munk School’s Citizen Lab released a report analyzing MY2022, a mandatory app that athletes will use during the 2022 Winter Olympic Games in Beijing. The app, which Games attendees are required to download 14 days before their departure for Beijing, is part of China’s plan to mitigate the spread of COVID-19 and track outbreaks. Each attendee must monitor and submit their health status to the app on a daily basis.

The analysis uncovered a number of security shortcomings in the app, including a “simple but devastating” encryption flaw that leaves sensitive information like voice audio files, passport information, and medical history vulnerable. Researchers also found that the app’s server responses can be spoofed, allowing hackers to display fake instructions to users.

Though the report comes just weeks before the opening ceremony on February 4, Citizen Lab says it disclosed the security flaws to the Beijing Organizing Committee in early December. It has not received a response, and a software update to the MY2022 app failed to amend the issues. According to the New York Times, failure to fix the app’s security flaws likely puts MY2022 in breach of China’s personal data protection laws, as well as the privacy policies of Google’s and Apple’s app stores.
