Security concerns about the phone app that athletes and all other attendees at the Beijing Winter Olympics are required to use have some governments advising that anyone attending the Games leave his or her smartphone and other electronic devices at home and use a burner phone instead.
A recent report from the cybersecurity group Citizen Lab based at the University of Toronto concludes that the My 2022 app being supplied by the Chinese government has several security flaws, including a failure to encrypt many files.
The official Beijing Olympics Playbook that is up on the International Olympic Committee website warns that anyone coming to the Winter Olympics must download the app at least 14 days before flying to China and provide health updates daily. Users are also required to upload other sensitive personal information besides health records, including passport data and travel history.
Furthermore, My 2022 has features that allow users to report “politically sensitive” content. The Citizen Lab report notes, “The app also includes a censorship keyword list, which, while presently inactive, targets a variety of political topics including domestic issues such as Xinjiang and Tibet, as well as references to Chinese government agencies.”
Bundled with the app is a file named “illegalwords.txt” that includes 2,422 terms the Chinese Communist Party authorities do not want discussed. Examples include the “Tiananmen Riot” and the “Dalai Lama,” among many others.
Under China’s national security laws, the government can demand access to any information stored on an electronic device. In the name of national security matters, public health, or criminal investigations, Chinese officials can disclose personal information without user consent.
What makes My 2022 especially pernicious is that, according to Citizen Lab, the app fails to validate SSL certificates. This means a malicious party could impersonate a trusted server, the app would accept it as genuine, and the content transmitted could then be intercepted.
Moreover, some sensitive data is transmitted without encryption or any security whatsoever.
The intentionally shoddy security of the My 2022 app could make it easy for hackers to steal bank information and work-related information from a personal device brought to China.
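The certificate-validation failure Citizen Lab describes is easy to reproduce in miniature. The following Go program is an added example written for this page; it is not code from the My 2022 app, from Citizen Lab, or from the Olympic organisers. It starts a loopback HTTPS server presenting a self-signed certificate that no trusted root vouches for (the `net/http/httptest` fixture, standing in for a spoofed host) and then connects three ways: a client with verification switched off, which accepts the impostor; Go's default client, which rejects it; and a client that explicitly trusts only the server's real certificate, which succeeds. The handler body and the hypothetical names `RunDemo`, `DemoResult`, `nonValidatingClient`, `defaultClient` and `pinnedClient` are constructed for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// DemoResult records how each client configuration treated a server whose
// certificate is not signed by any CA the client trusts.
type DemoResult struct {
	WeakBody   string // what the non-validating client received
	WeakErr    error  // nil means it accepted the untrusted server
	StrictErr  error  // non-nil means default validation rejected the server
	PinnedBody string // what the explicitly pinned client received
	PinnedErr  error  // nil means the legitimate certificate was trusted
}

// newUntrustedServer starts a loopback HTTPS server that presents httptest's
// built-in self-signed certificate (a constructed fixture). No system root
// vouches for it, so it models the spoofed host described in the article.
func newUntrustedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "health-report-ack") // constructed response body
	}))
}

// fetch performs one GET with the given client and returns the body text.
func fetch(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// nonValidatingClient mirrors the flaw: certificate checks are disabled, so
// any server that speaks TLS is accepted, whoever actually operates it.
func nonValidatingClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // the defect
	}}
}

// defaultClient relies on Go's default chain and hostname validation
// against the system root store.
func defaultClient() *http.Client {
	return &http.Client{Transport: &http.Transport{}}
}

// pinnedClient trusts exactly one certificate: the one the genuine backend
// uses. A spoofed host with a different certificate would be rejected.
func pinnedClient(trusted *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}
}

// IsCertVerificationError reports whether an HTTP error was caused by the
// certificate chain or hostname check, as opposed to a network failure.
func IsCertVerificationError(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	return errors.As(err, &unknownCA) || errors.As(err, &badName)
}

// RunDemo talks to the untrusted server with all three clients.
func RunDemo() DemoResult {
	srv := newUntrustedServer()
	defer srv.Close()
	var r DemoResult
	r.WeakBody, r.WeakErr = fetch(nonValidatingClient(), srv.URL)
	_, r.StrictErr = fetch(defaultClient(), srv.URL)
	r.PinnedBody, r.PinnedErr = fetch(pinnedClient(srv.Certificate()), srv.URL)
	return r
}

func main() {
	r := RunDemo()
	fmt.Printf("no validation : body=%q err=%v\n", r.WeakBody, r.WeakErr)
	fmt.Printf("default roots : err=%v (certificate error: %t)\n", r.StrictErr, IsCertVerificationError(r.StrictErr))
	fmt.Printf("pinned cert   : body=%q err=%v\n", r.PinnedBody, r.PinnedErr)
}
```

The single line that turns the hardened client into the vulnerable one is `InsecureSkipVerify: true`; in a code review or a static scan of an app that handles passport and health data, that setting (or its equivalent in another platform's TLS API) is the first thing to look for. Pinning, as in `pinnedClient`, goes one step further than the default: even a certificate that some public CA would sign is refused unless it is the one the app expects.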
Making It as Easy as Possible
What the news articles about My 2022 fail to mention is that this is not anything unusual in China or specific to the Winter Olympics and COVID-19.
Savvy international visitors to China have long been well aware that, if their activities are of any interest to the Chinese authorities, everything they do while in that country is likely to be monitored. It starts with cameras and listening devices in their hotel rooms and interceptions of voice and data messages.
If a visitor leaves a computer or other electronic device with sensitive information in their room when they go out, the contents are likely to soon be in the possession of a Chinese public security officer.
In an article entitled “China Cyber Hacking: The Full Story” posted on the China Law Blog website, Dan Harris and Arlo Kipfer, two attorneys at the international law firm Harris Bricken, spell it out in simple terms: “The government seeks to ensure all network activity conducted within China is transparent to the state.
Chinese nationals and foreigners are treated absolutely alike in this respect. The Chinese government will hack them regardless of their nationality, bank account balance, or social position.
In fact, any transaction done with a government office, bank, or most any company must use an app into which the PRC has embedded malware allowing it access.
The reason Gmail was banned in China is that the government wants everyone to communicate by WeChat, which it can readily monitor. Even foreign companies must use WeChat when they deal with government offices or banks. Such malware-ridden software is also required for mandatory anti-virus and tax filing programs.
Intellectual Property Piracy
Back doors are also routinely installed in network hardware so that the government can surreptitiously enter a company’s network systems at will. That, of course, makes it easy to steal technologies and other IP it is interested in.
WeChat and other such communications apps are highly insecure by design. That is not because the Chinese government wishes to see outside hackers attack foreign companies or private individuals. It is because it wants to make its own job of hacking as easy as possible.
As the China Law Blog article concludes: “The only question is whether the Chinese government is interested or not. If they are interested, they will succeed. There is no place to hide.”
Ironically, the image caption for the My 2022 app is “Together for a Shared Future.”
The relevant question is, “Who will be sharing your data in the future?”
Author: John Carroll
John Carroll is a JAPAN Forward contributor.