

Mandatory Chinese Olympics app has 'devastating' encryption flaw: analyst
An app all attendees of the upcoming Beijing Olympics must use has encryption flaws that could allow personal information to leak, a cyber security watchdog said Tuesday.
The "simple but devastating flaw" in the encryption of the MY2022 app, which is used to monitor Covid and is mandatory for athletes, journalists and other attendees of the games in China's capital, could allow health information, voice messages and other data to leak, warned Jeffrey Knockel, author of the report for Citizen Lab.
The International Olympic Committee responded to the report by saying users can disable the app's access to parts of their phones and that assessments from two unnamed cyber security organizations "confirmed that there are no critical vulnerabilities."
"The user is in control over what the... app can access on their device," the committee told AFP, adding that installing it on cellphones isn't required "as accredited personnel can log on to the health monitoring system on the web page instead."
The committee said it had asked Citizen Lab for its report "to understand their concerns better."
Citizen Lab said it notified the Chinese organizing committee for the Games of the issues in early December and gave them 15 days to respond and 45 days to fix the problem, but received no reply.
"China has a history of undermining encryption technology to perform political censorship and surveillance," Knockel wrote.
"As such, it is reasonable to ask whether the encryption in this app was intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence," he continued, adding that "the case for the Chinese government sabotaging MY2022's encryption is problematic."
The flaws concern how the app handles SSL certificates, which allow online entities to communicate securely.
MY2022 doesn't authenticate SSL certificates, meaning other parties could access the app's data, and data is transmitted without the encryption that SSL normally provides, Knockel wrote.
While the app is transparent about the medical information it collects as part of China's efforts to screen Covid-19 cases, he said "it is unclear with whom or which organization(s) it shares this information."
MY2022 also contains a list called "illegalwords.txt" of "politically sensitive" phrases in China, many of which relate to China's political situation or its Tibetan and Uighur Muslim minorities.
These include keywords like "CCP evil" and Xi Jinping, China's president, though Knockel said it was unclear if the list was being actively used for censorship purposes.
Because of these features, the app may violate both Google and Apple policies around smartphone software, and "also China's own laws and national standards pertaining to privacy protection, providing potential avenues for future redress," he wrote.
S.Gregor--AMWN