TORONTO – Researchers at a Toronto-based tech laboratory have uncovered security vulnerabilities and censorship frameworks in an app all 2022 Beijing Olympics attendees must use.
The Citizen Lab, a research institute at the University of Toronto’s Munk School of Global Affairs and Public Policy that studies spyware, found a “simple but devastating” flaw in the MY2022 app that makes audio files, health and customs forms transmitting passport details, and medical and travel history vulnerable to hackers.
Researcher Jeffrey Knockel found MY2022 does not validate some SSL certificates, digital infrastructure that uses encryption to secure apps and ensures no unauthorized people can access information as it is transmitted.
This failure to validate means the app can be deceived into connecting with malicious hosts it mistakes as being trusted, allowing information the app transmits to servers to be intercepted and attackers to display fake instructions to users.
“The worst case scenario is that someone is intercepting all the traffic and recording all the passport details, all the medical details,” said Knockel, a research associate, who investigated the app after a journalist curious about its security functions approached him.
Olympic organizers have required all games attendees, including athletes, spectators and media members, to download and start using the MY2022 app for submitting health and customs information like COVID-19 test results and vaccination status at least 14 days ahead of their arrival in China.
Source: Toronto Daily Star
Date: January 19th, 2022
- "MY2022 does not validate some SSL certificates, digital infrastructure that uses encryption to secure apps and ensures no unauthorized people can access information as it is transmitted."
SSL = Secure Sockets Layer (the modern versions of the same protocol are called TLS, Transport Layer Security)
"does not validate some SSL certificates" = the app doesn't check that the certificate the server presents is actually valid (issued by an authority the device trusts, for the right host name, and not expired). That means someone sitting in the network path could present a fake certificate; because the app never checks it, the app accepts it, encrypts its traffic to the impostor, and carries on as if it were talking to the real server. The attacker can then read everything the app sends (passport, health and travel details) and send back fake instructions that the app displays to the user.
Explain this to students
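To make the failure concrete for students, here is an added demonstration written for this page in Go (it is not MY2022's code and not anything from the Citizen Lab report). It starts two local HTTPS servers: a "legitimate" one using the Go test certificate, and an "impostor" presenting a self-signed certificate constructed on the spot for 127.0.0.1, standing in for an attacker in the network path. A client that skips certificate validation (the flaw described above) accepts both servers; a client that validates against a pinned copy of the legitimate certificate accepts only the real one and rejects the impostor with an "unknown authority" error. The server names, response bodies and function names are all invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"log"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// impostorCert builds a self-signed certificate for 127.0.0.1 (constructed for the
// demo). It plays the certificate an on-path attacker would present: correctly
// formed for the address being contacted, but issued by nobody the client trusts.
func impostorCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "attacker-in-the-middle (constructed)"},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startServer starts a local HTTPS server answering every request with body.
// A nil cert means "use httptest's own self-signed test certificate".
func startServer(body string, cert *tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, body)
	}))
	srv.Config.ErrorLog = log.New(io.Discard, "", 0) // rejected handshakes are expected; keep stderr quiet
	if cert != nil {
		srv.TLS = &tls.Config{Certificates: []tls.Certificate{*cert}}
	}
	srv.StartTLS()
	return srv
}

// get performs one HTTPS GET with the given client TLS settings and returns the
// error, if any; a certificate the client refuses surfaces here as a handshake error.
func get(url string, cfg *tls.Config) error {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

// Untrusted reports whether err is the "certificate signed by unknown authority"
// failure a validating client raises against the impostor.
func Untrusted(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// Outcome records whether one client configuration accepted each server.
type Outcome struct {
	LegitAccepted    bool
	ImpostorAccepted bool
	ImpostorErr      error
}

// Run contacts the legitimate server and the impostor with two client configurations:
// one with validation switched off (the MY2022-style flaw) and one that pins the
// legitimate server's certificate as its only trust root.
func Run() (Outcome, Outcome, error) {
	var broken, strict Outcome
	legit := startServer("health form accepted", nil)
	defer legit.Close()
	cert, err := impostorCert()
	if err != nil {
		return broken, strict, err
	}
	impostor := startServer("fake instructions from the attacker", &cert)
	defer impostor.Close()

	// Broken client: InsecureSkipVerify disables certificate checking entirely,
	// so the impostor's certificate is accepted just like the real one.
	brokenCfg := &tls.Config{InsecureSkipVerify: true}
	broken.LegitAccepted = get(legit.URL, brokenCfg) == nil
	broken.ImpostorErr = get(impostor.URL, brokenCfg)
	broken.ImpostorAccepted = broken.ImpostorErr == nil

	// Strict client: trust only the legitimate server's certificate (pinning).
	roots := x509.NewCertPool()
	roots.AddCert(legit.Certificate())
	strictCfg := &tls.Config{RootCAs: roots}
	strict.LegitAccepted = get(legit.URL, strictCfg) == nil
	strict.ImpostorErr = get(impostor.URL, strictCfg)
	strict.ImpostorAccepted = strict.ImpostorErr == nil
	return broken, strict, nil
}

func main() {
	broken, strict, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("no validation: legit=%v impostor=%v\n", broken.LegitAccepted, broken.ImpostorAccepted)
	fmt.Printf("validating:    legit=%v impostor=%v (%v)\n", strict.LegitAccepted, strict.ImpostorAccepted, strict.ImpostorErr)
}
```

The point to draw out for students is in the two client configurations: they differ by a single setting, and with validation off the client never learns that the party at the other end of its encrypted tunnel is not the real server. Encryption alone does not help if the app cannot tell whose key it encrypted to. The pinned-root client also shows the check a defender expects: an unrecognised certificate is a hard failure, not something the app quietly carries on past.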
- What is your advice to Olympic athletes, who are required to download this app to be able to be at the Olympics?
Answer: burner phone and burner laptop, used only for the Games, and don't use them for anything you don't want to be publicly shared. Keep the app off the devices that hold your personal accounts and data.