IOC challenges Citizen Lab’s security concerns over Chinese Olympics app



The International Olympic Committee has defended MY2022, the Chinese Olympics app, following a report by Citizen Lab that revealed serious privacy issues with the platform.

All participants in the 2022 Olympics in Beijing must download and use the app, but Citizen Lab released a report on Monday stating that a “simple but devastating flaw” allows the encryption protecting users’ voice and file transfers to be “trivially circumvented.”

Passport details, demographic information, and medical/travel history in health customs forms are also vulnerable, according to Citizen Lab. According to the report, server responses can be spoofed, allowing an attacker to display false instructions to users.

The MY2022 app also allows users to flag “politically sensitive” content and includes a list of censorship keywords involving topics such as Xinjiang and Tibet.

Citizen Lab noted that the app may violate Google’s Unwanted Software Policy, Apple’s App Store Guidelines, and China’s own national privacy laws and standards. Google and Apple did not respond to requests for comment.

The report caused widespread outrage as the thousands of people attending the games will have no choice but to download the app if they want to represent their country.

In comments to ZDNet, the International Olympic Committee defended the app and downplayed the seriousness of the issues Citizen Lab discovered.

A spokesperson justified the app’s security vulnerabilities by saying that due to the COVID-19 pandemic, “special measures” needed to be put in place to “protect Olympic and Paralympic Games participants from Beijing winter 2022 and the Chinese people”.

“Therefore, a closed-loop management system has been implemented… The ‘My2022’ app supports the health monitoring function. It is designed to ensure the safety of Games-related personnel in the ‘closed-loop environment’,” the IOC said.

The IOC also defended the app, saying it had received approval from the Google Play Store and the App Store.


“The user controls what the ‘My2022’ app can access on their device. They can already change the settings when installing the app or at any time afterwards. It is not mandatory to install ‘My 2022’ on mobile phones, as accredited personnel can log into the health monitoring system on the webpage instead,” the IOC said.

“The IOC has conducted independent third-party assessments of the application from two cybersecurity testing organizations. These reports have confirmed that there are no critical vulnerabilities.”

Ron Deibert, director of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs & Public Policy, told ZDNet that the IOC’s comments do not address the serious security vulnerabilities discovered and reported by the organization.

“As of today, neither has the app vendor. In fact, the app vendor has not responded to our vulnerability disclosure at all, and the latest version of the app, unfortunately, still includes the vulnerabilities,” Deibert noted.

“The IOC has a responsibility to ensure user privacy and security for all applications and systems used during the Olympic Games. The IOC’s comments suggest that instead of taking this responsibility seriously, they actually hope to minimize the risks.”

DW was the first to report the vulnerabilities, and multiple news outlets noted that the US, UK, Australia and Germany have urged their citizens to leave all personal devices and laptops at home, fearing that they will be hacked or monitored by the Chinese government both during the games and once they return home. The Dutch Olympic Committee has already banned its citizens from bringing their devices to the games.

Some experts said the vulnerabilities would also give hackers a way to steal sensitive personal information. The Beijing 2022 Organizing Committee, however, told USA Today that personal information collected by Beijing 2022 “will not be disclosed unless disclosure is necessary.”

“Information from accredited media representatives will only be used for purposes related to the Olympic and Paralympic Winter Games,” the Beijing 2022 Organizing Committee said.

The games begin on February 4.

