Beijing Olympics App Flaws Allow Man-in-the-Middle Attacks

The mobile app that all attendees and athletes of the upcoming Beijing Winter Olympics must use to manage communications and documentation at the event has a “devastating” flaw in the way it encrypts data that can allow for man-in-the-middle attacks that access sensitive user information, researchers have found. MY2022 is an app mandated for use by all attendees – including members of the press and athletes – of the 2022 Olympic Games in Beijing. The problem is, it poses a significant security risk because the encryption used to protect users’ voice audio and file transfers “can be trivially sidestepped” due to two vulnerabilities in how it handles data transport, according to a blog post from Citizen Lab posted online Tuesday. Additionally, “server responses can also be spoofed, allowing an attacker to display fake instructions to users,” Citizen Lab’s Jeffrey Knockel wrote in the post. MY2022 collects info such as health customs forms that transmit passport details, demographic information, and medical and travel history, which are vulnerable due to the flaw, he said. It’s also not clear with whom or which organizations this info is shared. MY2022 also includes a feature that allow users to report “politically sensitive” content, as well as a censorship keyword list. While the latter is “presently inactive,” it targets a variety of political topics, including domestic issues such as Xinjiang and Tibet as well as references to Chinese government agencies, Knockel wrote….