What if the “My 2022” application served diplomatic purposes more than health ones? In recent days, several media outlets have reported the following: the system set up for the Beijing Olympics could spy on its users. As a reminder, the app is used in particular to monitor the health status of the participants, who will remain in the bubble set up by Beijing to avoid the transmission of Covid-19 to the rest of the country. These accusations come from a student researcher, Jonathan Scott, who posted a long thread about it on Twitter. Scott, who considers himself the “best hacker in the world”, is followed by more than 20,000 people. Hence the reach of his conclusions, published on January 26: “I can definitively say that all the audio of the Olympic athletes is collected, analyzed and saved on Chinese servers using technology used by an artificial intelligence company blacklisted by the United States.”
The “My 2022” application was developed by a public company and was initially based on technology developed by iFlyTek. The latter is responsible for monitoring the Uyghur population in Xinjiang province, which is the target of severe repression by the Chinese Communist Party. Note that the US government had blacklisted iFlyTek due to human rights and security concerns. As for the “My 2022” application itself, it is mainly intended for athletes, support staff, senior officials or the journalists concerned. In the International Olympic Committee’s guide for Olympic Games participants, the organization states that all athletes traveling to Beijing from outside the country must download the application and use its “Health Monitoring System” fourteen days before their departure for China and for the duration of their stay.
Users must enter data on their state of health, their vaccination status and the results of their Covid tests, as well as information relating to their movements and their passport, into the application on a daily basis. When he talks about the application, Jonathan Scott does not mince his words and denounces a “violation of human rights.” He even goes so far as to call the application “spyware”. However, these statements should be taken with a grain of salt, because the conclusions of this student researcher in computer science remain unsupported by evidence. Above all, Jonathan Scott is taking advantage of the wave of panic caused by the results of a report published on January 18 by researchers from Citizen Lab, a team based at the University of Toronto. Their analysis revealed that the “My 2022” app had the potential to be infiltrated by hackers, in addition to raising censorship issues.
Security vulnerabilities?
While users are required to provide sensitive information on the app, it remains unclear where that information will be stored and how it can be accessed, according to the report. Researchers are concerned that malicious actors could impersonate a server to access these files. This could allow the attacker, for example, to “read a victim’s sensitive demographic, passport, travel, and medical information sent in a customs health declaration or send malicious instructions to a victim after completing a form,” the report said. Second, the app does not encrypt some sensitive data at all. In effect, this means that certain sensitive information within the app, “including the names of message senders and recipients and their user account IDs”, is transmitted without any protection.
“This data can be read by any passive eavesdropper, such as someone within range of an unsecured wifi hotspot, someone operating a wifi hotspot, or an internet service provider or another telecommunications company,” the report continues. Questioned by AFP after the publication of the Citizen Lab report, Yu Honga, technical manager of the Organizing Committee of the Games, rejected any possibility of data capture. In addition, she assured that the security flaws had been fixed in a previous update. On the American side, the conclusions of this report are taken very seriously.
Based on these findings, the FBI warned that the app could pose a security risk to participants, much like other commonly used programs such as digital wallets. Such apps could be used by attackers to “steal personal information or install tracking tools, malicious code or malware,” the agency said. One thing is certain: the doubts surrounding the Chinese application add a little more strain to the atmosphere around these Olympic Games, which are already under high tension.