Athletes from multiple countries are being told to leave their mobile phones at home and use burner phones for the upcoming Olympics in Beijing amid security concerns.
The Netherlands, the USA and Great Britain's Olympic Associations have all advised its travelling athletes to avoid using their own mobile devices over fears of surveillance, spyware attacks and private information extraction.
And, according to a research paper released by cybersecurity group Citizen Lab, those worries aren't unwarranted and may not even be enough to protect athletes.
The Canadian researchers, who are based at the University of Toronto, have found multiple concerns over the app that all those attending the Olympics must use.
"MY2022, an app mandated for use by all attendees of the 2022 Olympic Games in Beijing, has a simple but devastating flaw where encryption protecting users’ voice audio and file transfers can be trivially sidestepped," Citizen Lab wrote.
"Forms which transmit passport details, demographic information, and medical and travel history are also vulnerable. Server responses can also be spoofed, allowing an attacker to display fake instructions to users."
While MY2022 is "fairly straightforward" regarding the data it says it collects, there are concerns over a lack of clarity regarding who it shares that information with, particularly highly sensitive medical information.
MY2022 also includes features allowing users to report politically sensitive content. Researchers also found a file that listed 2,442 politically sensitive words in China, including Tibet, Falun Gong and Tiananmen Square references.
"The app contains code functions designed to apply this list toward censorship, although at present these functions do not appear to be called," Citizen Lab wrote.
Citizen Lab contacted the creator of the program, giving them 15 days to respond to its findings and 45 days to fix the issues before publicly disclosing them - but the vendor failed to do so.
In fact, the latest update released just a few days ago introduced new functionality, 'Green Health Code', which asks for travel document information and medical history, and is equally as vulnerable as other data.
Those security deficits could be against mobile phone app store policies and even the law, according to Citizen Lab.
"We find that the app’s security deficits may not only violate Google’s Unwanted Software Policy and Apple's App Store guidelines but also China's own laws and national standards pertaining to privacy protection."
