Olympic app riddled with problems that the IOC says are not problems

I’ve been contemplating this article for several days, and I did write it up in the show notes for the upcoming Security Box podcast.

The problem is that we really haven’t covered Olympic security, although there may have been a mention in podcast 47, since “Olympic” did turn up one result.

Be that as it may, this is probably going to be the biggest thing I think we’ve covered, even if the show notes and other material from older podcasts may have been lost.

In today’s article, we’re going to talk about an app called “MY2022,” which the IOC is touting as being just fine, and which the people the IOC had look at it told them is fine.

One of our DJs here at the Mix contacted me regarding this, as he heard about it briefly through WGN in Chicago. I remember talking about this in other contexts which I can’t find at the moment; it reminded me of stories such as ones covering websites offering malicious Flash players to watch the games, and other stories of that type.

The article this time is titled “Toronto lab finds security vulnerabilities, censorship framework in Olympic app” and it comes from the CBC in Canada.

Researchers at a Toronto-based tech laboratory have uncovered security vulnerabilities and censorship frameworks in an app all 2022 Beijing Olympics attendees must use.

The Citizen Lab, a research institute at the University of Toronto’s Munk School of Global Affairs and Public Policy that studies spyware, found a “simple but devastating” flaw in the MY2022 app that makes audio files, health and customs forms transmitting passport details, and medical and travel history vulnerable to hackers.

Researcher Jeffrey Knockel found MY2022 does not validate some SSL certificates, digital infrastructure that uses encryption to secure apps and ensures no unauthorized people can access information as it is transmitted.

This failure to validate means the app can be deceived into connecting with malicious hosts it mistakes as being trusted, allowing information the app transmits to servers to be intercepted and attackers to display fake instructions to users.

“The worst-case scenario is that someone is intercepting all the traffic and recording all the passport details, all the medical details,” said Knockel, a research associate, who investigated the app after a journalist curious about its security functions approached him.
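As an added illustration, not code from the article, from the app or from Citizen Lab: in a Python TLS client, the failure described above looks like a context with certificate verification switched off. The block below shows that weak configuration beside a validating one, plus a small audit helper (`audit_tls_context`, a name chosen here) that flags the weak settings a reviewer would look for.

```python
import ssl
from typing import List


def insecure_client_context() -> ssl.SSLContext:
    """Weak configuration (constructed for this example): the client accepts
    any certificate, so a host presenting a fake certificate for the app's
    servers is never rejected and can read or rewrite the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be switched off before verify_mode may be CERT_NONE;
    # doing it in the other order raises ValueError.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Validating configuration: chain checked against the system trust
    store, hostname matched against the certificate, old TLS refused."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses found in a client context (empty list = none)."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate chain is not verified (CERT_NONE)")
    elif ctx.verify_mode == ssl.CERT_OPTIONAL:
        findings.append("certificate is optional (CERT_OPTIONAL)")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_tls_context(ctx) or ["no findings"])
```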

According to the article, the organizers are requiring every single person to download this application.

The researchers also mentioned that the app sends highly sensitive data, but it is unclear who receives that data. This is concerning, as later in the article we learn that the IOC says it had people check the app and also asked for the research paperwork.

The January update indicates that the claims discussed in the article have not changed, and that the situation may be worse now.

The article also talks about a keyword list, which may or may not be active, covering Jews and other topics being censored, though this is not proven. But the real kicker for this discussion is the following paragraph.

The IOC noted it has conducted independent third-party assessments on MY2022 with two cyber-security testing organizations and found there are no critical vulnerabilities in the app.

Really? You’ve done independent reviews and this has not come up? How could this be?

Not surprisingly:

The Beijing Organizing Committee did not respond to a request for comment.

While we’re at it, there’s plenty more, so I suggest that you read the article. Every time I think about this, the angrier I get, as the IOC claims it’s their app and yet wants to claim ignorance.

Oh yes, did I mention the SSL issues they talked about too? Probably not, but that’s OK, it’s covered in the article.

Let the comments begin.
