Background
When abroad, travelers are often caught up with their itinerary and enjoying their new surroundings. Cybersecurity is the last thing on their mind. For those at the 2022 Beijing Winter Olympics, this is a cause for concern. This event will be used to explore the dangers to privacy and data when abroad.
Issue
All attendees (athletes, coaches, audience members) at the Games must download an app called MY2022 to declare their health status [1]. The main function of this app is to collect medical information for health monitoring, to reduce the spread of the COVID-19 virus. An abundance of personal data, such as addresses, flight details, names, and phone numbers, is passed through this app.
However, the MY2022 app has two significant flaws: failure to validate SSL certificates, and failure to encrypt sensitive data. These allow for vulnerabilities in data transmission.
The MY2022 app fails to validate SSL certificates. This means that although the connection to a host is encrypted, the app has no assurance that it is the intended host: it may in fact be an attacker intercepting traffic between the user and the server. The app can be ‘tricked’ into transmitting to a malicious host, which can result in the compromise of confidential files or information.
The MY2022 app also fails to encrypt sensitive data before transmission. It was discovered that sensitive data is transmitted without any SSL encryption or any type of security at all [3]. This means that the information being transmitted through the application can be read by anyone in range of an unsecured wifi access point, by whoever operates a wifi hotspot, and by the ISP or telecommunications company carrying the traffic.
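Both flaws described above, written as the client-side TLS settings that produce them and a check that flags each one. This is an added example, not code from the MY2022 app or from the cited analysis; the endpoint URLs and function names are constructed for illustration.

```python
import ssl
from urllib.parse import urlsplit


def non_validating_context() -> ssl.SSLContext:
    """Encrypts the channel but accepts any certificate from any host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # chain is never checked, so an interceptor's cert passes
    return ctx


def validating_context() -> ssl.SSLContext:
    """Library defaults: chain verified against the trust store, hostname matched."""
    return ssl.create_default_context()


def audit(url: str, ctx: ssl.SSLContext) -> list[str]:
    """Return the transport weaknesses for one endpoint and its client settings."""
    if urlsplit(url).scheme.lower() != "https":
        # No TLS at all: the TLS settings never come into play.
        return ["sent in plaintext"]
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not matched to certificate")
    return findings


# Constructed sample endpoints (hypothetical hosts, not the app's real servers).
SAMPLES = [
    ("http://health.example.test/declare", validating_context()),
    ("https://health.example.test/declare", non_validating_context()),
    ("https://health.example.test/declare", validating_context()),
]

if __name__ == "__main__":
    for url, ctx in SAMPLES:
        print(url, "->", audit(url, ctx) or "ok")
```

An empty list means the connection is both encrypted and authenticated; the second sample is encrypted yet still open to interception because nothing ties the certificate to the intended host.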
Addressing the Cybersecurity Concerns
As shown above, the risks to digital privacy and cybersecurity when traveling abroad run deeper than they first appear. The most effective suggestion to protect visitors’ personal data from being accessed by malicious actors is to leave personal devices (phones, laptops) in home countries [2]. A burner phone can be used to fulfill the mandatory MY2022 app requirement. If personal devices are brought anyway, a Virtual Private Network (VPN) can also be used to encrypt internet traffic, to keep data protected from prying eyes.
There is speculation that the government intentionally sabotaged the MY2022 application's encryption for surveillance reasons. This may be due to recurring evidence of local governments using data interception technology to sniff wifi traffic [3]. China does not have an upstanding track record of respecting digital privacy. Thus, it is important to be wary of government regulations and how much respect they show for digital privacy. Furthermore, it is a reason to be cautious of using public wifi, especially unencrypted networks, and to check security protocols before connecting to them. If public wifi is absolutely needed, it would be wise to avoid accessing personal accounts or sensitive data such as banking and financial information.
The main takeaway from the MY2022 Olympics situation is that being in another country poses significant risk to cybersecurity due to the potential use of unencrypted applications and networks and non-stringent regulations that allow surveillance to occur. There are many ways to keep your digital privacy intact, with leaving devices in home countries at the top of the list, while being conscious of connecting to new networks or using VPNs. Keep yourself safe when travelling!
References
[1] Blewett, T. (2022, February 3). Don’t forget your burner phone: Why cybersecurity in China is an olympic event in itself. National Post. Retrieved February 6, 2022, from https://nationalpost.com/sports/olympics/2022-winter-olympics-china-cybersecurity-burner-phones
[2] Cybersecurity concerns, both internal and external, Run High at Beijing Olympics. Marketplace. (n.d.). Retrieved February 6, 2022, from https://www.marketplace.org/shows/marketplace-tech/cybersecurity-concerns-both-internal-and-external-run-high-at-beijing-olympics/
[3] Knockel, J. (2022, January 21). Cross-country exposure: Analysis of the MY2022 olympics app. The Citizen Lab. Retrieved February 7, 2022, from https://citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/
[4] Yahoo! (n.d.). China is watching: Olympians go to great lengths to avoid stolen data at 2022 games. Yahoo! Sports. Retrieved February 6, 2022, from https://ca.sports.yahoo.com/news/china-is-watching-olympians-go-to-great-lengths-to-avoid-stolen-data-065952595.html
Interesting post! It’s quite unfortunate that things like this are happening, and it shows that even if an app has a lot of downloads or many people using it, that doesn’t necessarily mean it’s safe. There can be vulnerabilities anywhere, and if an individual wants to remain fully safe, they should take the time to research what they’re getting into. I hope that people become aware of the issue with this app and are able to keep their data safe from attackers by taking the precautions necessary.
Hi, this was very useful information to hear about! I was always suspicious of public wifi compared to our personal wifi in our homes! With this article I learned to be even more careful with public wifi, as it could be stealing our important personal information such as email/passwords and bank information. From now on, when I do travel outside Canada, I will consider buying cellular data plans because I have learned that not all open networks are safe. If I do have to use open networks, I will do enough research about them and use them for my needs! Thank you for this information again!
This is a very informative post about how your personal data could be exposed due to the vulnerabilities in apps such as MY2022 as you stated in your post. It also shows that using public wifi networks could be dangerous and provide hackers with access to our personal data. Hopefully, with this post, people are more aware of the problems within the app and take caution while using public wifi with the use of a VPN.
Interesting topic!
This really sucks for the people who ended up leaking their private information. I also read an article about a different situation where most players and coaches are using burner phones because the Chinese government has ‘crazy, scary’ spying technology that monitors calls, reads texts, tracks movements, and can spot ‘illegal’ words in private conversations.
An important thought to have while traveling! Especially when traveling to a country not known for its hospitality or respect to privacy, people need to be thinking of what they are accessing and what steps they are taking to ensure their data is secure. VPNs are an important tool to keep our data encrypted, but another important security measure, that was not mentioned, is our ‘mobile data’ which is more secure than public wifi networks.
Great post! It’s super interesting (and super disheartening) to learn just how unsafe our data actually is. Looking specifically at the data that the Olympic athletes are submitting for the MY2022 app, I’m curious what you see as being the end goal of a large actor (such as a state) in collecting health and medical data for malicious purposes. You mentioned in your post that China has a less-than-stellar reputation when it comes to respecting digital privacy. Assuming that the collected data is lifted and kept for ulterior purposes, what do you suppose those purposes might be?
Wow, this is a very interesting situation. I also heard about the FBI and the Canadian Olympic committee recommending that athletes buy a burner phone to take to the Olympics. But after reading your article, it seems like that won’t address the issue of personal data being leaked through the My2022 app. Even if they have a new device, they would still be required to enter that information through the app! I really appreciate the tips you included about having a VPN while travelling in your article.
This is a very interesting post! It goes to show the risks involved with public Wi-Fi networks and how having a VPN could really save your digital privacy. Cybersecurity is a really important aspect that more people should be aware of, especially when travelling, so hopefully more people are aware and take the appropriate measures to keep their data secure.
I have a roommate who knows a Team Canada speed skater. The My2022 app seems to be the least of their problems. Apparently, athletes travelling to Beijing were instructed to bring a burner phone, and to avoid using cellular data outside of the Olympic village, because Canadian intelligence suspected that attackers would be waiting for foreign athletes, and could somehow compromise phones just by the phone being connected to cellular data. It makes one think that perhaps even the cellular service companies were in on these suspected attacks, given that such a method of attack seems improbable unless one had access to critical points in the cellular connection service. Cell security, especially in foreign countries, seems to be getting worse; I’ve heard some foreigners have found cryptocurrency miners on their phones after traveling to mainland China; perhaps attackers wanted to use the unaware athletes to mine some coins. Either way, you’re right: travelers make for easy prey when it comes to cybersecurity, and organized events like the Olympics allow attackers to prepare in advance for their victims. Maybe if you’re an athlete it’s better to bring a pager or something. Thank you for the post, it is good to hear that the rumors I picked up turn out to be grounded in reality.
Hey, I think this was a great post. I know that the Olympic Winter Games in China have been clouded with suspicion due to the recent rise in global tension. With the idea that many athletes all around the world are participating in the games, they are vulnerable to attack. Additionally, it could also be seen as an honest mistake on the part of the Government. However, as you mentioned that China does not have a good track record in respecting digital privacy, it could also be suggested that it was intentional and the state really wants to gather as much data as possible. A funny story that comes to my mind is when Macron (president of France) met with Putin to discuss Ukraine, he refused the COVID swab on the basis that his DNA would be stolen. You cannot make this up and you can check the story out here: https://www.bbc.com/news/world-europe-60346300. Likewise, it would make sense for this privacy concern to be addressed and taken care of. However, your post is great and good work!
This was an interesting and informative post!
I have always been cautious when using public Wi-Fi, but after reading this post and others on the same subject, I’ve been much more so. The risks are too high to save a few megabytes of mobile data. So I also believe that using a VPN while traveling is a good idea; do your research to pick a reputable one, and paying for a subscription does not hurt because it will safeguard your personal data and credentials.
Great Topic!
Issues such as incomplete or nonexistent encryption have long plagued China’s tech industry, which is tasked with the challenging double duty of protecting consumer data while also sharing it with government censors and surveillance.
Good Post! I’m commenting at a time near the end of the course, as a result, we’ve covered the unit regarding Web-security. During this unit, we learned about the importance of SSL and TLS certificates and the essential security they provide. The fact that this app doesn’t validate its certificates is a huge red flag and I’m suspicious of China for even suggesting the use of a software that doesn’t validate its certificates, much less make it mandatory for all those who attend the Olympics. Given China’s track record of not respecting digital privacy, I would not be surprised if this was intentionally done in order to farm information from the visitors to the Olympics.