TORONTO —
Researchers at a Toronto-based tech laboratory have uncovered security vulnerabilities and censorship frameworks in an app all 2022 Beijing Olympics attendees must use.
The Citizen Lab, a research institute at the University of Toronto’s Munk School of Global Affairs and Public Policy that studies spyware, found a “simple but devastating” flaw in the MY2022 app that makes audio files, health and customs forms transmitting passport details, and medical and travel history vulnerable to hackers.
Researcher Jeffrey Knockel found ‘MY2022’ does not validate some SSL certificates, digital infrastructure that uses encryption to secure apps and ensures no unauthorized people can access information as it is transmitted.
This failure to validate means the app can be deceived into connecting with malicious hosts it mistakes as being trusted, allowing information the app transmits to servers to be intercepted and attackers to display fake instructions to users.
“The worst case scenario is that someone is intercepting all the traffic and recording all the passport details, all the medical details,” said Knockel, a research associate, who investigated the app after a journalist curious about its security functions approached him.
Olympic organizers have required all games attendees, including athletes, spectators and media members, to download and start using the MY2022 app for submitting health and customs information like COVID-19 test results and vaccination status at least 14 days ahead of their arrival in China.
The app from a state-owned company called Beijing Financial Holdings Group also offers GPS navigation and text, video and audio chat functions and the ability to transfer files and provide news and weather updates.
Knockel found it’s unclear with whom the app shares highly-sensitive medical information.
The Olympic playbook outlines that personal data such as biographical information and health-related data may be processed by Beijing 2022, International Olympic and Paralympic committees, Chinese authorities and “others involved in the implementation of the (COVID-19) countermeasures.”
Knockel say MY2022 outlines several scenarios where it will disclose personal information without user consent, which include but are not limited to national security matters, public health incidents, and criminal investigations.
However, the app does not specify whether court orders will be required to gain access to this information and who will be eligible to receive data.
The final concern Knockel uncovered was that the app allows users to report “politically sensitive” content and found it has a censorship keyword list.
The list includes 2,442 political terms, including some linked to tensions in Xinjiang and Tibet, as well as references to Chinese government agencies. On the list are Chinese phrases translating to “Jews are pigs” and “Chinese are all dogs,” Uyghur terms for “the Holy Quran” and Tibetan words referring to the Dalai Lama.
Knockel couldn’t find evidence that the list was being used by the app.
“We don’t know whether they intended for it to be inactive or whether they intended for it to be active, but either way, it’s something that….can be enabled at the flick of a switch,” said Knockel.
The Citizen Lab disclosed the concerns it found with MY2022 to organizing committees on Dec. 3, giving them 15 days to respond and 45 days to fix the issues, before it publicly disclosed the problems.
A new version of MY2022 for iOS users was released on Jan. 6, but Citizen Lab said no issues were resolved with the update. In fact, Citizen Lab said the update introduced a new “Green Health Code” feature that collects more medical data and is vulnerable to attacks because of its lack of SSL certificate validation.
Knockel recommends anyone headed to the Olympics only use the app when connected to networks they trust, like a virtual private network (VPN).
Olympic participants should also consider taking conversations and other actions that are not mandatory to complete in MY2022 to other apps with better security, he said.
“But it’s tricky,” he said. “Even if they are aware of the security vulnerabilities in the app, they might not have a choice.”
This report by The Canadian Press was first published Jan. 18, 2022
TORONTO – Reigning PWHL MVP and scoring champ Natalie Spooner will miss the start of the regular season for the Toronto Sceptres, general manager Gina Kingsbury announced Tuesday on the first day of training camp.
The 33-year-old Spooner had knee surgery on her left anterior cruciate ligament (ACL) after she was checked into the boards by Minnesota’s Grace Zumwinkle in Game 3 of their best-of-five semifinal series on May 13.
She had a goal and an assist in three playoff games but did not finish the series. Toronto was up 2-1 in the semifinal at that time and eventually fell 3-2 in the series.
Spooner led the PWHL with 27 points in 24 games. Her 20 goals, including five game-winners, were nine more than the closest skater.
Kingsbury said there is no timeline, as the team wants the Toronto native at 100 per cent, but added that “she is doing really well” in her recovery.
The Sceptres open the PWHL season on Nov. 30 when they host the Boston Fleet.
This report by The Canadian Press was first published Nov. 12, 2024.
LAHORE, Pakistan (AP) — A top official of the Pakistan Cricket Board declined Friday to confirm media reports that India has decided against playing any games in host Pakistan during next year’s Champions Trophy.
“My view is if there’s any problems, they (India) should tell us in writing,” PCB chairman Mohsin Naqvi told reporters in Lahore. “I’ll share that with the media as well as with the government as soon as I get such a letter.”
Indian media reported Friday that the Board of Control for Cricket in India (BCCI) has communicated its concerns to all the Champions Trophy stakeholders, including the PCB, over the Feb. 19-March 9 tournament and would not play in arch-rival Pakistan.
The Times of India said that “Dubai is a strong candidate to host the fixtures involving the Men in Blue” for the 50-over tournament.
Such a solution would see Pakistan having to travel to a neutral venue to play India in a group match, with another potential meeting later in the tournament if both teams advanced from their group. The final is scheduled for March 9 in Pakistan with the specific venue not yet decided.
“Our stance is clear,” Naqvi said. “They need to give us in writing any objections they may have. Until now, no discussion of the hybrid model has happened, nor are we prepared to accept one.”
Political tensions have stopped bilateral cricket between the two nations since 2008 and they have competed in only multi-nation tournaments, including ICC World Cups.
“Cricket should be free of politics,” Naqvi said. “Any sport should not be entangled with politics. Our preparations for the Champions Trophy will continue unabated, and this will be a successful event.”
The PCB has already spent millions of dollars on the upgrade of stadiums in Karachi, Lahore and Rawalpindi which are due to host 15 Champions Trophy games. Naqvi hoped all the three stadiums will be ready over the next two months.
“Almost every country wants the Champions Trophy to be played here (in Pakistan),” Naqvi said. “I don’t think anyone should make this a political matter, and I don’t expect they will. I expect the tournament will be held at the home of the official hosts.”
Eight countries – Pakistan, India, Bangladesh, England, Australia, South Africa, New Zealand and Afghanistan – are due to compete in the tournament, the schedule of which is yet to be announced by the International Cricket Council.
“Normally the ICC announces the schedule of any major tournament 100 days before the event, and I hope they will announce it very soon,” Naqvi said.
RIYADH, Saudi Arabia – Ottawa‘s Gabriela Dabrowski and Erin Routliffe of New Zealand are through to the doubles final at the WTA Finals after a 7-6 (7), 6-1 victory over Nicole Melichar-Martinez of the United States and Australia’s Ellen Perez in semifinal action Friday.
Dabrowski and Routliffe won a hard-fought first set against serve when Routliffe’s quick reaction at the net to defend a Perez shot gave the duo set point, causing Perez to throw down her racket in frustration.
The second seeds then cruised through the second set, winning match point on serve when Melichar-Martinez couldn’t handle Routliffe’s shot.
The showdown was a rematch of last year’s semifinal, which Melichar-Martinez and Perez won in a super tiebreak.
Dabrowski and Routliffe will face the winner of a match between Katerina Siniakova and Taylor Townsend, and Hao-Ching Chan and Veronika Kudermetova in the final on Saturday.
Dabrowski is aiming to become the first Canadian to win a WTA Finals title.
This report by The Canadian Press was first published Nov. 8, 2024.
