Researchers at a Toronto-based tech laboratory have uncovered security vulnerabilities and censorship frameworks in an app all 2022 Beijing Olympics attendees must use.
The Citizen Lab, a research institute at the University of Toronto’s Munk School of Global Affairs and Public Policy that studies spyware, found a “simple but devastating” flaw in the MY2022 app that makes audio files, health and customs forms transmitting passport details, and medical and travel history vulnerable to hackers.
Researcher Jeffrey Knockel found MY2022 does not validate some SSL certificates, digital infrastructure that uses encryption to secure apps and ensures no unauthorized people can access information as it is transmitted.
This failure to validate means the app can be deceived into connecting with malicious hosts it mistakes as being trusted, allowing information the app transmits to servers to be intercepted and attackers to display fake instructions to users.
“The worst-case scenario is that someone is intercepting all the traffic and recording all the passport details, all the medical details,” said Knockel, a research associate, who investigated the app after a journalist curious about its security functions approached him.
WATCH | Explaining security flaws in the Beijing Olympics app:
Explaining the security flaw & censorship framework found in ‘My2022’ Beijing Olympic app
12 hours ago
Duration 4:45
The Citizen Lab, a socio-political research group from the University of Toronto’s Munk School of Global Affairs & Public Policy, found the Beijing 2022 companion app, to be used by Olympians and other attendees of the Games, has a security flaw that opens up any user’s personal data to hackers. David Masson, chair of enterprise security at Darktrace, joined to explain the potential dangers of the app to its users. 4:45
Olympic organizers have required all games attendees, including athletes, spectators and media members, to download and start using the MY2022 app for submitting health and customs information like COVID-19 test results and vaccination status at least 14 days ahead of their arrival in China.
The app from a state-owned company called Beijing Financial Holdings Group also offers GPS navigation and text, video and audio chat functions and the ability to transfer files and provide news and weather updates.
Knockel found it’s unclear with whom the app shares highly sensitive medical information.
Censorship keyword list
The Olympic playbook outlines personal data such as biographical information and health-related data may be processed by Beijing 2022, International Olympic and Paralympic committees, Chinese authorities and “others involved in the implementation of the [COVID-19] countermeasures.”
Knockel said MY2022 outlines several scenarios where it will disclose personal information without user consent, which include but are not limited to national security matters, public health incidents, and criminal investigations.
However, the app does not specify whether court orders will be required to gain access to this information and who will be eligible to receive data.
WATCH | Cybersecurity experts at UofT voice concerns about Beijing Olympics app:
Cybersecurity experts concerned about 2022 Beijing Olympics app
19 hours ago
Duration 3:44
Cybersecurity experts at the University of Toronto are voicing concerns about the My2022 app, which is required for all participants in the Beijing Winter Olympics. 3:44
The final concern Knockel uncovered was that the app allows users to report “politically sensitive” content and found it has a censorship keyword list.
The list includes 2,442 political terms, including some linked to tensions in Xinjiang and Tibet, as well as references to Chinese government agencies. On the list are Chinese phrases translating to “Jews are pigs” and “Chinese are all dogs,” Uyghur terms for “the Holy Quran” and Tibetan words referring to the Dalai Lama.
Knockel couldn’t find evidence the list was being used by the app.
“We don’t know whether they intended for it to be inactive or whether they intended for it to be active, but either way, it’s something that … can be enabled at the flick of a switch,” said Knockel.
The Citizen Lab disclosed the concerns it found with MY2022 to organizing committees on Dec. 3, giving them 15 days to respond and 45 days to fix the issues, before it publicly disclosed the problems.
IOC requests copy of lab report
A new version of MY2022 for iOS users was released on Jan. 6, but Citizen Lab said no issues were resolved with the update. In fact, Citizen Lab said the update introduced a new “Green Health Code” feature that collects more medical data and is vulnerable to attacks because of its lack of SSL certificate validation.
The Beijing Organizing Committee did not respond to a request for comment.
The International Olympic Committee said in a statement that it has requested a copy of the Citizen Lab’s report to better understand its concerns.
The IOC noted it has conducted independent third-party assessments on MY2022 with two cyber-security testing organizations and found there are no critical vulnerabilities in the app.
Meanwhile, the Canadian Olympic Committee did not address the report specifically, but said it has reminded all members of Team Canada that the Games present a unique opportunity for cybercrime and they should be extra diligent about these risks.
It said in a statement it has recommended Team Canada members leave personal devices at home, limit personal information stored on electronics brought to the Games, only connect to official Wi-Fi, turn off transmitting functions when not in use and remove any Games related apps when they’re no longer necessary.
Knockel recommends anyone headed to the Olympics only use the app when connected to networks they trust, like a virtual private network.
Olympic participants should also consider taking conversations and other actions that are not mandatory to complete in MY2022 to other apps with better security, he said.
“But it’s tricky,” he said. “Even if they are aware of the security vulnerabilities in the app, they might not have a choice.”
MIAMI GARDENS, Fla. (AP) — The Miami Dolphins will bring in another quarterback while starter Tua Tagovailoa deals with his latest concussion, coach Mike McDaniel said Friday.
For now, Skylar Thompson will be considered the Dolphins’ starter while Tagovailoa is sidelined. Tagovailoa left Thursday night’s 31-10 loss to Buffalo in the third quarter with the third known concussion of his NFL career, all of them coming in the last 24 months.
“The team and the organization are very confident in Skylar,” McDaniel said.
McDaniel said the team has not made any decision about whether to place Tagovailoa on injured reserve. Tagovailoa was expected at the team facility on Friday to start the process of being evaluated in earnest.
“We just have to operate in the unknown and be prepared for every situation,” McDaniel said, noting that the only opinions that will matter to the team will be the ones from Tagovailoa and the medical staff.
McDaniel added that he doesn’t see Tagovailoa playing in Miami’s next game at Seattle on Sept. 22.
“I have no idea and I’m not going to all of a sudden start making decisions that I don’t even see myself involved in the most important parts of,” McDaniel added. “All I’m telling Tua is everyone is counting on you to be a dad and be a dad this weekend. And then we’ll move from there. There won’t be any talk about where we’re going in that regard … none of that will happen without doctors’ expertise and the actual player.”
Tagovailoa was 17 for 25 passing for 145 yards, with one touchdown and three interceptions — one of which was returned for a Buffalo score — when he got hurt. Thompson completed eight of 14 passes for 80 yards.
Thompson said he feels “fully equipped” to run the Dolphins’ offense.
“What’s going to lie ahead, who knows, but man, I’m confident, though,” Thompson said after Thursday’s game. “I feel like I’m ready for whatever’s to come. I’m going to prepare and work hard and do everything I can to lead this team and do my job.”
Montreal Alouettes wide receiver Tyson Philpot has announced he will be out for the rest of the CFL season.
The Delta, B.C., native posted the news on his Instagram page Thursday.
“To Be Continued. Shoutout my team, the fans of the CFL and the whole city of Montreal! I can’t wait to be back healthy and write this next chapter in 2025,” the statement read.
Philpot, 24, injured his foot in a 33-23 win over the Hamilton Tiger-Cats on Aug. 10 and was placed on the six-game injured list the next week.
The six-foot-one, 195-pound receiver had 58 receptions, 779 yards and five touchdowns in nine games for the league-leading Alouettes in his third season.
Philpot scored the game-winning touchdown in Montreal’s Grey Cup win last season to punctuate a six-reception, 63-yard performance.
This report by The Canadian Press was first published Sept. 12, 2024.
NAPA, Calif. (AP) — David Lipsky shot a 7-under 65 on Thursday at Silverado Country Club to take a one-stroke lead after the first round of the Procore Championship.
Winless in 104 events since joining the PGA Tour in 2022, Lipsky went out with the early groups and had eight birdies with one bogey to kick off the FedEx Cup Fall series at the picturesque course in the heart of Napa Valley wine country.
After missing the cut in his three previous tournaments, Lipsky flew from Las Vegas to Arizona to reunite with his college coach at Northwestern to get his focus back. He also spent time playing with some of the Northwestern players, which helped him relax.
“Just being around those guys and seeing how carefree they are, not knowing what’s coming for them yet, it’s sort of nice to see that,” Lipsky said. “I was almost energized by their youthfulness.”
Patton Kizzire and Mark Hubbard were a stroke back. Kizzire started on the back nine and made a late run with three consecutive birdies to move into a tie for first. A bogey on No. 8 dropped him back.
“There was a lot of good stuff out there today,” Kizzire said. “I stayed patient and just went through my routines and played well, one shot at a time. I’ve really bee working hard on my mental game and I think that allowed me to rinse and repeat and reset and keep playing.”
Mark Hubbard was at 67. He had nine birdies but fell off the pace with a bogey and triple bogey on back-to-back holes.
Kevin Dougherty also was in the group at 67. He had two eagles and ended his afternoon by holing out from 41 yards on the 383-yard, par-4 18th.
Defending champion Sahith Theegala had to scramble for much of his round of 69.
Wyndham Clark, who won the U.S. Open in 2023 and the AT&T at Pebble Beach in February, had a 70.
Max Homa shot 71. The two-time tournament champion and a captain’s pick for the President’s Cup in two weeks had two birdies and overcame a bogey on the par-4 first.
Stewart Cink, the 2020 winner, also opened with a 71. He won The Ally Challenge last month for his first PGA Tour Champions title.
Three players from the Presidents Cup International team had mix results. Min Woo Lee shot 68, Mackenzie Hughes of Dundas, Ont., 69 and Corey Conners of Listowel, Ont., 73. International team captain Mike Weir of Brights Grove, Ont., also had a 69.
Ben Silverman of Thornhill, Ont., had a 68, Nick Taylor of Abbotsford, B.C., and Roger Sloan of Merritt, B.C., shot 70 and Adam Svensson of Surrey, B.C., had a 71.
Lipsky was a little shaky off the tee for much of the afternoon but made up for it with steady iron play that left him in great shape on the greens. He had one-putts on 11 holes and was in position for a bigger day but left five putts short.
Lipsky’s only real problem came on the par-4 ninth when his approach sailed into a bunker just shy of the green. He bounced back nicely with five birdies on his back nine. After missing a 19-foot putt for birdie on No. 17, Lipsky ended his day with a 12-foot par putt.
That was a big change from last year when Lipsky tied for 30th at Silverado when he drove the ball well but had uneven success on the greens.
“Sometimes you have to realize golf can be fun, and I think I sort of forgot that along the way as I’m grinding it out,” Lipsky said. “You’ve got to put things in perspective, take a step back. Sort of did that and it seems like it’s working out.”
Laird stayed close after beginning his day with a bogey on the par-4 10th. The Scot got out of the sand nicely but pushed his par putt past the hole.
Homa continued to have issues off the tee and missed birdie putts on his final four holes.
