When asked to write about the Winter Olympic Games this year, I immediately thought about my alpine holiday in Niseko. Those fun-and-games were two years ago, and little did I know I would not be setting foot on a slope till…I have no idea when (thank you, COVID-19). It looks like the 2022 Winter Olympics hosted by the People’s Republic of China (PRC) will be the closest to winter sports I’ll ever be. Instead of lamenting my missed winter sporting opportunities, I will focus on some cyber-security issues that generally come hand-in-hand with major sporting events, especially the Olympic Winter Games in Beijing this year.
Just why does Beijing 2022 matter?
For the record, this is not the PRC’s first rodeo with regard to the Olympic Games. The country had experience in 2008 when it hosted the Summer Olympics. Clearly a lot has changed during those 14 years.
Geopolitical events are crucial when understanding cyber threats and their risks, because these developments often influence the conduct and trajectory of cyber activity. Just last year, Stefano postulated the type of cyber threats associated with the UEFA EURO 2020 Championship (joke’s on him, the greatest threat was…his nationality) and discussed some risks associated with the Tokyo 2020 Olympic Games. These events attract large viewership and are essentially a prime stage for showing the world what you’re made of, which often includes sending politically charged or ideologically motivated messages.
The cyber threats affecting those two events are just as valid and applicable to the 2022 Winter Olympics in Beijing. This time, we’re going to delve a little deeper into some of the controversies and considerations arising from the event set to commence on 04 Feb 2022.
Diplomatic hot potato
The International Olympic Committee’s (IOC) decision to name the PRC as host of the Winter Olympics has not been without controversy. The PRC has often come under fire for its human rights violations and atrocities against the Uighur community in its territory, particularly in the Xinjiang region. These allegations have become more and more pronounced in the last five years or so. The West has frequently used the PRC’s genocide as a political rallying point, citing the PRC’s poor track record on human rights issues to halt or turn down agreements.
With the Winter Olympics, calls for the PRC to address these human rights concerns have once again surfaced. On the PRC’s part, the Chinese Communist Party’s stance towards these concerns is consistent; when confronted by other countries about these allegations, the PRC defers to the same public relations tactics: it regards these comments as interference from external parties, and does not pay heed to such advice. The party line is that foreign actors have no right to make these demands. It has also defended its actions in Xinjiang as re-education rather than genocide.
Another human rights issue that has come up time and time again is the crackdown on Hong Kong’s political freedom. More recently, these concerns have extended to Chinese tennis player Peng Shuai’s disappearance, after she made sexual accusations against a top government official in the PRC. Peng Shuai has since returned to the public spotlight and retracted her allegations; many have suggested this is due to pressure from officials in the PRC.
Over these human rights concerns, some countries have initiated a diplomatic boycott of Beijing 2022. The US, the UK, and Australia are among such countries. Unlike a complete boycott of the event, a diplomatic boycott is markedly strategic. It entails a partial embargo of the event, where government representatives will not attend Beijing 2022. However, their national athletes will still participate and compete in the games. It is a win-win arrangement where countries can air their displeasure without snuffing the games entirely and antagonizing the host country. Whether this diplomatic boycott is genuinely worth its salt at pushing the PRC to improve its human rights score is another conversation altogether.
Will this really result in some PRC-initiated cyber activity? Maybe, maybe not. Haters gonna hate, but the PRC does not take too kindly to its critics and has targeted its naysayers in cyber espionage operations. The US-PRC trade war is among the many instances in which the PRC has done so. But the US is not the only detractor. In March 2021, the Finnish Security Intelligence Service (Supo) attributed an attack that targeted the Finnish parliament to the PRC-linked “APT31”. Reasons behind the attack weren’t obvious, but were likely to be related to Finland-PRC developments such as Finland’s involvement in the PRC’s Belt and Road Initiative, Finland’s opposition to the PRC’s national security law in Hong Kong, and/or Finland’s rejection of a PRC offer to lease an airport in northern Finland for research flights.
With Beijing 2022 being a matter of prestige and “面子” (mian-zi), the PRC is probably going to great lengths to ensure the smooth conduct of the event. That means information gathering to stay one step ahead of potential hindrances, especially interference from foreign parties, is likely to occur.
My2022 App insecurities
Besides watching geopolitical relations unfold on the sporting stage, there are other areas of cyber-security concern regarding the Winter Olympics. Already, the official mobile app for Beijing 2022, named “My2022”, has proven problematic. The app is intended to process athletes’ health and travel data but has unwittingly come with its own slew of flaws.
For starters, the app’s security was insufficient when protecting user data. Cyber-security researchers at Citizen Lab found that My2022 ran into privacy and data security issues, especially as the app collected excessive amounts of data, such as WLAN status, device identifiers and model, cellular service provider information, apps installed on the device, audio data, and device storage access. Basically everything. The app is also used to submit health customs information necessary for those entering the PRC from abroad, which means such personal data is susceptible to exposure too.
But My2022 security issues don’t end there. Flaws in the Secure Sockets Layer (SSL)-based encryption used in My2022 also potentially expose a device to unverified connections. Here, researchers found that My2022 doesn’t necessarily verify that the servers to which data is being transmitted are the intended servers, so an attacker can intercept data sent from My2022. This essentially makes a device vulnerable to a man-in-the-middle attack. Even more worrying is the discovery that data transmitted from the app is not always encrypted. All it takes is some network packet interception before some ill-intentioned user potentially obtains the data in plaintext form.
Overall, this is odd, considering that the CCP has taken its domestic technology firms to task over the excessive collection of data. When considering the recent implementation of laws like the Personal Information Protection Law (PIPL), My2022 is undoubtedly violating some of the government’s own ground rules.
But before you vilify Chinese apps and technology and avoid them altogether, the security issues in My2022 would not be particularly surprising in apps developed by other organizations either.
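The two weaknesses described above, a TLS client that never authenticates the server and endpoints that skip encryption altogether, can be checked for in a client's own configuration. The following is an added illustration in Python, not code from My2022 or from the researchers; the function names and the `.test` endpoints are constructed for the example.

```python
import ssl
from urllib.parse import urlsplit

def weak_context():
    """Failure mode from the text: traffic is encrypted but the server is never authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be switched off before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, including an interceptor's, passes
    return ctx

def hardened_context():
    """Corrected configuration: verify the certificate chain and the hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx):
    """Return the server-authentication checks that a client context leaves disabled."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate")
    return findings

# Constructed sample endpoints (reserved .test names, not the app's real servers).
SAMPLE_ENDPOINTS = [
    "https://health.example.test/api/declare",
    "http://media.example.test/upload",
    "HTTPS://auth.example.test/login",
]

def plaintext_endpoints(urls):
    """Return the endpoints whose traffic would cross the network unencrypted."""
    return [u for u in urls if urlsplit(u).scheme.lower() != "https"]

if __name__ == "__main__":
    print("weak context:", audit_context(weak_context()))
    print("hardened context:", audit_context(hardened_context()))
    print("plaintext endpoints:", plaintext_endpoints(SAMPLE_ENDPOINTS))
```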
Wider risks of operating in the PRC
Even though My2022 is a Chinese app, its flaws and vulnerabilities are likely to impact even foreigners. All participants – athletes, the media, spectators – in Beijing 2022 have to use the app, which is supposedly used in COVID-19 ringfencing efforts (the PRC is currently pursuing a zero-COVID policy). Considering the high—well, as high as it would get during a pandemic—global participation rate, foreign users too are likely to be impacted by My2022 flaws.
Do not panic just yet. You need not sweat buckets over these security issues, and downloading the app certainly doesn’t put you in grave danger. If anything, the issues found in My2022 are unlikely to have been placed there intentionally to enable state surveillance; they are more likely due to shoddy design or poor app development. Athletes or members of the press using My2022 are no more likely to be monitored by the PRC than regular travelers. For these users using My2022 to log their health data, there is essentially no heightened risk as the authorities in the PRC would be collecting such information at ports of entry anyway; this is no different in any other country, which has mandated health and vaccination declarations for all visitors especially during a pandemic. Not being at a higher risk of surveillance doesn’t absolve one from surveillance in the PRC completely though.
As a whole, these concerns do spark discussion about the broader implications of operating in the PRC. It is no secret that the PRC uses technology to conduct surveillance and monitoring within its territories; it is this same concern that drove all that discourse around the use of Chinese-developed technology like TikTok and Huawei equipment. When in PRC territory and using the government’s apps and networks, all data transmitted locally is likely to end up in the hands of the authorities. Domestically, there are laws to facilitate that; besides the PIPL, there are also the Cyber-security Law (CSL) and Data Security Law.
In terms of surveillance, Big Brother is already watching on a regular basis in Chinese territories. With the Olympics remaining a matter of dignity for the PRC, a greater level of such monitoring can be expected. No country would embrace sabotage with open arms, and the PRC definitely would not.
It’s tough to completely mitigate these data collection and surveillance activities, even more so in the PRC. One should assume that all data—which can include emails, SMSes, app data—can be compromised when operating in the PRC. Short-term measures when visiting the PRC should encompass using burner devices, like temporary or disposable laptops or mobile phones, and wiping all data from that equipment before and after traveling to the PRC. This is what some participating countries in Beijing 2022 have done.
In any case, it looks like we’re participating in a biathlon—a long and sometimes unbalanced journey, with hits and misses along the way.
Threat intelligence isn’t always about IOCs and attributing attacks to a specific actor. Understanding geopolitical developments does go a long way in contextualizing the activities occurring in the digital space. Here at Digital Shadows, the Photon Research Team assesses the risks and cyber threats that come with high-profile global events and looks at the wider cyber-security concerns. This includes understanding the operational risks associated with a country and better dealing with or mitigating some of this exposure. Take a customized demo of SearchLight with us, and let us show you how to better equip yourselves against cyber threats out there.