Toronto lab finds security vulnerabilities, censorship framework in Olympic app


TORONTO — Researchers at a Toronto-based tech laboratory have uncovered security vulnerabilities and censorship frameworks in an app all 2022 Beijing Olympics attendees must use.

The Citizen Lab, a research institute at the University of Toronto’s Munk School of Global Affairs and Public Policy that studies spyware, found a “simple but devastating” flaw in the MY2022 app that makes audio files, health and customs forms transmitting passport details, and medical and travel history vulnerable to hackers.

Researcher Jeffrey Knockel found MY2022 does not validate some SSL certificates, digital infrastructure that uses encryption to secure apps and ensures no unauthorized people can access information as it is transmitted.

This failure to validate means the app can be deceived into connecting with malicious hosts it mistakes as being trusted, allowing information the app transmits to servers to be intercepted and attackers to display fake instructions to users.
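A defender-side check for the class of flaw described above, added here as an example and not code from Citizen Lab or the MY2022 app: a small scanner that flags Python TLS-client settings which switch off certificate or hostname validation, plus an audit of a live `ssl.SSLContext`. The sample client snippets, the `example.invalid` URL and the helper names are constructed for illustration.

```python
import re
import ssl

# Source idioms that leave a TLS client accepting any server certificate,
# each mapped to the weakness it indicates.
WEAK_PATTERNS = {
    r"verify\s*=\s*False": "certificate chain validation disabled",
    r"verify_mode\s*=\s*ssl\.CERT_NONE": "verify_mode CERT_NONE: chain never checked",
    r"check_hostname\s*=\s*False": "hostname check off: any valid cert for any host accepted",
    r"_create_unverified_context\(": "unverified context: no chain and no hostname check",
}

def find_weak_tls(source):
    """Return (line_no, matched_text, description) for every setting in the
    given Python source that disables validation; '#' comments are ignored."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = line.split("#", 1)[0]
        for pattern, description in WEAK_PATTERNS.items():
            match = re.search(pattern, code)
            if match:
                findings.append((line_no, match.group(0), description))
    return findings

def audit_context(ctx):
    """Reasons a live ssl.SSLContext would accept an impersonating server."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        problems.append("check_hostname is disabled")
    return problems

def weak_context():
    """A context with validation switched off, the mistake the article describes."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

# Constructed samples (not code from the MY2022 app): a client that disables
# validation, and the same client with Python's safe defaults left in place.
WEAK_CLIENT = """\
import ssl, requests
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
resp = requests.get("https://example.invalid/health-form", verify=False)
"""

HARDENED_CLIENT = """\
import ssl, requests
ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
resp = requests.get("https://example.invalid/health-form")  # verify=True by default
"""
```

Running `find_weak_tls(WEAK_CLIENT)` reports the three lines that disable validation, while the hardened client produces no findings.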

“The worst case scenario is that someone is intercepting all the traffic and recording all the passport details, all the medical details,” said Knockel, a research associate, who investigated the app after a journalist curious about its security functions approached him.

Olympic organizers have required all games attendees, including athletes, spectators and media members, to download and start using the MY2022 app for submitting health and customs information like COVID-19 test results and vaccination status at least 14 days ahead of their arrival in China.

The app from a state-owned company called Beijing Financial Holdings Group also offers GPS navigation and text, video and audio chat functions and the ability to transfer files and provide news and weather updates.

Knockel found it’s unclear with whom the app shares highly-sensitive medical information.

The Olympic playbook outlines that personal data such as biographical information and health-related data may be processed by Beijing 2022, International Olympic and Paralympic committees, Chinese authorities and “others involved in the implementation of the (COVID-19) countermeasures.”

Knockel says MY2022 outlines several scenarios where it will disclose personal information without user consent, which include but are not limited to national security matters, public health incidents, and criminal investigations.

However, the app does not specify whether court orders will be required to gain access to this information and who will be eligible to receive data.

The final concern Knockel uncovered was that the app allows users to report “politically sensitive” content and found it has a censorship keyword list.

The list includes 2,442 political terms, including some linked to tensions in Xinjiang and Tibet, as well as references to Chinese government agencies. On the list are Chinese phrases translating to “Jews are pigs” and “Chinese are all dogs,” Uyghur terms for “the Holy Quran” and Tibetan words referring to the Dalai Lama.

Knockel couldn’t find evidence that the list was being used by the app.

“We don’t know whether they intended for it to be inactive or whether they intended for it to be active, but either way, it’s something that … can be enabled at the flick of a switch,” said Knockel.

The Citizen Lab disclosed the concerns it found with MY2022 to organizing committees on Dec. 3, giving them 15 days to respond and 45 days to fix the issues, before it publicly disclosed the problems.

A new version of MY2022 for iOS users was released on Jan. 6, but Citizen Lab said no issues were resolved with the update. In fact, Citizen Lab said the update introduced a new “Green Health Code” feature that collects more medical data and is vulnerable to attacks because of its lack of SSL certificate validation.

The Beijing Organizing Committee did not respond to a request for comment.

The International Olympic Committee said in a statement that it has requested a copy of the Citizen Lab’s report to better understand its concerns.

The IOC noted it has conducted independent third-party assessments on MY2022 with two cyber-security testing organizations and found there are no critical vulnerabilities in the app.

Meanwhile, the Canadian Olympic Committee did not address the report specifically, but said it has reminded all members of Team Canada that the Games present a unique opportunity for cybercrime and they should be extra diligent about these risks.

It said in a statement that it has recommended Team Canada members leave personal devices at home, limit personal information stored on electronics brought to the Games, only connect to official Wi-Fi, turn off transmitting functions when not in use and remove any Games related apps when they’re no longer necessary.

Knockel recommends anyone headed to the Olympics only use the app when connected to networks they trust, like a virtual private network (VPN).

Olympic participants should also consider taking conversations and other actions that are not mandatory to complete in MY2022 to other apps with better security, he said.

“But it’s tricky,” he said. “Even if they are aware of the security vulnerabilities in the app, they might not have a choice.”

This report by The Canadian Press was first published Jan. 18, 2022.

Tara Deschamps, The Canadian Press


DHS pauses disinformation board amid free speech questions


WASHINGTON (AP) — The Department of Homeland Security paused its new disinformation governance board Wednesday and its board’s director will resign, following weeks of criticism from Republicans and questions about whether the board would impinge on free speech rights.

While the board was not formally shuttered, it will be reviewed by members of a DHS advisory council that’s expected to make recommendations in 75 days. Nina Jankowicz, picked to lead the board, wrote in her resignation letter that the board’s future was “uncertain,” according to her letter, obtained by The Associated Press.

Federal and state agencies treat disinformation as a national security threat. But the new board was hampered from the start by questions about its purpose and an uneven rollout that further confused its mission. The phrase “Ministry of Truth” — a reference to George Orwell’s “1984” — has repeatedly trended online in discussions about the board.

Some of the attacks on Jankowicz have used sexist and anti-Semitic slurs. A Fox News personality recently questioned whether Jankowicz should have agreed to lead the board while pregnant.

The Washington Post first reported the board would be paused.

Conservative pundits and right-leaning media have often focused directly on Jankowicz, a researcher on Russian disinformation named to lead the board. Critics have pointed to statements made by Jankowicz that questioned the provenance of a laptop said to belong to Hunter Biden, the president’s eldest son, and replayed a TikTok video she taped about disinformation to the tune of a song from “Mary Poppins.”

DHS officials have described the board as an internal working group intended to study definitions of disinformation across the department. They have not explained why they chose Jankowicz, who is not a lawyer and had a well-known public profile.

Supporters of Jankowicz have accused the department of not doing enough to protect her from trolls and online attacks.

“It is deeply disappointing that mischaracterizations of the board became a distraction from the Department’s vital work, and indeed, along with recent events globally and nationally, embodies why it is necessary,” Jankowicz wrote in her resignation letter.

Russia has tried to influence the last two presidential elections by boosting false stories and using social media to inflame divisions in American society on issues like race and the coronavirus pandemic. It has continued to spread false and misleading narratives about its invasion of Ukraine. U.S. intelligence officials have also accused China and Iran of peddling disinformation to Americans.

Experts on disinformation warned the controversy around the board could hurt existing efforts to identify and stop the spread of false narratives about elections and hot-button issues in American society. DHS has several ongoing programs to counter disinformation, including the U.S. Cybersecurity and Infrastructure Security Agency’s efforts to debunk claims of election fraud.

Some speculated the board was developed by DHS in response to billionaire Elon Musk’s plan to buy Twitter, driven in part by a desire to loosen the platform’s rules around tweets. Others put out false claims that Jankowicz planned to edit the tweets of everyday Twitter users.

Homeland Security Secretary Alejandro Mayorkas announced the creation of the board in late April, saying it would highlight Russian disinformation and false claims that encourage people to migrate to the U.S.-Mexico border. The board was immediately controversial, with Republican lawmakers questioning whether President Joe Biden’s administration was trying to police narratives it opposed.

The top Republicans on two key congressional oversight committees said they had a “complete lack of information about this new initiative.” And Mayorkas was attacked repeatedly over the board in recent appearances on Capitol Hill. Sen. Mitt Romney, a Utah Republican, told Mayorkas the board was a “terrible idea” that “communicates to the world that we’re going to be spreading propaganda in our own country.”

DHS also faced the prospect of a lawsuit. Twenty Republican attorneys general, led by Jason Miyares of Virginia, threatened Mayorkas with legal action “unless you turn back now and disband this Orwellian Disinformation Governance Board immediately,” Miyares said in a statement.

Nomaan Merchant And Amanda Seitz, The Associated Press


Buffalo suspect: Lonely, isolated — and a sign of trouble


By Bernard Condon And Michael Hill in Conklin

CONKLIN, N.Y. (AP) — In the waning days of Payton Gendron’s COVID-19-altered senior year at Susquehanna Valley High School, he logged on to a virtual learning program in economics class that asked: “What do you plan to do when you retire?”

“Murder-suicide,” Gendron typed.

Despite his protests that it was all a joke, the bespectacled 17-year-old who had long been viewed by classmates as a smart loner was questioned by state police over the possible threat and then taken into custody and to a hospital for a psychiatric evaluation under a state mental health law.

But a day and a half later, he was released. And two weeks after that, he was allowed to participate in graduation festivities, including riding in the senior parade, where he was photographed atop a convertible driven by his father and festooned with yellow-and-blue balloons and signs reading, “Congratulations” and “Payton Gendron.”

That account of Gendron’s brush with the law last spring, according to authorities and other people familiar with what happened, emphasized the same point school officials made in a message to parents at the time: An investigation found no specific, credible threat against the school or any individual from that sign of trouble.

That same young white man bought a Bushmaster XM-15 rifle, traveled three hours to Buffalo and went on what authorities say was a racist, livestreamed shooting rampage Saturday in a crowded supermarket that left 10 Black people dead.

Gendron, now 18, was arraigned on a state murder charge over the weekend and a court-appointed public defender entered a not guilty plea on his behalf. He remained jailed under suicide watch as federal prosecutors contemplate hate-crime charges.

Even as the FBI swarmed the comfortable home where Gendron lived with his parents and two younger brothers, neighbors and classmates in this community of 5,000 near the New York-Pennsylvania line say they saw no inkling of the young man now being described on television.

And they say they saw nothing of the kind of racist rhetoric seen in a 180-page online diatribe, purportedly written by Gendron, in which he describes in minute detail how he researched ZIP codes with the highest concentrations of Black people, surveilled the Tops supermarket in Buffalo, and carried out the assault to terrorize all nonwhite, non-Christian people into leaving the country.

Classmates described Gendron as a quiet, studious boy who got high marks but seemed out of place in recent years, turning to online streaming games, a fascination with guns and ways to grab attention from his peers.

When school partially opened again early last year after COVID-19-related shutdowns, Gendron showed up covered head to toe in a hazmat suit. Classmate Matthew Casado said he didn’t think the stunt — he called it “a harmless joke” — went down well with other students.

“Most people didn’t associate with him,” he said. “They didn’t want to be known as friends with a kid who was socially awkward and nerdy.”

Gendron excelled in sciences, once earning top marks in a state chemistry competition. But he was known for keeping to himself and not talking much. And when he did talk, it was about isolation, rejection and desperation.

“He talked about how he didn’t like school because he didn’t have friends. He would say he was lonely,” said Casado, who graduated with Gendron last year.

At one point last winter, Gendron’s mother called Casado’s mother with a request: Please have Matthew call Payton because he had no friends and needed to talk.

The two boys ended up going to flea markets together, watching YouTube videos and shooting guns on nearby state land over the next few months. Casado said that he had never heard his friend talk of anything violent.

“I didn’t think he would hurt a fly,” he said.

Some neighbors had a similar view, seeing the family as happy and prosperous, with both Paul Gendron and his wife, Pamela, holding stable jobs as civil engineers with the New York state Department of Transportation, earning nearly $200,000 combined, according to online records.

Dozens of their Facebook posts over the years show the parents and their three boys — often dressed in matching outfits — enjoying amusement park vacations, going on boat trips, shooting laser tag guns and opening presents on Christmas morning.

Carl Lobdell, a family friend who first met Gendron on a camping vacation a dozen years ago, said he was shocked that Payton was identified as the suspect in the mass shooting.

“He was very friendly, very respectable,” said Lobdell, adding that his family had grown so close to the Gendrons that they even attended Payton’s graduation party last year. “When I heard about the shooting … I just cried.”

The family did not respond to a request for comment over the weekend, nor did Gendron’s attorney. No one answered the door Monday at the family home, surrounded by a neat, spacious lawn. Near the front door was a tiny right hand pressed in concrete with a heart symbol and the words, “PAYTON 2008.”

One parent of a Susquehanna Valley High student said she was furious that the student who was investigated for making the threat last year — whom she later discovered was Gendron — was still allowed to participate in all graduation activities. The woman asked not to be identified because she feared harassment.

According to a recording of a conference call of federal and local law enforcement officials Monday that was obtained by The Associated Press, Buffalo Police Commissioner Joseph Gramaglia said the comments Gendron made in school in June 2021 were “generalized statements” and not targeted at anyone in particular or at a specific location, which is why no criminal charges were filed. He said the state police “did everything within the confines of the law.”

Gendron enrolled at Broome County Community College and later dropped out. The school wouldn’t say why. And according to online writings attributed to him, he began planning his assault on the Buffalo supermarket beginning at least in November, saying he was inculcated into his racist views online.

“I was never diagnosed with a mental disability or disorder, and I believe to be perfectly sane,” according to one passage.

A new, 589-page document of online diary postings emerged Monday that authorities have attributed to Gendron, and some of its passages tracked with the account AP’s sources gave of his high school threat investigation.

“Another bad experience was when I had to go to a hospitals ER because I said the word’s ‘murder/suicide’ to an online paper in economics class,” said one entry. “I got out of it because I stuck with the story that I was getting out of class and I just stupidly wrote that down. That is the reason I believe I am still able to purchase guns.”

“It was not a joke, I wrote that down because that’s what I was planning to do.”

___

Condon reported from New York. Eric Tucker in Washington, Michael R. Sisak in New York and news researcher Rhonda Shafner in New York contributed.

___

Contact AP’s global investigative team at [email protected]
