The Cybersecurity Nightmare of China’s Winter Olympics

 


Photo by Philipp Katzenberger | Unsplash

The world loves friendly competition. Every two years, the planet comes together, puts aside most of our differences and enters the battlefield of athletic prowess. The Olympics has been enshrined in the public consciousness for decades in the modern era and its roots date back to one of the world’s oldest democracies. This is why it’s painful to see the games held in a country with an autocratic government rife with human rights violations.

 

In this case, China has a lot to answer for – from its current abuses against its Uighur population to its massive surveillance infrastructure that stifles its citizens’ ability to speak freely. That is the backdrop that the Olympics must contend with: a free and open competition in the land of the largest authoritarian state.

 

Unfortunately, for the delegations around the world heading to China, this means that their devices, biometric information, health data and personal information are seriously at risk. Already the cybersecurity community, myself included, has been raising the alarm over the violations of privacy we are uncovering as we review the technology and apps China is using for the games.

 

China has not been the only offender in terms of host countries. The 2014 winter games held in Sochi, Russia also saw a large amount of hacking of mobile devices that were connected to local wireless. Journalists attending the games were given a press packet that included a suspect flash drive from the Russian government that was considered a cybersecurity risk. So, this type of malfeasance isn’t new but tends to be the modus operandi of oppressive governments.

In the case of China, they have stated that they are going to drop their massive censorship of the internet – known as The Great Firewall – at the hotels and venues that are hosting the international delegations. However, being able to reach previously blocked Western sites like Facebook doesn’t mean the government can’t still monitor all traffic coming in and out of a person’s device. In fact, some of the biggest sponsors of the Olympics this year are China’s big tech companies, many of whom specialize in surveillance, artificial intelligence and other technologies that Beijing leverages to keep tabs (and data) on the entire world.

 

As with the Sochi Games, these companies are offering the wireless infrastructure that everyone will use. Given the tight hold that Beijing has on these companies, state actors could easily use this infrastructure to capture data as it leaves a device and even decrypt the standard SSL/TLS encryption the world uses to secure connections to everywhere from banks to social media platforms. This type of attack, known as a Man-in-the-Middle attack, could not be detected by a regular user, who would simply see what their phone or laptop is showing them: a secure connection, when it’s actually not.

 

On top of this, China’s central app for the games, known as MY2022, is rife with cybersecurity vulnerabilities that researchers at the University of Toronto’s Citizen Lab detailed in a report that was recently released in December. As with the hijacking of the wireless encryption, the MY2022 app has a “simple but devastating” flaw in its encryption configuration.

 

This mandatory app for attendees, not to mention athletes and journalists as well, is China’s way of monitoring COVID-19 during the games. However, with this integrated security flaw, the app could be turned into a data exfiltration platform, as the encryption can be broken, giving the state possible access to leaked data such as messages, voicemails, and anything else stored on the device. The organizers of the games stated that no one actually has to install this app on their phone and can, instead, elect to go to the official website to enter information. However, given the inconvenience of that option, many will simply install the app. Plus, the officials’ statement makes no mention that websites can be infected and that both mobile phones and laptops can be infected in that manner as well.

 

The MY2022 app also has a text file integrated into it called “illegalwords.txt” which contains an apparent list of words and phrases that the censorship-friendly government does not want used during the games. These items cover all of China’s greatest rights-violating hits, including mentions of Tibet and the minority Muslim population they’re actively surveilling and oppressing, as well as words about their current leader (who was apparently furious about being compared to Winnie The Pooh and so they banned that within the country).

 

While this may simply be business as usual for the Chinese government, this should act as a warning to the world of what the internet and interactions with governments could increasingly look like as China continues to expand its sphere of influence. Thanks to their Belt and Road initiative, they are bringing authoritarian-style internet infrastructure and software development to dozens of countries. They’ve even been silently modeling for other autocratic regimes how to censor and maintain control of their population while they’re online.

 

In 2018, I wrote an article for Forbes about the bifurcation that is coming to the internet by 2028. China is keeping on track with that timeline as they expand into even more countries around the world and start challenging traditional cooperative partnerships between some countries and the West. Recently, staunch US ally Saudi Arabia entered into an agreement with China to get China’s help in developing ballistic missiles for the kingdom. If that’s not a concerning shift in the balance of power in the Middle East, I don’t know what is. The world needs to be more concerned about this.

 

So, what can countries, and their citizens, do to help prevent the spread of foreign surveillance in their homes? Quite a bit, actually. 

 

First, understand that China has passed several laws starting in 2016 that essentially force China-based corporations to turn over all information and data on non-Chinese citizens they have collected to the government. By virtue of this, the standard approach to data privacy and security should be to understand that any app that originates in China has this requirement attached to it. Sorry TikTok users, but that app is owned by ByteDance in Beijing, and is known in the cybersecurity community as a Chinese government data mining app first and a pointless video app second.

 

Next, practice good cyber hygiene. Connecting to wireless infrastructure that is public is a recipe for getting hacked. Hotels, airports, coffee shops, arenas and more all offer wireless, and users have no idea how easy it is to compromise, or to spoof so that a malicious wireless access point looks legitimate, via an attack known as an Evil Twin. Enabling free options like multi-factor authentication for your logins helps to prevent easy theft or ransom of your data as well.

 

Also, when traveling abroad, it is important to limit what data goes along on the trip. Personally, when I have been in China on the business of securing US corporate interests against the Chinese state, I carry a laptop and mobile phone that have no sensitive data on them, so if they are ever stolen, taken from me or hacked, the information recovered is minimal. All of my devices are also fully encrypted for this reason as well and kept turned off unless in direct use. Many countries have told their Olympic delegations to bring burner devices to China and act in the same manner as I do when I’m there, and it’s so important to protecting privacy.

 

Finally, countries around the world need to start adopting better data privacy laws. The European Union has the GDPR, which protects EU citizens’ data no matter where it is (though recourse for GDPR violations under Chinese law is basically non-existent, it works most everywhere else). The United States is behind in this regard, though some states like California, Illinois, New York and others have enacted some type of privacy law. Data privacy and cybersecurity are agnostic from politics but not immune from it. Calling for both sides of the political aisle in the US to pass their own GDPR is a must.

 

China’s ascent in the last few decades has been profound to watch but also concerning for the future of human and civil rights. We may not be able to stop China from expanding its powers but we can stand together and deny them the ability to violate our online privacy by making the right choices and informing everyone of the risks. Good luck to the world’s athletes in the games, and good luck to all of us with our cherished yet eroding rights.




Nick Espinosa

Nick is the founder and CEO of Security Fanatics, the Cybersecurity/Cyberwarfare division of BSSi2 dedicated to designing custom Cyberdefense strategies for medium to enterprise corporations. As a member of the Board of Advisors for Roosevelt University’s College of Arts and Sciences as well as their Center for Cyber and Information Security, the Official Spokesperson for the COVID-19 Cyber Threat Coalition and a board member of Bits N’ Bytes Cybersecurity Education as well as Strategic Cybersecurity Advisor for the Private Directors Association, Nick helped to create an NSA certified curriculum that will help the Cybersecurity/Cyberwarfare community to keep defending our government, people and corporations from Cyber threats globally. In 2017 Nick was accepted into the Forbes Technology Council, an invitation-only community for world-class CIOs, CTOs and technology executives, and is a regular contributor of articles which are published on forbes.com as well as smerconish.com.

