After China issued a warning of “certain punishment” for athletes making political statements during the Winter Olympic Games kicking off next month, analysts at risk intelligence firm Flashpoint have warned attendees to get “burn phones” while in Beijing.
While China has restricted attendance to people living there, the 44 athletes from Australia and over 13,000 Australian expats living in China should be on alert given current tensions between Beijing and Canberra and the security concerns identified in the MY2022 app athletes are required to use.
According to independent research by The Citizen Lab at the University of Toronto titled “Cross-Country Exposure: Analysis of the MY2022 Olympics App”, the MY2022 app, mandated for use by all attendees of the 2022 Olympic Games in Beijing, has a simple but devastating flaw where encryption protecting users' voice audio and file transfers can be trivially sidestepped. Health customs forms that transmit passport details, demographic information, medical and travel history are also vulnerable. Server responses can also be spoofed, allowing an attacker to display fake instructions to users.
While the MY2022 app is fairly straightforward about the types of data it collects from users in its public-facing documents, the app also collects a range of highly sensitive medical information, and it is unclear with whom or with which organisation/s it shares this information.
The MY2022 app also includes a function that allows users to report "politically sensitive" content, which includes a censorship keyword list. While this feature is presently inactive, it aims to target a variety of political topics including domestic issues such as Xinjiang and Tibet, as well as references to Chinese government agencies.
People attending the games in Beijing should assume their personal devices as well as traffic to and from devices are under constant watch by Chinese authorities, according to analysts at risk intelligence firm Flashpoint.
"The prevailing assumption should be that one's personal devices (and being) are under continuous watch by Chinese authorities," Flashpoint analysts warned.
The Flashpoint analysts warned that attendees should consider maintaining a set of devices for exclusive use in China, wiping these after each trip, while sensitive conversations should be held "as sparingly as possible", if at all.
"An obvious solution, although not the only measure one should take, is to maintain a reserve group of devices for exclusive use in China, each of which is analysed and wiped after each trip.
"The same caution should be paid to traffic to and from these devices," Flashpoint analysts warned.
"While it may incur some additional cost, the price of having one’s personal or work device captured and scanned, not to mention if something deemed sensitive is found on the phone, can be much greater," Flashpoint analysts said.
Attendees should consider keeping a policy on these devices that automatically connects to a VPN before the device fetches emails and makes other web requests. However, the assumption should always be that communications inside China are inherently insecure, and sensitive conversations should be held as sparingly as possible, even with these measures in place.
Physical security concerns in China can include large crowds, disease, food poisoning and a relatively blasé attitude towards public safety issues on sidewalks, streets and public spaces. There have also been cases of security incidents in and around Tiananmen Square; however, those events have historically been limited to Chinese citizens trying to draw attention to grievances.
Outside of Beijing, there have been numerous cases of terrorist attacks by groups seeking to draw attention to China’s treatment of Uyghurs in Xinjiang and its involvement in third countries with groups that have enemies who carry out terrorist attacks.
While China’s "closed loop" for athletes, coaches and other Olympic participants will most likely insulate these travellers from most physical security risks, official or unofficial harassment of those outside this bubble may occur.
Nastasha is a Journalist at Momentum Media. She reports extensively across veterans affairs, cyber security and geopolitics in the Indo-Pacific. She is a co-author of a book titled The Stories Women Journalists Tell, published by Penguin Random House. Previously, she was a Content Producer at Verizon Media, a Digital Producer for Yahoo! and Channel 7, a Digital Journalist at Sky News Australia, as well as a Website Manager and Digital Producer at SBS Australia. Nastasha started her career in media as a Video Producer and Digital News Presenter at News Corp Australia.