
Robert Clark, Contributing Editor, Special to Light Reading

January 20, 2022

Chinese officials won't fix security flaws in Olympic app

The bad news – if you were hoping to attend – is the Winter Olympics in Beijing has banned virtually all spectators.

The good news is that means you won't have to download the official Olympics app, which is said to contain multiple security holes that authorities won't fix.

The University of Toronto's Citizen Lab says personal data such as medical and passport details can be hacked, server responses can be spoofed, and encryption on audio and file transfers can be easily sidestepped.

Figure 1: Security issues: You're better off keeping your phone for photos rather than using the Olympics app to keep track of the events you won't be attending. (Source: Xinhua / Alamy Stock Photo)

Athletes are required to install the My2022 app at least 14 days before they arrive in Beijing, according to official advice. They must supply vaccination status and personal details and carry out a daily health check until they leave.

The app is available from Apple and Android app stores for non-athletes to download as well.

No answers

Citizen Lab said it advised the Beijing Olympic Committee of the security flaw on December 3 but has since had no response from either the committee or the app developer.

It points out China has a "history of undermining encryption technology" in order to perform censorship and surveillance and in exploiting unencrypted communications.

"Furthermore, local Chinese governments routinely use data interception technology to sniff Wi-Fi traffic for surveillance purposes."

The IOC told DW.com it has had the app inspected by two cybersecurity teams who found no vulnerabilities.

It said the app can be configured by the user to disable access to features such as files, calendar, contacts and location. It also said the app is not compulsory – "accredited personnel" can fill out forms on the website.

But Citizen Lab Director Ron Deibert said the IOC response did not address the security holes it had reported.

He pointed out that a new version of the app had been issued on January 17 that contained the same vulnerabilities the Lab had reported six weeks earlier.

War games

The spat over the app suggests that information warfare and hi-tech rivalry will be as much a part of the games, due to start on February 4, as curling and luge.

Already the US, German, Dutch, Canadian and British Olympic teams have told their athletes to leave their phones and laptops behind and take burner devices to the games.


No Chinese official has commented, but in a story picked up by Chinese media, the head of Russia's Foreign Intelligence Service, Sergey Naryshkin, has said his agency had information about a "massive campaign" of interference by the US and allies against the Beijing event.

"We see them trying to discredit the organizers of the Olympic Games in Beijing," Tass reported.

— Robert Clark, contributing editor, special to Light Reading


About the Author(s)


Robert Clark is an independent technology editor and researcher based in Hong Kong. In addition to contributing to Light Reading, he also has his own blog, Electric Speech (http://www.electricspeech.com).
