All spied on or all paranoid? This is the one billion yen question that we have been asking ourselves since we set foot on Chinese soil to cover these Winter Olympics. Even a little earlier in fact, since we had to download the My2022 application, in January, a necessary condition to have the right to enter the Chinese health bubble.
Indeed, for several weeks, IT specialists have been alerting Games participants to possible security flaws in this application, which is supposed to centralize health information and simplify our lives once there (info on services bus, translation service, etc.), but which would also be used by the Beijing authorities to spy on us 24 hours a day.
January 26, the psychosis has even gone up a notch when Jonathan Scott, an American student-researcher, self-proclaimed best hacker in the world, claimed that “all the audio of Olympic athletes [était] collected, analyzed and stored on Chinese servers using technology used by an artificial intelligence company blacklisted by the United States”. It was enough for, in a context of extreme tension between the future first world power and the Western countries, the USA in the lead, everyone began to chatter their teeth at the idea that Big Brother is observing our slightest deeds and gestures (and words).
After reverse engineering all of the #Beijing2022 #spyware app for @Apple #ios and @Google #Android
I can definitively say all Olympian audio is being collected, analyzed and saved on Chinese servers using tech from USA blacklisted AI firm @iflytek1999 https://t.co/9wX1sP8PZP pic.twitter.com/hdIfiKX37m—Jonathan Scott (@jonathandata1) January 26, 2022
The hacker theory does not work
Faced with this eventuality, Olivier Blazy replies that we must remain cautious. For this computer science lecturer and head of the master’s degree in cybersecurity at the University of Limoges, “it is always legitimate to have suspicions when installing applications from China because, generally, these apps do a lot more than they are supposed to. They frequently try to install spyware and eavesdropping devices in our telephones or computers to exfiltrate information, although this is not at all the stated goal at the start”. But if there is any doubt about the good faith of the designers of the My2022 application, it is just as much about the quality of the work of our American hacker.
Many specialists question the validity of his accusations or, at the very least, the quality of his expertise. After having initially believed in the good faith of Jonathan Scott, Olivier Blazy pushed his research further and contacted us again when we arrived in China.
“The infosec community [informatique et sécurité] is skeptical because he provides data but lacks for each of them the detail that allowed to verify what he says, he writes to us. In fact, I think he found things that could be used for surveillance, but he did not provide any tangible proof that these elements were actually used (…) It would seem that in large part, this nobody wanted to surf on a conspiracy theory. Yes, there are some weird things in the app. But nothing that allows us to affirm 100% that they make deliberately hostile use of it. »
To get to the bottom of it, we tried to contact this whistleblower to tell him about our exchanges with the French academic and offer him to explain himself in more detail. After sending us back to a BBC News article titled “The FBI asks for temporary phones for Olympic athletes”, this one posted us screenshots of these exchanges with another IT specialist, to prove the seriousness of his analyzes. All accompanied by the following message: “I know that there are plenty of skeptics and haters who question my assertions, so I spoke with a computer security engineer and he confirms my fears”.
Relaunched on the subject, it has not given any sign of life since. It must be said that he has other fish to fry. Going up his Twitter feed, Scott seems to have made it his mission to respond to all his detractors, even if it means threatening some of them with legal action. Our computer knowledge stopping at Mr. Le Cunff’s course in techno at college, we decided not to enter the ring in our turn.
2,400 keywords under surveillance
What we can say, however, is that while My2022 may not be the spyware presented by Jonathan Scott, it is nonetheless suspicious in many other respects. Olivier Blazy: “The application uses iFlytek [pour gérer la fonctionnalité de traduction vocale de l’app] who is a start-up specialized in artificial intelligence and flown from China. However, this start-up caused a lot of talk when MIT, which had a contract with it, ended their collaboration after discovering the misuse they could make with its technology. This firm has since been banned by the US Department of Commerce and blacklisted for its involvement in surveillance of the Uyghur people.
Another source of concern, the revelations of the very serious Citizenlab, a renowned research laboratory of the University of Toronto, which brought to light security flaws in the management of (sensitive) data that we have entered into the application for almost three weeks (vaccination course, passport number, travel history to arrive in China). The Canadian experts also revealed that My2022 will contain features to flag “politically sensitive” content that may be held on the app’s chat feature. 2,400 keywords (such as “Uyghurs”, “dictatorship”, “Peng Shuai”) would thus be identified and transmitted to Chinese servers without anyone knowing exactly what this would entail for the people who uttered these forbidden words.
Be careful with the app… and watch out for stuffed animals!
Questioned before his departure for Beijing, the founder Lucas Chanavat claims to be “relatively careful” to these threats. “Afterwards, we are lucky to have an endowment at the Games via a partner who provides us with a telephone so I will take the opportunity to use it and leave mine aside, he specifies. I’m still going to take my computer but it’s not sure that I use it a lot. I will mostly be on my console (laughs)! “. For their part, the delegations decided to guard against any malicious intrusion during the Games and many are indeed providing temporary computers and telephones to their athletes. The Australians have simply come with their own wifi network in order to avoid any risk of espionage.
“These are relatively classic precautionary measures, analyzes Olivier Blazy. This is also what we, researchers, are advised to do when we go abroad. It’s reassuring, it proves that there is a small level of mistrust on the side of the delegations. As the discussion progressed, the cybersecurity expert also warned delegations against possible gifts that the organizers could give them.
Halfway between GoldenEye and OSS 117, the anecdote is crisp: “We have already seen soft toys offered with spy microphones in them to listen to what was being said. It’s stupid, these are spying techniques that have been around for a very long time and there is no reason for it to stop now that we are going digital since it works very well. ” By the way, what is the mascot of the olympics ? Ah yes, a pretty cute little panda. It comes in well in plush, that, it seems.