The FBI has urged all athletes to keep their personal smartphones at home and instead use a temporary phone while at the Olympic Games.
The organisation published a notice in which it warns entities associated with the February 2022 Beijing Winter Olympics and March 2022 Paralympics that cyber actors could use a broad range of cyber activities, including DDoS or ransomware attacks, to disrupt the events.
Additionally, the FBI warned Olympic participants and travellers of potential threats associated with mobile applications developed by untrusted vendors.
“The download and use of applications, including those required to participate or stay in the country, could increase the opportunity for cyber actors to steal personal information or install tracking tools, malicious code, or malware,” said the FBI.
The organisation recommends all athletes to use a temporary phone, highlighting that the National Olympic Committees in some Western countries are also advising athletes to leave personal devices at home due to cyber security concerns at the Games.
However, it added that it isn’t aware of any specific cyber threat against the Olympics, but encourages partners to remain vigilant and maintain best practices in their network and digital environments.
It pointed to the 2020 Tokyo Olympics and Paralympics, where there were over 450 million attempted cyber-related incidents during the event, although none were successful due to the cyber security measures in place, according to the NTT Corporation which was in charge of IT security. The most popular attack methods used were malware, email spoofing, phishing, and the use of fake websites and streaming services designed to look like official Olympic service providers.
The FBI added that the use of new digital infrastructure and mobile applications, like digital wallets or applications that track COVID testing or vaccination status, could also increase the opportunity for cyber actors to inflict damage. This could allow them to steal personal information or install tracking tools, malicious code, or malware. The FBI underlined that athletes will be required to use the MY2022 smartphone app to track their health and travel data.
The best defence against ransomware
How ransomware is evolving and how to defend against it
The MY2022 app was analysed by Citizen Lab researchers who said they had found it contained a “devastating” encryption flaw, which it said allowed users’ audio and file transfer encryption to be sidestepped. The researchers also said it fails to validate SSL certificates and can be deceived into connecting to a malicious host.
There also appears to have been some misinformation surrounding the privacy of the Chinese app, with one researcher, Jonathan Scott, claiming that athletes’ audio is being collected, analysed, and saved on servers belonging to a Chinese AI firm with human rights concerns called iFlytek. This claim has been shared by US senators and a prominent podcaster on Twitter.
However, members of the infosec community have said the researcher’s claim is unsubstantiated by any of the evidence provided, even though it has already been shared widely.
