FBI urges athletes to keep personal devices at home, use burners during Beijing Winter Olympics

In a notice released on Monday, the FBI warned Olympic athletes about bringing their devices to the 2022 Beijing Winter Olympics and March 2022 Paralympics while also raising concerns about the potential for cyberattacks against the event. 

In a wide ranging alert, the FBI said entities associated with the games should prepare for “a broad range of cyber activities to disrupt these events” including distributed denial of service (DDoS) attacks, ransomware, malware, social engineering, data theft or leaks, phishing campaigns, disinformation campaigns, or insider threats. 

The attacks would seek to “block or disrupt the live broadcast of the event, steal or leak sensitive data, or impact public or private digital infrastructure supporting the Olympics.” 

“Additionally, the FBI warns Olympic participants and travelers of potential threats associated with mobile applications developed by untrusted vendors. The download and use of applications, including those required to participate or stay in country, could increase the opportunity for cyber actors to steal personal information or install tracking tools, malicious code, or malware,” the FBI said. 

“The FBI urges all athletes to keep their personal cell phones at home and use a temporary phone while at the Games. The National Olympic Committees in some Western countries are also advising their athletes to leave personal devices at home or use temporary phones due to cybersecurity concerns at the Games. The FBI to date is not aware of any specific cyber threat against the Olympics, but encourages partners to remain vigilant and maintain best practices in their network and digital environments.”

The FBI noted that during the 2020 Tokyo Olympics and Paralympics, the NTT Corporation — which provided its services for the Tokyo Olympic & Paralympic Games — revealed there were more than 450 million attempted cyber-related incidents during the event.

NTT officials told ZDNet in October that none of the attacks were successful and added that the games went on without a hitch, but the number of attacks was 2.5x the number seen during the 2012 London Summer Olympics.

NTT’s Andrea MacLean compared the cybersecurity struggle to Harry Potter’s final fight against Voldemort, calling the effort to protect the event “Herculean.”

“Cybercriminals certainly saw the Games — and its related supply chain — as a high-value target with low downtime tolerance. After all, crime follows opportunity. And with connected stadiums, fan engagement platforms and complete digital replicas of sporting venues and the events themselves becoming the norm, there’s plenty of IT infrastructure and data to target — and via a multitude of components,” MacLean said. 

MacLean said among the 450 million attacks, NTT saw the Emotet malware, email spoofing and phishing, as well as fake websites made to look like they were associated with the Olympics. The FBI released a similar warning ahead of those Olympic Games as well. 

There has been significant debate and discussion within the cybersecurity community about the MY2022 smartphone app that the Chinese government is requiring all Olympic athletes to download upon entry into the country. 

Citizen Lab released a detailed examination of the app, noting that a “simple but devastating flaw” allegedly allows the encryption protecting users’ voice audio and file transfers to be “trivially sidestepped.”

According to Citizen Lab, passport details, demographic information, and medical/travel history in health customs forms are also allegedly vulnerable. Server responses can reportedly be spoofed, allowing an attacker to display fake instructions to users, according to the report.

The MY2022 app also allegedly allows users to report “politically sensitive” content and includes a censorship keyword list involving topics like Xinjiang and Tibet. 

Since that report was released, some have said concerns about the app are exaggerated and that it does not actually collect voice data from users. In comments to ZDNet, the International Olympic Committee defended the app and downplayed the severity of the issues discovered by Citizen Lab.

A spokesperson justified the app’s security holes by saying that due to the COVID-19 pandemic, “special measures” needed to be put in place to “protect the participants of the Olympic and Paralympic Winter Games Beijing 2022 and the Chinese people.” The IOC also defended the app by saying it received approval from the Google Play store and the App Store.

“Therefore, a closed loop management system has been implemented… The ‘My2022’ app supports the function for health monitoring. It is designed to keep Games-related personnel safe within the closed loop environment. The user is in control over what the ‘My2022’ app can access on their device. They can change the settings already while installing the app or at any point afterwards. It is not compulsory to install ‘My 2022’ on cell phones, as accredited personnel can log on to the health monitoring system on the web page instead,” the IOC claimed. 

“The IOC has conducted independent third-party assessments on the application from two cyber-security testing organizations. These reports confirmed that there are no critical vulnerabilities.”

In spite of the debate over the app, the UK, Australia, and Germany have all urged their citizens to leave all of their personal devices and laptops at home over concerns that they will be hacked or monitored by the Chinese government both during the games and once they go home. The Dutch Olympic Committee has already banned its citizens from bringing their devices to the games.