Olympic athletes heading to China for the upcoming Winter Games should use burner phones and rental computers, and understand clearly that there’s “no expectation of data security or privacy” while moving around in China.
That’s the blunt warning from the U.S. Olympic and Paralympic Committee ahead of next month’s games in Beijing where there’s an elevated risk of malware infections and data compromise.
The guidance is an important reminder to businesses that international travel, even though curtailed by the pandemic, presents a clear and present danger to sensitive company data and intellectual property.
“No guarantees of data privacy or security should be made regardless of the security technology utilized. Assume that every device and every communication, transaction, and online activity will be monitored. Devices may also be compromised with malicious software designed to compromise the device and its future use,” the committee said in a notice seen by SecurityWeek.
It recommended that a “sterile device” be used when entering China and, upon exit, “ the cleansing and destruction of the information on the device ensures the highest degree of security.”
[ Virtual Event: Ransomware Resilience & Recovery Summit – Jan. 26 ]
The committee specifically pushed the U.S. delegation to use burner phones and carefully wipe and destroy devices after use in China.
“The applications and data on the mobile devices brought into China should be cleansed and devices brought out of the country should be wiped and destroyed due to the risk of further network and data infection by malicious programs. The usage of rental cellphones is preferred.”
“Personal mobile devices (cellphones and tablets) are discouraged from being brought into China,” it added.
The group also recommended the use of “rental computers” and warned that “the greatest threat to security is both the data that is brought into China as well as the potential malicious programs that are brought out.”
Upon entry into China, business travelers and athletes should understand that Chinese authorities have the authority to inspect or seize any device for security reasons during customs processing. Although these incidents are rare, olympians should assume that every text, email, online visit, and application access can be monitored or compromised.
“There should be no expectation of data security or privacy while operating in China,” the group warned, noting that the use of firewalls, anti-malware and encryption technologies are encouraged but aren’t guaranteed to provide real protection.
“Despite any and all safeguards that are put in place to protect the systems and data that are brought to China, it should be assumed that all data and communications in China can be monitored, compromised or blocked.”
At a minimum, it said Windows and macOS-powered machines landing in China should be cleansed of personal and business data and hardened via appropriate security software and protocols at the BIOS, authentication, and application level.
The Olympic Committee‘s guidance comes just days after the discovery of a “simple but devastating flaw” in the encryption of the MY2022 app used to monitor COVID infections. The app is mandatory for athletes, journalists and other attendees of the games in Beijing and security experts warn that the flaw exposes health information, voice messages and other data to leakage.
The International Olympic Committee responded to the report by saying users can disable the app’s access to parts of their phones and that assessments from two unnamed cyber security organizations “confirmed that there are no critical vulnerabilities.”
Citizen Lab said it notified the Chinese organizing committee for the Games of the issues in early December and gave them 15 days to respond and 45 days to fix the problem, but received no reply.