FBI: Use a Burner Phone at the Olympics

The warning follows a Citizen Lab report that found the official, mandatory app has an encryption flaw that “can be trivially sidestepped.” Besides burners, here are more tips on staying cyber-safe at the Games.

Use a burner phone if you’re traveling to the Olympics, the FBI warned on Tuesday, lest you come home with a nasty case of malware and/or snatched personal data.

The FBI didn’t mention specific threats, per se, but its alert warned those traveling to the February 2022 Beijing Winter Olympics and March 2022 Paralympics that we’ve seen this all before with the Olympics, where “malicious cyber actors could use a broad range of cyber activities to disrupt these events.”

It’s not just athletes and other attendees’ personal phones that are going to be targeted by testosterone-pumped cyber actors or zealous state actors swarming the event, the bureau said, just as malicious actors zeroed in on the Tokyo Summer Olympics, looking to disrupt the Games’ TV broadcasts. The same day the FBI released a warning about that earlier threat, in July 2021, the personal data of volunteers and ticket purchasers for the Tokyo Olympics was leaked online.

In Tuesday’s alert (PDF), the FBI noted that NTT Corporation – which provided services for the Tokyo 2020 Summer Games – revealed (PDF) that there were more than 450 million attempted cyber-related incidents during the event, “though none were successful due to cybersecurity measures in place.”

“While there were no major cyber disruptions, the most popular attack methods used were malware, email spoofing, phishing and the use of fake websites and streaming services designed to look like official Olympic service providers,” the FBI said.

The FBI also noted that during the 2018 PyeongChang Winter Olympics, cyber actors associated with Russia conducted attacks, including the Olympic Destroyer attack that crushed the Games’ Opening Ceremony – attacks enabled through spear-phishing campaigns and malicious mobile apps.

Burner Phones to the Rescue

Expect a copy-C, copy-V situation this time around, the Feds warned. The FBI noted that the upcoming Olympic games in Beijing (which run Feb. 4 – 20) and the Winter Paralympics (March 4 – 13) will see a heightened risk of distributed denial-of-service (DDoS) attacks designed to disrupt events – the number of which had shattered records as of November 2021 – as well as ransomware, other malware, social engineering, data theft or leaks, phishing campaigns, disinformation campaigns, and insider threats.

With regards to packing a burner phone and leaving your personal phone at home, the FBI warned of potential threats associated with mobile apps developed by untrusted vendors. “The FBI urges all athletes to keep their personal cell phone at home and use a temporary phone while attending the events,” CISA (the Cybersecurity & Infrastructure Security Agency) said.

“The download and use of applications, including those required to participate or stay in country, could increase the opportunity for cyber actors to steal personal information or install tracking tools, malicious code, or malware,” according to the FBI’s Privacy Industry Notification (PIN) (PDF).

‘Official’ Apps Can Be Just as Bad

Security experts pointed out that it’s not just mobile apps coming from untrusted vendors that are sketchy. We’ve seen mobile apps packed with malware, delivering spy trojans via Google’s Play store; Joker malware repeatedly fleecing people with premium SMS charges, also on Google Play; and malicious apps that have infested Apple’s Play Store.

“This is a flaw in the model for publishing apps,” Mark Lambert, vice president of products at application security provider ArmorCode, told Threatpost via email on Tuesday. “Consumers expect that they are protected with ‘official apps,’ but the app store providers are not able to keep up with the volume and pace of apps being published to their marketplaces.”

The bureau noted that other Western countries have also warned their athletes to leave their personal devices at home or use temporary phones to reduce their cybersecurity risk. “The FBI to date is not aware of any specific cyber threat against the Olympics, but encourages partners to remain vigilant and maintain best practices in their network and digital environments,” according to the FBI’s PIN, which also lists network and remote-work best practices.

“Large, high-profile events provide an opportunity for criminal and nation-state cyber actors to make money, sow confusion, increase their notoriety, discredit adversaries, and advance ideological goals,” the FBI said.

The Feds gave a long laundry list of the factors that are going to spike the cybersecurity dangers: “Due to the ongoing COVID-19 pandemic, no foreign spectators will be allowed to attend the Olympics or Paralympics. Spectators will be reliant on remote streaming services and social media throughout the duration of the Games,” according to the alert.

“Adversaries could use social engineering and phishing campaigns leading up to and during the event to implant malware to disrupt networks broadcasting the event. Cyber actors could use ransomware or other malicious tools and services available for purchase to execute DDoS attacks against Internet service providers and television broadcast companies to interrupt service during the Olympics. Similarly, actors could target the networks of hotels, mass transit providers, ticketing services, event security infrastructure or similar Olympic support functions.”

FBI Warning Follows One From Citizen Lab

The FBI alert follows a similar cybersecurity warning from the Citizen Lab cybersecurity group, which last month warned that MY2022 – an app mandated for use by all attendees of the 2022 Beijing Olympic Games – has a “simple but devastating” flaw wherein encryption protecting users’ voice audio and file transfers “can be trivially sidestepped.”

The flaw endangers users’ health customs forms, which transmit passport details, their demographic information, and their medical and travel history, the group reported.

“Server responses can also be spoofed,” Citizen Lab said, “allowing an attacker to display fake instructions to users.”

Citizen Lab also said that MY2022 is subject to censorship based on a list of keywords, and that its privacy policy isn’t clear about who received and processed the data uploaded to the app.

Lookout researchers took a look at the app and found that the app also has a chat feature, as well as file transfer capabilities between users. “Considering the likelihood that the Chinese government could be monitoring all of this data, users should not use the app for anything more than the bare minimum,” warned Hank Schless, senior manager of security solutions at endpoint-to-cloud security company Lookout. “By the same token, they should enter as little information as they’re required to.”

Leave Other Blabby Gadgets Home, Too

It’s not just your phone, security experts emphasized: It’s every other blabby gadget that beams out data via cellular, Bluetooth or Wi-Fi connectivity: They’re all open to being compromised. “You should always turn off these capabilities when not in use, disable ‘discovery features’ and never connect to a source that you are unfamiliar with,” Mark Lambert, vice president of products at application security provider ArmorCode, told Threatpost via email on Tuesday.

“On a side note, be especially wary of internet connections broadcasting ‘Public Free Internet’ when you cannot verify physically that you are connecting to a trustworthy SSID – e.g. a posted sign.”

How to Stay Safe(r)

Lookout’s Schless told Threatpost on Tuesday via email that whether athletes and other attendees are using burner phones or not, “they should be incredibly wary of any individual, app, or message that encourages them to share login credentials.”

The risk of being phished on mobile is real, “regardless of the type of device or operating system,” he noted. “Apps could easily be running malware in the background, especially if they aren’t being downloaded from a trusted source like the App Store or Play Store.”

Be it a burner or not, keep your devices with you at all times or locked up in a safe place, he recommended.

This isn’t just good advice for traveling to China, of course. Border patrol agents can, and do, grab and search devices in countries such as the United States that don’t have as bad a rap as China does when it comes to state surveillance and censorship.

“Regardless of the country, border patrol in certain places may ask you to turn over any devices you’re bringing into the country,” Schless noted. “This could be incredibly high risk, as the agents may be under orders to install spyware on the device of anyone coming into the country – especially if it is run by an authoritarian government.”

John Bambenek, principal threat hunter at digital IT and security operations company Netenrich, told Threatpost that besides being mindful of one’s surroundings, it’s wise to use a dedicated card for the trip and keep others at home. Also, keep internet usage on your own burner phone or devices.

“Keep in mind that China does censor internet content and trying to evade such censorship to go to banned sites may get you in additional trouble,” he cautioned in an email on Tuesday. “As a general rule, I’ve avoided having any sensitive conversations while in a country that might be an espionage risk and simply waited to have them while at home.”

Finally, keep an eye on endpoints for indicators of compromise, advised Chris Clements, vice president of solutions architecture at Cerberus Sentinel. Also, enact general cybersecurity best practices such as multi-factor authentication and patching, he suggested.

“For those people traveling to Olympic games, it’s important to understand both the invasiveness and capabilities of border security agencies screening entry with regards to cyber security when traveling,” he noted in an email to Threatpost on Tuesday.

“As a rule, it’s important to assume all bets are off as to the security of any device traveling with you, the privacy of the data within, or to any accounts linked to that device including social media.”

He reiterated what others have said about this being good advice for “almost any foreign country. Border control agencies often have broad authority to inspect or completely clone devices, compel the traveler to unlock, or even share passwords for online accounts. For this reason, it’s often recommended that travelers concerned with this possibility carry disposable devices for use while traveling that can be disposed of before leaving.”
