Arun ShankarThe FBI has notified Olympic athletes to leave their personal cell phones at home and carry a burner phone to the Beijing Winter Olympics. It has cited the potential for malicious cyber activities. The FBI has advised athletes to use a temporary phone while at the games. According to the FBI there is no country that presents a broader threat to US ideas, innovation, and economic security than China.
US intelligence officials have warned that officials and members of business and academia, who travel to China can face possible risk of their personal devices getting hacked. While US athletes are allowed to compete, the Biden administration is not sending government officials to the games.
The National Olympic Committees in some Western countries are also advising their athletes to leave personal devices at home or use temporary phones due to cybersecurity concerns at the Games.
Top executives of the industry share their opinions on this advisory also indicating that just switching to a burner may not be sufficient. It is equally important to avoid accessing personal and organisational credentials and accounts, even while using the burner phone. Transfer of data from the burner phone back to a primary device is best done through an intermediate account and device as well.
Read on for a deep dive on this subject.
Brian Chappell, Chief Security Strategist, BeyondTrust
Using a burner phone limits the exposure of the device to the trip itself. Assuming the burner is activated for the trip and discarded or even destroyed either before leaving China or on arrival in the USA, the opportunity for significant compromise is severely reduced.
There may be opportunity to monitor calls, texts and internet activity while the phone is in use within China, but this activity can be limited through good education on the risks for those travelling. Using a long-term device may result in the compromise remaining in place when the person returns to the USA, a far more serious concern and almost certainly the basis for the FBI statement.
With successful athletes potentially being invited into secure spaces, for example, The White House, those devices might offer a beachhead, in terms of a continued attack
The real objective of any compromise of a device would likely be to establish a method of access that remains available once the device leaves the country. Likely malware-spyware would be an inobtrusive monitoring and or remote access control tool that could allow attackers access to the device wherever it travels. The biggest benefit for the malicious actors in this scenario is full control over the infrastructure from where the attack originates.
There is no need to compromise telcos, masts or Wi-Fi, as these are all within their sphere of control. This should make eavesdropping, while in country, relatively easy but also provide far more opportunity to probe for vulnerabilities without triggering infrastructure monitoring that exists outside of the country borders. That alone could provide opportunity to discover vulnerabilities that could be exploited long after the person leaves the country, avoiding checks on devices when the individuals arrive back in the USA.
With successful athletes potentially being invited into secure spaces, for example, The White House, those devices might offer a beachhead, in terms of a continued attack. Not only that, being able to track athlete’s movements, conversations, messages, and potentially even compromise their encrypted social media feeds, long-term, potentially offers opportunities to coerce individuals. High-profile individuals will always represent a richer target for attackers.
Bahaa Hudairi, Regional Sales Director META, Lookout
Our smartphones and tablets are full of sensitive personal data that we would not want anyone to have their eyes on or potentially steal. In the case of Olympic athletes, they might have photos of sensitive health documents or passports saved as a backup on their mobile devices.
That being said, regardless of whether athletes and press are using burner phones or not, they should be incredibly wary of any individual, app, or message that encourages them to share login credentials because the risk of being phished on mobile exists regardless of the type of device or operating system.
Regardless of whether athletes are using burner phones or not, they should be incredibly wary of any message that encourages them to share login credentials
Furthermore, apps could easily be running malware in the background, especially if they are not being downloaded from a trusted source like the App Store or Play Store.
Also, there are concerns about the official Olympics application, so Lookout researchers took a look at the app, and found that it requires the user to enter some PII such as demographic information, passport information, travel and medical history. There also appears to be a list of forbidden words for censorship purposes.
The app also has a chat feature as well as file transfer capabilities between users. Considering the likelihood that the Chinese government could be monitoring all of this data, users should not use the app for anything more than the bare minimum. By the same token, they should enter as little information as they’re required to.
Cristiana Kittner, Principal Analyst, Mandiant Threat Intelligence
As with many high-profile international events, the Olympic Games generate a spike in economic activity and press coverage in the host nation, which we have seen attract the attention of cyber threat actors in the past.
With the Winter Olympics just around the corner, Mandiant has historically seen the Games attract the attention of cyber threat actors, but with them taking place in China this year, there are a few additional things to consider – whether you are attending, or part of an organisation with ties to the event.
Based on our understanding of threat activity surrounding previous Olympics, this activity could be in the form of nation-state actors and information operations campaigns using the media attention to embarrass rivals through hack-and-leak campaigns, website defacements or other disinformation.
We have also seen financial criminal actors capitalise on events like this to exploit increased tourism and local spending or use Olympic-themed subject lures in their malware campaigns targeting the public.
It is not just about protecting yourself, but also organisations you are linked with
“With the event in China this year, known to be one of the big four nations when it comes to cyber activity, we could also see reconnaissance activities on devices brought into the country by visitors. It is important to be aware that cyber activity could target athletes, officials and visitors, but also the different businesses that support the Olympics too, whether that is in industries like hospitality, telecoms or providing a sponsorship deal.
Leave your personal devices at home and take burner devices if you need to – ones that you will only use while visiting and replace afterwards. Secure these devices and accounts you will access with strong passwords.
Use a VPN at all times and enable multi-factor authentication wherever possible. Avoid accessing social media and banking if at all possible – pick up the phone and make a call for anything that requires credentials Remember your connections. It is not just about protecting yourself, but also organisations you’re linked with.
David Brown, Security Operations Director, Axon Technologies
In the past, where I come from, there was always an urging demand for holding secondary devices when traveling to certain counties that do not provide the same level of personal device ownership or have institutionalised censorship. However, holding a second device also means that it must come with a secondary account.
At the end of the travel, the device and accounts used are scrubbed. Even then, at no point should these devices or accounts be used to access any sensitive data or systems such as banking or primary account servers like email or storage.
To retrieve data like photos once home, it is recommended to use the second account to log into its web storage and download it to an intermediated system for scanning before uploading it to the primary account.
It is not about malware or spyware, where institutionalised censorship is the law, they have lawful interception. They see, record, and alter inline ether data you send or receive. There is no need to push malware when they have the right to access anything on the device and everything in transmission. This interception extends to legitimate apps.
The truth is that targeting will be widespread for average citizens, most likely via natural language processing
Furthermore, since they are running gateway proxies, both transparent and the Chinese firewall, they also control the end-to-end encryption of all transactions, so again, there is no need to push anything. When you leave and return home, they could have account access to your services and access as needed. At that point, they could push backdoors and infostealers to ensure access is maintained.
There is no reason why China would overly target average US sports citizens over any other global sports citizens; this is fearmongering. The truth is that targeting will be widespread for average citizens, most likely via Natural language processing keywords, standard practices already in use. There will then be a list of high-priority targets of people of interest that will span all global sports citizens in which real-time or near-time targeting is most likely with NLP.
Everyone should control their speech; you do not have freedom there. Mind what you say, always assume someone can hear everything. On top of that, we all know that there are hot button topics in China, so it is best to avoid discussing them. As the old saying goes, if you have nothing nice to say, say nothing at all.
Greg Day, Vice President, Global Field CSO, Cybereason
Any event, such as the Olympics, draws high volumes of people which inherently means more opportunity for cyber adversaries. At the most basic level, using a cheap burner phone means that if the phone is lost or stolen, the impact to the owner is reduced.
Taking it a step further, one aspect, that we have sadly seen grow in recent years, is ransomware being used by bad actors to analyse the data on a device and use it either for profit or to blackmail the victim. It is unlikely that athletes would have state secrets on their phones that would be of value, but it is likely they may have personal information that they would be embarrassed for others to know, which as high-profile athletes could make them susceptible to coercion.
If a nation state is serious about compromising devices, it is likely they would be using zero-day attacks, threats that are not detected by common security tools. Today, most people do not see their mobile phone or tablets as a risk and so many have very weak security; easy to guess passwords, no anti-threat controls and are likely to click on anything that pops up.
With the current global tensions occurring around the world, you have to consider what is the data on each device worth
If hackers attempt to compromise the mobile phones or tablets used by athletes or the traveling delegation from any nation in Beijing, there is a high likelihood they will be trying to install spyware and remote access trojans; software that allows the device to be controlled by third parties.
Consider if you will, how many people will be in a local proximity at different times of the games, country team meetings, key ceremonies. If hackers can compromise one device using the communications on that device, such as Bluetooth or other local peer-to-peer capabilities, they could analyse and compromise many other devices at the same time.
I do not anticipate US athletes being the only nation targeted. In fact, all nations are at risk. However, with the current global tensions occurring around the world, you have to consider what is the data on each device worth, which is loosely linked to the net-worth of the individual. But more importantly, you need to also consider what is that individual athlete or delegation representative worth and that is where the nationality of the device owner is key.
James Maude, Lead Cyber Security Researcher, BeyondTrust
There is an identity angle here for us as well. It is all well and good using burner phones but if these are used to sign into accounts then there is an opportunity for device compromise to lead to identity compromise. A device these days can be temporary and easily replaced however a user’s digital identity is far more permanent.
A device these days can be temporary and easily replaced however a user’s digital identity is far more permanent.
As such it is as important, if not more, to protect the users’ identity and access as it is not the mobile device that magically grants access to data but the identities and the access these allow.
Joseph Carson, Chief Security Scientist & Advisory CISO, Delinea
It really depends on what risks your personal cell phone could expose. So before deciding to use a burner phone you should really understand what risks you are trying to reduce. If your cell phone is an extension of everything you do aka your complete digital life such as health data, personal information, financial information, election voting to business data then you should really consider if your phone gets fully compromised what would the impact be to you personally and your company.
It is also important that people understand that a burner phone does not mean a second phone and it means that you can easily wipe it clean, cannot be personally traced to you and you do not access any sensitive data from that phone so you would simply use an encrypted messaging service that is temporary for that period of time.
When going through any border crossing most have the rights to check your electronic devices and possibly clone them
Honestly while travelling to many countries not just China, you should consider the same practice as when going through any Border crossing most have the rights to check your electronic devices and possibly clone them. So yes, while China is top of mind right now you should always consider what other countries laws could result in the same compromise and risks.
When inside a controlled network, anything you do online is already filtered and might not be the official website you think it is. So, it is very easy to insert malware that could steal credentials, passwords, exfiltrate sensitive data, steal identities, embed backdoor agents and much more.
It is not only a risk for US sports citizens but all citizens from around the world who should be vigorous and cautious when bringing devices that contain sensitive data or could be used later by attackers to gain persistent access long after the Olympics is over. The Olympics is the perfect venue to be able to infect as many people as possible.
Steve Cottrell, CTO EMEA, Vectra AI
A very sophisticated culture of surveillance and censorship exists in China, and it IS worth noting that Chinese laws differ markedly from Western ones. Within China, authorities can request access to and access any data being transmitted within its geographical territory.
The official Olympic games application, which all athletes and officials are required to use, has been shown to have significant vulnerabilities that if exploited could lead to data on the handset being compromised.
Within China, authorities can request access to and access any data being transmitted
Chinese authorities are deeply concerned about protecting China’s image both at home and overseas which has led them to become the world’s leading advanced digital authoritarian state. The Olympic Games application has been shown to contain censorship capabilities which are designed to safeguard the official State narrative and ensure China is perceived in a positive light.
Upon their arrival, athletes should expect to have their phones voice and data intercepted. There are a number of national security laws which are enforced that compel all communications companies to provide the information to the state’s intelligence and security services upon request.
Top executives indicate switching to a burner may not be sufficient, and it is equally important to avoid accessing personal and organisational accounts.
