FBI asks athletes to use burner phones during Beijing Winter Olympics

Due to cybersecurity concerns, the U.S. Federal Bureau of Investigation (FBI) has asked athletes participating in the February 2022 Beijing Winter Olympics and March 2022 Paralympics to use a temporary phone while at the games. Though the FBI is not aware of any specific cyber threats against the Olympics, athletes should err on the side of caution and remain vigilant, the federal agency says. In some Western countries, the National Olympic Committees are also advising their athletes to leave personal devices at home or use temporary phones.

Cyber actors could use a broad range of cyber activities to disrupt these events, including distributed denial of service (DDoS) attacks, ransomware, malware, social engineering, data theft or leaks, phishing campaigns, disinformation campaigns, or insider threats, and when successful, can block or disrupt the live broadcast of the event, steal or leak sensitive data, or impact public or private digital infrastructure supporting the Olympics.

In addition, participants and travelers should be very cautious of potential threats associated with mobile applications developed by “untrusted vendors,” which may require participants to download or use applications, increasing the opportunity for threat actors to steal personal information or install tracking tools, malicious code, or malware.

In addition, the use of new digital infrastructure and mobile applications, such as digital wallets or applications that track COVID testing or vaccination status, could also increase the opportunity for cyber actors to steal personal information or install tracking tools, malicious code, or malware, the FBI says. Athletes will be required to use the smartphone app, MY2022, which will be used to track the athletes’ health and travel data, which can be prone to data breaches and exploitation as well as the potential risks of being expanded to a broader range of social and political surveillance, according to an analysis of the My2022 app by Citizen Lab. In its analysis, Citizen Lab found a “simple but devastating flaw where encryption protecting users’ voice audio and file transfers can be trivially sidestepped.”

“For most people, their cellphone represents the highest concentration of personal information, access credentials, and even pathways into corporate or government networks, so the idea of traveling “digitally nude” is meant to mitigate this risk. The secondary issue is the potential for a phone to be implanted with malware for later use, which is what the concept of “burning” the phone once finished is meant to mitigate,” says Casey Ellis, Founder and CTO at Bugcrowd, a California-based leader in crowdsourced cybersecurity.

Spectators will rely on remote streaming services and social media throughout the duration of the games. It's likely that threat actors could use social engineering and phishing campaigns leading up to and during the event to implant malware to disrupt networks broadcasting the event. In the 2018 PyeongChang Winter Olympics, for example, Russian cybercriminals conducted a destructive cyberattack during the opening ceremony with the aid of spearphishing campaigns and mobile applications.

In addition, cyber actors could use ransomware or other malicious tools and services available for purchase to execute DDoS attacks against internet service providers and television broadcast companies to interrupt service during the Olympics. Similarly, actors could target the networks of hotels, mass transit providers, ticketing services, event security infrastructure or similar Olympic support functions.

During the 2020 Tokyo Olympics and Paralympics, the NTT Corporation — which provided its services for the Tokyo Olympic & Paralympic Games — revealed there were more than 450 million attempted cyber-related incidents during the event. However, none were successful due to cybersecurity measures in place. While there were no major cyber disruptions, the most popular attack methods used were malware, email spoofing, phishing and the use of fake websites and streaming services designed to look like official Olympic service providers.

Recommendations

In addition to using a temporary phone, how can travelers stay safe? Ellis suggests that using a VPN, even over cellular networks, is a good idea — although this can often be difficult as “China’s Great Firewall tends to block privacy-preserving services,” he says.

Mark Lambert, Vice President of Products at ArmorCode, a California-based application security provider, says Bluetooth or Wi-Fi capabilities should be turned off when not in use. Discovery features should be disabled, and users should never connect to an unfamiliar source. “On a side note, be especially wary of internet connections broadcasting “Public Free Internet” when you cannot verify physically that you are connecting to a trustworthy SSID - e.g., a posted sign,” Lambert explains.

Regardless of whether athletes and press are using burner phones or not, they should be incredibly wary of any individual, app, or message that encourages them to share login credentials. “The risk of being phished on mobile exists regardless of the type of device or operating system,” explains Hank Schless, Senior Manager, Security Solutions at Lookout, a California-based endpoint-to-cloud security company. “Apps could easily be running malware in the background, especially if they aren’t being downloaded from a trusted source like the App Store or Play Store. Do your best to keep whatever device you choose to use with you at all times or locked up in a safe place.”

Lookout researchers also conducted an analysis of the My2022 app and found that it requires the user to enter some PII such as demographic information, passport information, travel and medical history. Schless shares there also appears to be a list of forbidden words for censorship purposes, a chat feature, and file transfer capabilities between users. He says, “Considering the likelihood that the Chinese government could be monitoring all of this data, users should not use the app for anything more than the bare minimum. By the same token, they should enter as little information as they’re required to.”

John Bambenek, Principal Threat Hunter at Netenrich, a California-based digital IT and security operations company, encourages athletes and other participants always to be mindful of their surroundings, use a dedicated card for the trip and keep others at home, and keep their internet usage to their burner phone or devices. “Keep in mind that China does censor internet content, and trying to evade such censorship to go to banned sites may get you in additional trouble. As a general rule, I’ve avoided having any sensitive conversations while in a country that might be an espionage risk and simply waited to have them while at home,” Bambenek explains.

For service providers and other relevant partners, the FBI suggests maintaining business continuity plans, reviewing or establishing security policies, user agreements, and patching plans to address current threats posed by malicious cyber actors.

A few other network best practices include:

Patch and update operating systems, software, and firmware as soon as manufacturer updates are available.
Regularly change network system and account passwords, and avoid reusing passwords for multiple accounts.
Utilize multi-factor authentication when possible.
Monitor remote access/Remote Desktop Protocol (RDP) logs and disable unused remote access/RDP ports.
Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.
Regularly audit administrative user accounts and configure access controls under the concept of least privilege.
Regularly audit logs to ensure new accounts are legitimate users.
Scan the network for open and listening ports, and mediate unnecessary ones.
Identify and create offline backups for critical assets.
Implement network segmentation.
Automatically update antivirus and anti-malware solutions and conduct regular virus and malware scans.

In addition to the above network best practices, the FBI also recommends the following:

Maintain offline, encrypted backups of data. Regularly test those backups and keep them current.
Create, maintain, and exercise a basic cyber incident response plan that includes procedures for response and notification in a ransomware incident and plans for the possibility of critical systems being inaccessible for a period of time.
Provide end user awareness and training. To help prevent targeted social engineering, ransomware, and phishing scams, ensure that employees and stakeholders are aware of potential cyber threats and how they are delivered. Also, provide users with training on information security principles and techniques.
Employee knowledge of reporting procedures: Ensure that employees are aware of what to do and whom to contact when they see suspicious activity or suspect a cyberattack to help quickly and efficiently identify threats and employ mitigation strategies.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.