Give smart phones a rest
European visitors to the FIFA World Cup Qatar 2022 must change their communications game in Qatar, warns Synopsys Cybersecurity Research Center (CyRC), an expert on the local conditions. CyRC said England fans, for example, might be better off leaving their smartphones on the bench for the fixture against Iran in the Khalifa Stadium today. Instead, CyRC has suggested they give burner handsets a debut in Riyyala because, as security consultant Travis Biehn warns, the England phones will be left vulnerable by unfamiliar software which might lead them to fall foul of local authorities.
Scouts from agit-prop web site Politico have collated the dangers allegedly posed to 1.5 million visitors by local conditions, namely two Qatar World Cup apps that they are obliged to ingest on their phones. The first download is the official World Cup app Hayya. Secondly, those needing health services must download the infection-tracking app Ehteraz. Both apps have been outed as spyware by security experts because they secretly give the Qatari authorities omnipotent access to each user’s data, allowing them to read, delete or change content and even make direct calls. “I would never bring my mobile phone on a visit to Qatar,” said Øyvind Vasaasen, head of security at NRK.
After reviewing the warnings of Europe’s regulators, NRK warned that Qatar’s World Cup apps are a massive privacy risk. The German Federal Commissioner for Data Protection and Freedom of Information (BFDI) says privacy has got absolutely no chance because visitors are being asked to download apps that go much further than their privacy notices indicate. One app notes which numbers each visitor has stored on their phone and whether they call them during the tournament. Another, once installed, actively prevents the device from going into sleep mode. “It is obvious that the data used by the apps is transmitted to a central server,” said BFDI’s guidance.
The Norwegian communications regulator NKOM said the extensive access demanded by the apps means that visitors to Qatar, especially vulnerable groups, will be monitored by the Qatari authorities. French regulator CNIL warned fans to take “special care” with photos and videos and told travellers to install the apps just before departure and delete them as soon as possible. “In France, we protect the fundamental rights of individuals and the protection of their data. This is not the case in Qatar,” tweeted Junior Minister for Digital Jean-Noël Barrot.
The apps may collect evidence that would be used either to watch potential enemies, allow police to arrest people for exercising basic human rights, or act as evidence after arrest in corrupt courts enforcing incredibly draconian laws, according to Jamie Boote, software security consultant at the Synopsys Software Integrity Group.
Additionally, the app does not offer two-factor protection, which opens it up to brute-force attacks by hackers. The COVID contact tracing app, “EHTERAZ 12.4.7,” contained at least eight outdated software components that themselves contain serious security flaws, including 13 critical severity vulnerabilities and 20 high severity vulnerabilities. The most dubious software components are old versions of message processing libraries like GSON and Expat, as well as the image processing libraries libpng and libjpeg-turbo. The message processing libraries contain serious memory corruption vulnerabilities and are likely used for processing messages from the application’s back-end server.
“The second you touch down in Qatar your phone no longer belongs to you. Don’t bring any files or data that you don’t want the Qatari government peeking at. Bring a burner phone that you can bin the minute you leave. Dispose of the potentially compromised device when you get home so the malware won’t continue to spy on your communications,” said Boote.