A staggering 1 billion users of Chinese keyboard apps are at risk of having their keystrokes exposed to malicious actors due to significant security vulnerabilities discovered in cloud-based pinyin keyboard apps. The findings, uncovered by the Citizen Lab, reveal weaknesses in eight out of nine apps from prominent vendors like Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. Huawei’s keyboard app is the only one that does not have any security shortcomings.

The vulnerabilities could be exploited to completely reveal the contents of users’ keystrokes in transit, according to researchers Jeffrey Knockel, Mona Wang, and Zoë Reichert. This is particularly concerning given the widespread use of these apps, with Input Method Editors (IMEs) from Sogou, Baidu, and iFlytek accounting for a significant market share.

The identified issues include:

  • Tencent QQ Pinyin’s vulnerability to a CBC padding oracle attack, which could allow attackers to recover plaintext.
  • Baidu IME’s bug in the BAIDUv3.1 encryption protocol, which allows network eavesdroppers to decrypt network transmissions and extract typed text on Windows.
  • Insufficient encryption in iFlytek IME’s Android app, which allows network eavesdroppers to recover plaintext.
  • Samsung Keyboard on Android transmitting keystroke data over plain, unencrypted HTTP.
  • Xiaomi, OPPO, Vivo, and Honor’s preinstallation of vulnerable keyboard apps from Baidu, iFlytek, and Sogou.

Successful exploitation of these vulnerabilities could permit adversaries to decrypt Chinese mobile users’ keystrokes entirely passively without sending any additional network traffic. Following responsible disclosure, all keyboard app developers except Honor and Tencent (QQ Pinyin) have addressed the issues as of April 1, 2024.

To mitigate these privacy issues, users are advised to keep their apps and operating systems up to date and to switch to a keyboard app that operates entirely on-device. App developers are recommended to use well-tested, standard encryption protocols instead of developing homegrown versions that could have security problems. App store operators should not geoblock security updates, and should allow developers to attest that all data is transmitted with encryption.

The Citizen Lab theorizes that Chinese app developers may be less inclined to use cryptographic standards perceived as “Western” due to concerns that they may contain backdoors, prompting them to develop in-house ciphers. Given the scope of these vulnerabilities, the sensitivity of what users type on their devices, and the ease with which these vulnerabilities may have been discovered, it is possible that such users’ keystrokes may have also been under mass surveillance.

The severity of these vulnerabilities highlights the need for increased security measures in the development of keyboard apps, particularly those handling sensitive user data. Users are urged to take immediate action to protect their privacy and security.