Major security flaws put keystrokes at risk for more than 1 billion Chinese keyboard app users

April 24, 2024 | Pressroom | Mobile encryption/security


Security vulnerabilities discovered in cloud-based Pinyin keyboard apps could be exploited to reveal user keystrokes to malicious actors.

The findings come from Citizen Lab, which discovered weaknesses in eight of nine apps from vendors such as Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo and Xiaomi. The only vendor whose keyboard app had no security issues is Huawei.

The vulnerabilities could be exploited to “fully reveal the contents of user keystrokes during transit,” researchers Jeffrey Knockel, Mona Wang and Zoë Reichert said.

The disclosure builds on previous research by the interdisciplinary laboratory, based at the University of Toronto, which identified cryptographic flaws in Tencent’s Sogou Input Method last August.

Overall, nearly one billion users are estimated to be affected by this class of vulnerabilities, with Input Method Editors (IMEs) from Sogou, Baidu, and iFlytek accounting for a huge chunk of the market share.


A summary of the issues identified is as follows:

  • Tencent QQ Pinyin, which is vulnerable to a CBC padding oracle attack that could make plaintext recovery possible
  • Baidu IME, which allows network eavesdroppers to decrypt network transmissions and extract typed text on Windows due to a bug in the BAIDUv3.1 encryption protocol
  • iFlytek IME, whose Android app allows network eavesdroppers to recover the plaintext of insufficiently encrypted network transmissions
  • Samsung keyboard on Android, which transmits keystroke data via plain, unencrypted HTTP
  • Xiaomi, which comes pre-installed with keyboard apps from Baidu, iFlytek, and Sogou (and therefore susceptible to the same flaws mentioned above)
  • OPPO, which comes pre-installed with keyboard apps from Baidu and Sogou (and therefore susceptible to the same flaws mentioned above)
  • Vivo, which comes pre-installed with Sogou IME (and therefore subject to the same flaw mentioned above)
  • Honor, which comes pre-installed with Baidu IME (and therefore subject to the same flaw mentioned above)

Successfully exploiting these vulnerabilities could allow hackers to decrypt keystrokes typed by Chinese mobile users entirely passively, without sending any additional network traffic. Following responsible disclosure, all keyboard app developers except Honor and Tencent (QQ Pinyin) have addressed the issues as of April 1, 2024.


Users are advised to keep their apps and operating systems updated and switch to a keyboard app that works entirely on the device to mitigate these privacy concerns.

Other recommendations urge app developers to use standard, well-tested encryption protocols instead of developing in-house versions that may have security issues. App store operators were also urged not to geo-block security updates and to allow developers to attest that all data is transmitted encrypted.

Citizen Lab theorized that Chinese app developers may be less likely to use “Western” cryptographic standards due to concerns that they may contain backdoors, prompting them to develop in-house ciphers.

“Given the scope of these vulnerabilities, the sensitivity of what users type on their devices, the ease with which these vulnerabilities could have been discovered, and the fact that Five Eyes has previously exploited similar vulnerabilities in Chinese surveillance apps, it is possible that even the keys pressed by users may have been subjected to mass surveillance,” the researchers said.
