116

Almost all Chinese keyboards have severe security flaws that can be (mis)used for mass surveillance, report reveals (citizenlab.ca)

submitted 2 months ago by [email protected] to c/[email protected]

25 comments fedilink hide all child comments

Cross posted from: https://beehaw.org/post/13390116

Typing logographic languages such as Chinese is more difficult than typing alphabetic languages, where each letter can be represented by one key. There is no way to fit the tens of thousands of Chinese characters that exist onto a single keyboard. Despite this obvious challenge, technologies have developed which make typing in Chinese possible. To enable the input of Chinese characters, a writer will generally use a keyboard app with an “Input Method Editor” (IME).

Almost all keyboard apps used by Chinese people around the globe share a security vulnerability that can be exploited to to detect what users are typing, researchers at the Citizen Lab, a technology and security research lab affiliated with the University of Toronto, have found.

Acvording to Citizen Lab, the keystroke data that these apps send to the cloud to be intercepted, has existed for years and could have been exploited by cybercriminals and state surveillance groups.

"Our analysis revealed critical vulnerabilities in keyboard apps from eight out of the nine vendors in which we could exploit that vulnerability to completely reveal the contents of users’ keystrokes in transit," a new report says, adding that "most of the vulnerable apps can be exploited by an entirely passive network eavesdropper".

Combining the vulnerabilities discovered in this and our previous report analyzing Sogou’s keyboard apps, Citizen Lab estimates that up to one billion users are affected by these vulnerabilities. "Given the scope of these vulnerabilities and the ease with which these vulnerabilities may have been discovered, it is possible that such users’ keystrokes may have also been under mass surveillance," the report says.

In their report, the researchers analyzed the security of cloud-based pinyin keyboard apps from nine vendors: Baidu, Honor, Huawei, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi.

We examined these apps’ transmission of users’ keystrokes for vulnerabilities.

In eght out of the nine vendor, the researchers could exploit the vulnerability to completely reveal the contents of users’ keystrokes in transit, the only exception being a phone by Huawei.

Having the capability to read what users type on their devices is of interest to a number of actors — including government intelligence agencies that operate globally — because it may encompass exceptionally sensitive information about users and their contacts including financial information, login credentials such as usernames or passwords, and messages that are otherwise end-to-end encrypted.

top 25 comments

sorted by: hot top controversial new old

[-] [email protected] 77 points 2 months ago* (last edited 2 months ago)

This is something that the amazing Naomi Wu brought up for years before, and was ordered to stop publishing by the local government. It was about the same thing. It's sometimes misrepresented as being about Signal, but her point was: There's no point in using a secure messaging app like Signal if your keyboard (IME) leaks everything you write! So she was making the exact same point as in this article.

I really miss her content. 😢

[-] [email protected] 37 points 2 months ago

Didn't know about her, but now I do. Sounds like a great person on the side of users / the people.

Wu has been absent from social media since June 2023, reportedly after receiving a police visit due to her public criticisms of Signal and Chinese keyboard apps.

Sigh…

[-] [email protected] 26 points 2 months ago* (last edited 2 months ago)

Yeah she clarified that literally, it's not linked in the article.

https://twitter.com/RealSexyCyborg/status/1677480809450835969

I can't find the source of her saying it was about the IME thing but I recall reading that from a person close to her. She had just raised it before all this happened. Edit: Oh wait, that's here: https://skepchick.org/2023/08/maker-naomi-wu-is-silenced-by-chinese-authorities-and-why-i-blame-elon-musk/ (This was linked on wikipedia)

And yes she's a great person, she was often criticised for being a CCP stooge but that was BS. She was as outspoken as one can be being in China (and unfortunately, clearly a bit more than that).

[-] [email protected] 12 points 2 months ago

Here's another one: https://www.hackingbutlegal.com/p/naomi-wu-and-the-silence-that-speaks-volumes

[-] [email protected] 8 points 2 months ago

The real nightmare here is that her girlfriend is a Uyghur.

[-] [email protected] 15 points 2 months ago

Hope she's doing well, shame what the CCP did to her

[-] [email protected] 33 points 2 months ago

yeah, it's a feature required by CCP

[-] [email protected] 23 points 2 months ago

"Flaws"

[-] [email protected] 4 points 2 months ago

Given that they explicitly ruled out interception at the cloud endpoint in this report, maybe? Then again, it could be a way of getting at it in situations where the server isn't totally compromised.

[-] [email protected] 8 points 2 months ago

Why do these keyboards make web requests while you type?

[-] [email protected] 9 points 2 months ago* (last edited 2 months ago)

From the article:

Because of the complexities of predicting which characters a user may want to type next, especially in logographic languages like Chinese, IMEs often offer “cloud-based” prediction services which reach out over the network. Enabling “cloud-based” features in these apps means that longer strings of syllables that users type will be transmitted to servers elsewhere.

[-] [email protected] 3 points 2 months ago

Must have missed that, cheers

[-] [email protected] 1 points 2 months ago

Yeah, no hate intended. Sometimes you can actually comment intelligently without reading the article at all.

[-] [email protected] 6 points 2 months ago

Because the world has long since surpassed far beyond 1984 levels of spying on unsuspecting innocent civilians.

[-] [email protected] 5 points 2 months ago

Essentially for predictive text: to make it easier to give good Chinese character suggestions when typing in Pinyin.

[-] [email protected] 1 points 2 months ago

Keyboards for typing Chinese can work completely without Internet connection. There's one in the F-Droid store: Guileless Bopomofo.

[-] [email protected] 1 points 2 months ago

As one user in this thread said, it might be a feature required by the CCP.

[-] [email protected] 7 points 2 months ago

I think you misspelled 'backdoors'.

[-] [email protected] 7 points 2 months ago

Can we all agree to call this vulnerability "Poobear"?

[-] [email protected] 4 points 2 months ago

I wonder how the built-in Google and Apple IMEs compare.

[-] [email protected] 3 points 2 months ago

So the NSA, FBI and CIA are thanking China for assisting in their efforts, right?

[-] [email protected] 8 points 2 months ago

Thanking? No. That would be impolitic.

Quietly using? They'd be foolish not to.

[-] [email protected] 1 points 2 months ago* (last edited 2 months ago)

Given that the FBI’s targets probably don’t type in Chinese or other logographic languages very often i doubt they care.

[-] [email protected] 1 points 2 months ago

Is my KU-0225 a security risk?

[-] [email protected] 5 points 2 months ago

As long as you ensure a US based entity is spying on you with it, and not a China based entity, then no.

this post was submitted on 25 Apr 2024

116 points (100.0% liked)

Technology

37340 readers

410 users here now

Rumors, happenings, and innovations in the technology sphere. If it's technological news or discussion of technology, it probably belongs here.

Subcommunities on Beehaw:

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago

MODERATORS

[email protected]