1 Billion Chinese Keyboard Users Keystrokes At Risk

Recent investigations by Citizen Lab have uncovered significant security vulnerabilities in cloud-based pinyin keyboard applications, which could potentially allow malicious actors to access and decode users’ keystrokes. This finding is particularly alarming given the widespread usage of these apps, affecting close to one billion users globally. The security flaws span across multiple vendors including prominent names like Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi, with Huawei being the only vendor not reporting any issues.

Understanding the Vulnerabilities

These vulnerabilities are deeply concerning because they provide a gateway for attackers to intercept and decipher the contents of users' keystrokes while they are being transmitted over the network. For example, Tencent’s QQ Pinyin was found susceptible to a CBC padding oracle attack, allowing attackers to recover plaintext data. Similarly, Baidu’s IME was vulnerable to decryption by network eavesdroppers due to flaws in its encryption protocol, specifically BAIDUv3.1. In the case of Samsung’s Android keyboard, the app was transmitting keystroke data via plain, unencrypted HTTP, making it trivial for anyone on the same network to capture this data.

Moreover, multiple devices come pre-installed with these vulnerable keyboard apps, which exacerbates the problem. Devices from Xiaomi, OPPO, Vivo, and Honor were noted for their pre-installed apps, which inherit the aforementioned security flaws.

The implications of these vulnerabilities are severe. Keyboard apps are used for typing sensitive information such as passwords, credit card numbers, personal messages, and more. The exposure of such data could lead to significant privacy breaches, identity theft, and financial fraud. Additionally, since these vulnerabilities can be exploited passively—meaning an attacker does not need to generate additional network traffic to intercept the data—the exploitation can go undetected.

Citizen Lab’s Recommendations

In light of these findings, users are strongly urged to update their apps and operating systems regularly to mitigate these vulnerabilities. Switching to keyboard apps that process data entirely on-device rather than sending it to the cloud can also significantly enhance security.

Developers are encouraged to employ well-tested, standard encryption protocols rather than creating their own, which often contain security flaws. App stores should ensure that security updates are not restricted by geoblocking and should allow developers to certify that all transmitted data is encrypted.

Citizen Lab also speculated on the reluctance of Chinese developers to adopt Western cryptographic standards, possibly due to fears of embedded backdoors. Instead, these developers often opt to create proprietary encryption methods, which unfortunately tend to be less secure.

The breadth of these vulnerabilities, combined with the sensitive nature of the data involved and the ease of exploitation, raises concerns about mass surveillance. This is particularly pertinent given historical instances where similar vulnerabilities in Chinese applications were leveraged by intelligence agencies, such as those from the Five Eyes alliance, for espionage purposes.

The discovery of these vulnerabilities in widely-used keyboard applications highlights a critical area of cybersecurity that requires immediate attention. Users and developers alike must be proactive in implementing security measures to protect sensitive data from being compromised. As our reliance on digital communication tools increases, so does the need for robust cybersecurity practices to safeguard our digital lives.