The not-so-silent type: Vulnerabilities across keyboard apps reveal keystrokes to network eavesdroppers - The Citizen Lab
citizenlab.caIn this report, we examine cloud-based pinyin keyboard apps from nine vendors (Baidu, Honor, Huawei, iFlyTek, OPPO, Samsung, Tencent, Vivo, and Xiaomi) for vulnerabilities in how the apps transmit user keystrokes. Our analysis found that eight of the nine apps identified contained vulnerabilities that could be exploited to completely reveal the contents of users’ keystrokes in transit. We estimate that up to one billion users could be vulnerable to having all of their keystrokes intercepted, constituting a tremendous risk to user security.
You must log in or register to comment.
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
- Don’t promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
- 0 users online
- 57 users / day
- 383 users / week
- 1.5K users / month
- 5.7K users / 6 months
- 1 subscriber
- 3.12K Posts
- 78K Comments
- Modlog
So basically, even after these vulns are fixed, the attacker can just NSL the cloud providers and, boom, surveillance slurping continues.
TLDR:
This study mainly targets Pinyin input, the most popular Chinese input method (hence 1bn potentially affected).
Vulnerabilities were due to the keyboards’ use of the cloud for dictionaries used in IMEs (essentially a conversion engine). Such IMEs are must-haves for certain languages and converts A-Zs to other scripts. Lack of E2EE resulted in exposed keystrokes.
Personally I would recommend switching to something which uses a local dictionary. RIME is a good FOSS alternative and can be configured to work on Android via fcitx.
While the study doesn’t cover English keyboards, this is as good a reminder as any not to use in-built dictionaries in general unless you have to.
Thanks for the tl;dr and suggestions.
If you are in China you also have to be very worried about the Chinese government. This is just one out of hundreds of other tools they have to detect disloyalty
Thank you :)
I usually recommend FOSS keyboards, seems to be the safer bet
And with a firewall that blocks them from internet access
They shouldn’t need internet access
Swype is not listed in this document.
I didn’t read far enough to see if it only affected pinyin (Chinese) cloud features or all languages.
A billion vulnerable users is wild. I’m sure there are government entities taking advantage of this already
Oh yes, one example is Naomi Wu.
Yeah and didn’t she work with Citizen Lab in the past about this? I’m wondering what’s new here.
What’s new is that apparently “We reported these vulnerabilities to all nine vendors. Most vendors responded, took the issue seriously, and fixed the reported vulnerabilities, although some keyboard apps remain vulnerable.”
Damn, I didn’t know what had happened to her. I really liked her content.