SoylentNews
SoylentNews is people
https://soylentnews.org/

Title    Almost Every Chinese Keyboard App Has a Security Flaw That Reveals What Users Type
Date    Friday April 26, 2024 @08:46PM
Author    janrinok
https://soylentnews.org/article.pl?sid=24/04/25/1457251

hubie writes:

https://www.technologyreview.com/2024/04/24/1091740/chinese-keyboard-app-security-encryption/

Almost all keyboard apps used by Chinese people around the world share a security loophole that makes it possible to spy on what users are typing.

The vulnerability, which allows the keystroke data that these apps send to the cloud to be intercepted, has existed for years and could have been exploited by cybercriminals and state surveillance groups, according to researchers at the Citizen Lab, a technology and security research lab affiliated with the University of Toronto.

These apps help users type Chinese characters more efficiently and are ubiquitous on devices used by Chinese people. The four most popular apps—built by major internet companies like Baidu, Tencent, and iFlytek—basically account for all the typing methods that Chinese people use. Researchers also looked into the keyboard apps that come preinstalled on Android phones sold in China.

What they discovered was shocking. Almost every third-party app and every Android phone with preinstalled keyboards failed to protect users by properly encrypting the content they typed. A smartphone made by Huawei was the only device where no such security vulnerability was found.

In August 2023, the same researchers found that Sogou, one of the most popular keyboard apps, did not use Transport Layer Security (TLS) when transmitting keystroke data to its cloud server for better typing predictions. TLS is the widely adopted cryptographic protocol that protects data in transit from being read or altered by anyone on the network path; without it, the keystrokes could be captured by a network eavesdropper and, because the encryption the app applied on its own was weak, decrypted by third parties.

"Because we had so much luck looking at this one, we figured maybe this generalizes to the others, and they suffer from the same kinds of problems for the same reason that the one did," says Jeffrey Knockel, a senior research associate at the Citizen Lab, "and as it turns out, we were unfortunately right."

Even though Sogou fixed the issue after it was made public last year, some Sogou keyboards preinstalled on phones are not updated to the latest version, so they are still subject to eavesdropping.

This new finding shows that the vulnerability is far more widespread than previously believed.

[...] "The scale of this was really shocking to us," says Wang. "And also, these are completely different manufacturers making very similar mistakes independently of one another, which is just absolutely shocking as well."

The massive scale of the problem is compounded by the fact that these vulnerabilities aren't hard to exploit. "You don't need huge supercomputers crunching numbers to crack this. You don't need to collect terabytes of data to crack it," says Knockel. "If you're just a person who wants to target another person on your Wi-Fi, you could do that once you understand the vulnerability."
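The practical question for anyone auditing one of these apps is the one Knockel describes: from the position of a passive observer on the same Wi-Fi, does the app's cloud traffic use TLS or not? The check below is an added example written for this page, not code from the article or from Citizen Lab. It classifies the first client-to-server bytes of each captured TCP flow (a TLS connection always begins with a handshake record, a plaintext HTTP request with a method line) and, for plaintext flows, pulls out exactly what the eavesdropper would read. The capture it runs on is constructed inline; the `.invalid` hostnames, paths and query parameters are illustrative assumptions, not real endpoints of any keyboard app.

```python
"""Flow-level check: is an app's cloud traffic protected by TLS?

Added example for this page, not code from the article or from Citizen Lab.
Runs offline on a CONSTRUCTED capture of first-packet payloads.
"""
from urllib.parse import parse_qs, urlsplit

# A TLS record starts with a content-type byte (0x16 = handshake) followed by a
# two-byte record-layer version 0x03 0x0x (SSL 3.0 through TLS 1.3, which keeps
# 0x0303 on the wire). The first thing a TLS client sends is a ClientHello, so
# this prefix on the first client bytes is enough to recognise TLS use.
TLS_HANDSHAKE = 0x16
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ")


def classify_flow(payload: bytes) -> str:
    """Classify the first client-to-server bytes of a TCP flow."""
    if (len(payload) >= 3 and payload[0] == TLS_HANDSHAKE
            and payload[1] == 0x03 and payload[2] <= 0x04):
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"


def recover_plaintext_fields(payload: bytes) -> dict:
    """For a plaintext HTTP request, pull out what an eavesdropper reads
    straight off the wire: method, path, query parameters and body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    method, target, _version = request_line.split(b" ", 2)
    url = urlsplit(target.decode("ascii", errors="replace"))
    return {
        "method": method.decode("ascii"),
        "path": url.path,
        "query": parse_qs(url.query),
        "body": body.decode("utf-8", errors="replace"),
    }


def audit_capture(flows):
    """One verdict per (host, payload) flow: transport verdict plus the
    leaked fields, or None when the flow is TLS or unrecognised."""
    report = []
    for host, payload in flows:
        verdict = classify_flow(payload)
        leaked = recover_plaintext_fields(payload) if verdict == "plaintext-http" else None
        report.append({"host": host, "verdict": verdict, "leaked": leaked})
    return report


# CONSTRUCTED sample capture: three first-packet payloads as a passive observer
# on the same Wi-Fi would see them. Hostnames are .invalid and the paths and
# parameters are made up for illustration (assumptions, not real endpoints).
SAMPLE_FLOWS = [
    # 1. TLS 1.2 record header (type 0x16, version 0x0301) + start of ClientHello.
    ("ime-secure.example.invalid",
     bytes.fromhex("16030100c4010000c00303") + b"\x00" * 32),
    # 2. Prediction request carrying the typed pinyin in the URL, no TLS.
    ("ime-cloud.example.invalid",
     b"GET /predict?pinyin=nihao&v=1 HTTP/1.1\r\n"
     b"Host: ime-cloud.example.invalid\r\n\r\n"),
    # 3. Upload with keystrokes in the request body, no TLS.
    ("ime-cloud.example.invalid",
     b"POST /upload HTTP/1.1\r\nHost: ime-cloud.example.invalid\r\n"
     b"Content-Length: 20\r\n\r\nkeys=woaini&app=chat"),
]

if __name__ == "__main__":
    for entry in audit_capture(SAMPLE_FLOWS):
        print(entry["host"], entry["verdict"], entry["leaked"])
```

A `tls` verdict only says transport encryption is in use; it does not show that the app validates the server certificate, and it says nothing about how strong any encryption the app applies on its own is, which is the other failure the article describes. A `plaintext-http` verdict, by contrast, is conclusive: whatever is in the query string or body is readable by everyone on the path.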

[...] One potential cause of the loopholes' ubiquity is that most of these keyboard apps were developed in the 2000s, before the TLS protocol was commonly adopted in software development. Even though the apps have been through numerous rounds of updates since then, inertia could have prevented developers from adopting a safer alternative.

The report points out that language barriers and different tech ecosystems prevent English- and Chinese-speaking security researchers from sharing information that could fix issues like this more quickly. For example, because Google's Play store is blocked in China, most Chinese apps are not available in Google Play, where Western researchers often go for apps to analyze.

Sometimes all it takes is a little additional effort. After two emails about the issue to iFlytek were met with silence, the Citizen Lab researchers changed the email title to Chinese and added a one-line summary in Chinese to the English text. Just three days later, they received an email from iFlytek, saying that the problem had been resolved.


Original Submission

Links

  1. "hubie" - https://soylentnews.org/~hubie/
  2. "according to researchers at the Citizen Lab" - https://citizenlab.ca/2024/04/vulnerabilities-across-keyboard-apps-reveal-keystrokes-to-network-eavesdroppers/
  3. "found that Sogou" - https://www.technologyreview.com/2023/08/21/1078207/sogou-keyboard-app-security-loophole/
  4. "Original Submission" - https://soylentnews.org/submit.pl?op=viewsub&subid=62668

© Copyright 2024 - SoylentNews, All Rights Reserved

printed from SoylentNews, Almost Every Chinese Keyboard App Has a Security Flaw That Reveals What Users Type on 2024-05-08 10:12:43