Chinese Keyboard Apps Open 1B People to Eavesdropping

Nearly all keyboard apps that allow users to enter Chinese characters into their Android, iOS, or other mobile devices are vulnerable to attacks that allow an adversary to capture the entirety of their keystrokes.

This includes data such as login credentials, financial information, and messages that would otherwise be end-to-end encrypted, a new study by Toronto University's Citizen Lab has uncovered.

Ubiquitous Problem

For the study, researchers at the lab considered cloud-based Pinyin apps (which render Chinese characters into words spelled with roman letters) from nine vendors selling to users in China: Baidu, Samsung, Huawei, Tencent, Xiaomi, Vivo, OPPO, iFlytek, and Honor. Their investigation showed all but the app from Huawei to be transmitting keystroke data to the cloud in a manner that enabled a passive eavesdropper to read the contents in clear text and with little difficulty. Citizen Lab researchers, who have earned a reputation over the years for exposing multiple cyber espionage, surveillance, and other threats targeted at mobile users and civil society, said each of them contain at least one exploitable vulnerability in how they handle transmissions of user keystrokes to the cloud.

The scope of vulnerabilities should not be underestimated, Citizen Lab researchers Jeffrey Knockel, Mona Wang and Zoe Reichert wrote in a report summarizing their findings this week: The researchers from Citizen Lab found that 76% of keyboard app users in mainland China, in fact, use a Pinyin keyboard to input Chinese characters.

"All of the vulnerabilities that we covered in this report can be exploited entirely passively without sending any additional network traffic," the researchers said. And to boot, the vulnerabilities were easy to discover and do not require any technological sophistication to exploit, they noted.  "As such, we might wonder, are these vulnerabilities actively under mass exploitation?"

Each of the vulnerable Pinyin keyboard apps that Citizen Lab examined had both a local, on-device component and a cloud-based prediction service for handling long strings of syllables and particularly complex characters. Of the nine apps they looked at, three were from mobile software developers — Tencent, Baidu, and iFlytek. The remaining five were apps that Samsung, Xiaomi, OPPO, Vivo, and Honor — all mobile device manufacturers — had either developed on their own or had integrated into their devices from a third-party developer.

Exploitable via Active & Passive Methods

Methods of exploitation differ for each app. Tencent's QQ Pinyin app for Android and Windows for instance had a vulnerability that allowed the researchers to create a working exploit for decrypting keystrokes via active eavesdropping methods. Baidu's IME for Windows contained a similar vulnerability, for which Citizen Lab created a working exploit for decrypting keystroke data via both active and passive eavesdropping methods.

The researchers found other encrypted related privacy and security weaknesses in the Baidu's iOS and Android versions but did not develop exploits for them. iFlytek's app for Android had a vulnerability that allowed a passive eavesdropper to recover in plaintext keyboard transmissions because of insufficient mobile encryption.

On the hardware vendor side, Samsung's homegrown keyboard app offered no encryption at all and instead sent keystroke transmissions in the clear. Samsung also offers users the option of either using Tencent's Sogou app or an app from Baidu on their devices. Of the two apps, Citizen Lab identified Baidu's keyboard app as being vulnerable to attack.

The researchers were unable to identify any issue with Vivo's internally developed Pinyin keyboard app but had a working exploit for a vulnerability they discovered in a Tencent app that is also available on Vivo's devices.

The third-party Pinyin apps (from Baidu, Tencent, and iFlytek) that are available with devices from the other mobile device makers all had exploitable vulnerabilities as well.

These are not uncommon issues, it turns out. Last year, Citizen Labs had conducted a separate investigation in Tencent's Sogou — used by some 450 million people in China — and found vulnerabilities that exposed keystrokes to eavesdropping attacks.

"Combining the vulnerabilities discovered in this and our previous report analyzing Sogou's keyboard apps, we estimate that up to one billion users are affected by these vulnerabilities," Citizen Lab said.

The vulnerabilities could enable mass surveillance of Chinese mobile device users — including by signals intelligence services belonging to the so-called Five Eyes nations — US, UK, Canada, Australia, and New Zealand — Citizen Lab said; the vulnerabilities in the keyboard apps that Citizen Lab discovered in its new research are very similar to vulnerabilities in the China-developed UC browser that intelligence agencies from these countries exploited for surveillance purposes, the report noted.