Chinese keyboard apps leave 1 billion people open to eavesdropping

Almost all keyboard apps that allow users to input Chinese characters on their Android, iOS, or other mobile devices are vulnerable to attacks that allow an adversary to capture everything the user types.

This includes data such as login credentials, financial information and messages that would otherwise be encrypted end-to-end, a new study from the University of Toronto’s Citizen Lab has found.

Omnipresent problem

For the study, researchers at the lab looked at cloud-based Pinyin keyboard apps (which let users type Chinese characters by entering their Romanized Pinyin spellings) from nine vendors selling to users in China: Baidu, Samsung, Huawei, Tencent, Xiaomi, Vivo, OPPO, iFlytek and Honor. Their investigation showed that all but Huawei’s app transmitted keyboard data to the cloud in a way that allowed a passive eavesdropper to read the contents in clear text with little difficulty. The researchers at Citizen Lab, who have earned a reputation over the years for exposing multiple cases of cyber espionage, surveillance and other threats targeting mobile users and civil society, said each of these apps contains at least one exploitable vulnerability in how it transmits user keystrokes to the cloud.

The scope of the vulnerabilities should not be underestimated, Citizen Lab researchers Jeffrey Knockel, Mona Wang and Zoe Reichert wrote in a report summarizing their findings this week: the researchers found that 76% of keyboard app users in mainland China use a Pinyin keyboard to enter Chinese characters.

“All vulnerabilities covered in this report can be exploited in an entirely passive manner without sending additional network traffic,” the researchers said. Furthermore, they noted, the vulnerabilities are easy to discover and require no technological sophistication to exploit. “As such, we might ask, are these vulnerabilities actively being exploited on a mass scale?”

Each of the vulnerable Pinyin keyboard apps examined by Citizen Lab had both a local component on the device and a cloud-based prediction service for handling long strings of syllables and particularly complex characters. Of the nine apps reviewed, three were from mobile software developers: Tencent, Baidu and iFlytek. The remaining five were apps that Samsung, Xiaomi, OPPO, Vivo and Honor, all mobile device makers, had either developed themselves or had a third-party developer integrate into their devices.

Exploitable via active and passive methods

The exploitation methods differ for each app. Tencent’s QQ Pinyin app for Android and Windows, for example, had a vulnerability for which the researchers built a working exploit that decrypts keystrokes via active eavesdropping. Baidu’s IME for Windows contained a similar vulnerability, for which Citizen Lab created a working exploit to decrypt typed data via both active and passive interception.

The researchers also discovered other privacy- and encryption-related weaknesses in Baidu’s iOS and Android versions, but did not develop exploits for them. The iFlytek app for Android had a vulnerability that allowed a passive eavesdropper to recover keyboard transmissions as plain text because of insufficient encryption.

Among the device makers, Samsung’s internally developed keyboard app offered no encryption at all and sent keystroke transmissions in the clear. Samsung also gives users the option to use Tencent’s Sogou app or a Baidu app on their devices. Of the two, Citizen Lab identified Baidu’s keyboard app as vulnerable to attacks.

The researchers were unable to identify any problems with Vivo’s internally developed Pinyin keyboard app, but they had a working exploit for a vulnerability they discovered in a Tencent app that is also available on Vivo devices.

The third-party Pinyin apps (from Baidu, Tencent and iFlytek) shipped with devices from other mobile manufacturers likewise all had exploitable vulnerabilities.

These are not isolated problems. Last year, Citizen Lab conducted a separate investigation into Tencent’s Sogou keyboard, used by about 450 million people in China, and discovered vulnerabilities that exposed keystrokes to eavesdropping attacks.

“Combining the vulnerabilities discovered in this and our previous report analyzing Sogou keyboard apps, we estimate that up to one billion users are affected by these vulnerabilities,” Citizen Lab said.

The vulnerabilities could enable mass surveillance of Chinese mobile device users, including by the intelligence services of the so-called Five Eyes nations: the United States, United Kingdom, Canada, Australia and New Zealand, Citizen Lab said. The weaknesses in keyboard apps uncovered in the new research are very similar to vulnerabilities in the Chinese-developed UC Browser that these countries’ intelligence agencies have exploited for surveillance purposes, the report notes.
