Chinese keyboard apps have a vulnerability and reveal what users are typing

Researchers at the University of Toronto have found an encryption gap in keyboard apps that makes users vulnerable to eavesdropping attacks.

Vulnerabilities in keyboard apps make inputs accessible to eavesdroppers.

(Bild: Bits And Splits/Shutterstock.com)

This article was originally published in German and has been automatically translated.

Keyboard apps for more efficient input of Chinese characters are used by Chinese speakers worldwide and are ubiquitous on Chinese devices. However, almost all of these apps have a security vulnerability that makes it possible to spy on users as they type: the keystroke data that these apps send to the cloud can be intercepted in transit.

Researchers at Citizen Lab, a technology and security research lab affiliated with the University of Toronto, have discovered that the vulnerability has existed for years and could have been exploited by cybercriminals and government surveillance agencies. The four most popular keyboard apps are developed by major Chinese companies such as Baidu, Tencent and iFlytek and between them cover virtually all Chinese typing styles.

The researchers also examined the keyboard apps that are pre-installed on Android phones sold in China: Almost all third-party apps and all Android phones with pre-installed keyboards failed to protect users by properly encrypting the content they typed. Only one smartphone from the manufacturer Huawei was found to have no such security vulnerability.

Back in August 2023, the Citizen Lab researchers discovered that the popular keyboard app Sogou did not use Transport Layer Security (TLS) when transmitting keystroke data to its cloud server for better typing predictions. TLS is the world's most widely used encryption standard and protects 90 percent of all web connections from eavesdroppers. Without TLS, keystrokes sent over the network can be read by any third party positioned on the path between the device and the server. Although Sogou fixed the problem after it became known last year, many pre-installed Sogou keyboards are not up to date and their traffic can still be intercepted. Most of the vulnerabilities were closed after the researchers contacted the keyboard app manufacturers. However, some companies, such as QQ Pinyin and Baidu, did not respond, so the vulnerability still exists in some apps and phones, as well as in all keyboard apps that have not been updated to the latest version.

(vat)