Chinese Keyboard Applications Expose One Billion Users to Eavesdropping

A new study from the Citizen Lab at the University of Toronto has revealed alarming vulnerabilities across nearly all major keyboard apps used to input Chinese characters on mobile devices. These flaws enable adversaries to covertly capture users’ keystrokes, compromising sensitive data like login credentials, financial information, and encrypted messages.

The investigation examined nine leading cloud-based Pinyin keyboard apps from vendors like Baidu, Samsung, Huawei, Tencent, Xiaomi, and others used by Chinese consumers. Disturbingly, all but Huawei’s app were found transmitting user keystrokes to the cloud in an insecure manner that allowed passive eavesdropping and plaintext exposure of data.

“The vulnerabilities were easy to discover and did not require technological sophistication to exploit,” the researchers stated, questioning if they are already under active mass exploitation.

Differing Exploits, Widespread

Impact Each vulnerable app handled keystroke transmissions differently, enabling various active and passive attack vectors. Some used insufficient encryption, while others sent data entirely unencrypted. The researchers successfully created working exploits against multiple apps to recover plaintext keystrokes via eavesdropping.

With an estimated 76% of mainland Chinese users relying on these Pinyin keyboards, the impact is immense. Citizen Lab estimates up to one billion users could be affected when combined with previous vulnerabilities they reported in Tencent’s Sogou keyboard app last year.

Surveillance Implications

The researchers warn the vulnerabilities are likely enabling mass surveillance of Chinese mobile users by nation-state actors like the Five Eyes intelligence alliance. Similar flaws were previously exploited from the Chinese UC browser app for surveillance purposes.

While concerning for individual privacy, the broad exposure of encrypted communications also represents a significant potential intelligence loophole that could undermine national security monitoring capabilities.

Citizen Lab has forwarded its findings to the affected vendors, but notes that fundamental secure redesigns may be necessary to comprehensively address these systemic vulnerabilities pervading Chinese mobile input apps.