A survey conducted by CitizenLab revealed concerning findings regarding digital security. When examining the virtual keyboards of nine Chinese companies – Baidu, Honor, Huawei, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi – it was discovered that eight of them have a vulnerability. This vulnerability exposes users’ typing data to network spy apps.
The information uncovered is potentially hazardous and has the potential to affect over a billion people, according to the organization’s estimates. Users’ typing histories could disclose private information such as access credentials, credit card numbers, and any other sensitive data entered while using the keyboard.
Huawei was the only company analyzed that did not exhibit this vulnerability. However, all eight of the other manufacturers still transmitted typing data from certain products, particularly cloud-based keyboards. These keyboards are tied to specific applications and send what the user types to the vendor's cloud servers over the internet.
This situation isn’t entirely novel. Several years ago, Razer added internet connectivity to its Synapse app, which comes pre-installed on various accessories, including keyboards. This app allowed users to issue commands like “change the color of the RGB lights on my keyboard” via Alexa. Shortly after its launch, a Google security researcher uncovered a loophole in this connectivity that enabled remote execution of malicious code. Razer swiftly addressed this flaw with a patch released just 24 hours after the news broke.
In CitizenLab’s research, the situation appears to be more alarming. Several kinds of attack can exploit these vulnerabilities, and not all of the keyboards are physical devices; many are software keyboards (input method editors) running on Android. The security organization has compiled a list detailing these vulnerabilities:
- Tencent QQ Pinyin is susceptible to an attack known as a “CBC padding oracle,” which lets a network observer recover the typed data from the encrypted transmissions as plain text.
- Baidu IME contains a bug in the “BAIDUv3.1” protocol, allowing network monitoring apps to decrypt online transmissions on Windows and extract typed text.
- The iFlytek IME Android app is vulnerable to network monitoring apps, enabling them to decrypt online transmissions and extract typed text.
- Samsung Keyboard, when used on Android, sends typing data via an unencrypted HTTP protocol.
- Xiaomi devices are vulnerable to the same attacks that affect Baidu, Sogou, and iFlytek, because those keyboards come pre-installed on Xiaomi models.
- OPPO devices are susceptible to the same attacks as Baidu and Sogou, because those keyboards come pre-installed on OPPO models.
- Vivo devices are vulnerable to the same attacks as Sogou, because that keyboard comes pre-installed on Vivo models.
- Honor devices are susceptible to the same attacks as Baidu, because that keyboard comes pre-installed on Honor models.
Sogou was not specifically analyzed in this report, but it was identified as a company affected by a similar breach in a previous CitizenLab document.
The situation is further complicated by the difficulty of detecting exploitation of these vulnerabilities. Typically, when a hacker exploits a vulnerability over the network, there is an uptick in data traffic, because the attacker usually needs to send their own packets. That spike in traffic can be picked up by certain security measures.
However, this isn’t the case with these flaws. Because the attacks are passive, hackers don’t need to generate any additional traffic, which makes their activity harder to detect: not entirely invisible, but certainly more elusive.
In practical terms, the likelihood of spotting such an attack in advance is very low. It would likely only become apparent during the attack itself or much later, after the damage has been done.
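Because a passive eavesdropper adds no traffic of their own, the only observable signal is what the device itself emits. The following is an added example, not part of the CitizenLab report or of this article: it scans a constructed flow log from an Android device and flags input-method apps that talk to the network, rating plaintext HTTP (the Samsung case above) as high and TLS-protected cloud traffic as informational, since typed text still leaves the device. The package names, hosts and log format are all constructed for the demo.

```python
"""Flag keyboard (IME) apps sending keystroke data off-device.

Added example; log format, package names and hosts are constructed
and are not real vendors' endpoints. The IME_HINTS heuristic is an
assumption to be tuned per fleet.
"""
import re
from dataclasses import dataclass

# Constructed flow records:
# "<timestamp> app=<pkg> dst=<host>:<port> proto=<http|tls> bytes=<n>"
SAMPLE_FLOWS = """\
2024-04-02T10:01:05Z app=com.example.ime.cloud dst=sync.ime-example.invalid:80 proto=http bytes=812
2024-04-02T10:01:09Z app=com.example.browser dst=news.example.invalid:443 proto=tls bytes=40213
2024-04-02T10:01:14Z app=com.example.ime.cloud dst=sync.ime-example.invalid:443 proto=tls bytes=640
2024-04-02T10:02:30Z app=com.example.keyboard dst=api.kb-example.invalid:8080 proto=http bytes=1520
2024-04-02T10:02:31Z app=com.example.mail dst=imap.example.invalid:993 proto=tls bytes=3000
this line is malformed and must be skipped
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) dst=(?P<host>[^:\s]+):(?P<port>\d+) "
    r"proto=(?P<proto>\S+) bytes=(?P<bytes>\d+)$"
)

# Substrings that identify input-method packages (assumption, tune per fleet)
IME_HINTS = ("ime", "keyboard", "pinyin", "inputmethod")


@dataclass(frozen=True)
class Finding:
    ts: str
    app: str
    host: str
    port: int
    severity: str  # "high" or "info"
    reason: str


def parse_flow(line):
    """Parse one flow record; return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["port"] = int(d["port"])
    d["bytes"] = int(d["bytes"])
    return d


def is_ime(app):
    low = app.lower()
    return any(h in low for h in IME_HINTS)


def find_ime_exfil(log_text):
    """Return findings for every IME flow: plaintext HTTP is high severity,
    encrypted cloud traffic is informational (typed text still leaves the device)."""
    findings = []
    for line in log_text.splitlines():
        f = parse_flow(line)
        if f is None or not is_ime(f["app"]):
            continue
        if f["proto"] == "http":
            findings.append(Finding(f["ts"], f["app"], f["host"], f["port"],
                                    "high", "IME keystroke data sent over plaintext HTTP"))
        else:
            findings.append(Finding(f["ts"], f["app"], f["host"], f["port"],
                                    "info", "IME sends keystroke data to a cloud endpoint"))
    return findings


if __name__ == "__main__":
    for fnd in find_ime_exfil(SAMPLE_FLOWS):
        print(f"[{fnd.severity}] {fnd.ts} {fnd.app} -> {fnd.host}:{fnd.port}: {fnd.reason}")
```

Run over a real flow export, the high-severity findings are the ones to treat as incidents; the informational ones are the inventory of cloud keyboards whose vendor patch status (see below) needs checking.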
Most Companies (But Not All) Have Already Fixed the Problem
CitizenLab adhered to ethical protocols for disclosing security flaws by reaching out to the nine companies involved. Despite Huawei not being affected, it was still included in the analysis, and all companies were informed of the issue.
The security organization reported that most companies have already addressed the flaws through update patches released on April 1, 2024. Samsung recently notified users about the update, albeit without directly mentioning the issue. However, Honor and Tencent have yet to respond to contact attempts.
According to the organization, manufacturers may have used internally developed encryption mechanisms for cultural reasons. An excerpt from the report suggests that companies might feel less inclined to adopt protection standards perceived as ‘Western’ due to concerns about their own vulnerabilities.
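The Tencent QQ Pinyin padding-oracle finding listed above and the home-grown encryption noted here are the same problem seen from two sides: a custom CBC-with-padding protocol whose receiver reports a distinguishable error leaks information to anyone who can observe responses, whereas a standard encrypt-then-MAC construction rejects every tampered message identically. The following added example, which is not code from CitizenLab or from any keyboard vendor, demonstrates only the difference in receiver behaviour. It uses a deliberately toy 16-byte Feistel block permutation built from HMAC-SHA256 so that it runs with the standard library alone (an assumption for the demo; a real system uses AES), and shows that the weak receiver answers two single-bit tampers differently while the hardened one does not.

```python
"""Home-grown CBC + padding vs. encrypt-then-MAC: receiver behaviour under tampering.

Added example (not from the CitizenLab report or any vendor). The block
cipher is a toy Feistel permutation keyed with HMAC-SHA256, an assumption
made so the demo runs offline; the construction around it is the point.
"""
import hashlib
import hmac
import os

BLOCK = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, half, r):
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]


def toy_block_encrypt(key, block):
    # 4-round Feistel network over two 8-byte halves (toy cipher, not AES)
    L, R = block[:8], block[8:]
    for r in range(4):
        L, R = R, _xor(L, _round_fn(key, R, r))
    return L + R


def toy_block_decrypt(key, block):
    L, R = block[:8], block[8:]
    for r in reversed(range(4)):
        L, R = _xor(R, _round_fn(key, L, r)), L
    return L + R


class BadPadding(Exception):
    pass


class BadMac(Exception):
    pass


def pad(data):  # PKCS#7 style padding
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    if not data or len(data) % BLOCK:
        raise BadPadding()
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise BadPadding()
    return data[:-n]


def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += _xor(toy_block_decrypt(key, blk), prev)
        prev = blk
    return out


# Weak: encryption only; the padding check is the only integrity check,
# so a padding failure is reported differently from a garbled message.
def weak_seal(key, pt):
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, pad(pt))


def weak_open(key, msg):
    return unpad(cbc_decrypt(key, msg[:BLOCK], msg[BLOCK:]))


# Hardened: encrypt-then-MAC with a separate key and a constant-time compare;
# every tampered message fails at the same point with the same error.
def strong_seal(enc_key, mac_key, pt):
    body = weak_seal(enc_key, pt)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def strong_open(enc_key, mac_key, msg):
    body, tag = msg[:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise BadMac()
    return weak_open(enc_key, body)


def tamper_responses(opener, msg):
    """Flip one bit in the IV (garbles block 1, padding intact) and one bit in the
    last byte of the second-to-last block (changes the padding byte); report what
    the receiver answers. Distinguishable answers are the oracle."""
    answers = []
    for pos in (0, 2 * BLOCK - 1):
        t = bytearray(msg)
        t[pos] ^= 0x80
        try:
            opener(bytes(t))
            answers.append("ok")
        except BadPadding:
            answers.append("BadPadding")
        except BadMac:
            answers.append("BadMac")
    return tuple(answers)


def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    typed = b"typed: example pass phrase"  # constructed sample; pads to two blocks
    weak_msg = weak_seal(enc_key, typed)
    strong_msg = strong_seal(enc_key, mac_key, typed)
    return {
        "weak_roundtrip": weak_open(enc_key, weak_msg) == typed,
        "strong_roundtrip": strong_open(enc_key, mac_key, strong_msg) == typed,
        "weak": tamper_responses(lambda m: weak_open(enc_key, m), weak_msg),
        "strong": tamper_responses(lambda m: strong_open(enc_key, mac_key, m), strong_msg),
    }


if __name__ == "__main__":
    print(demo())
```

The weak receiver answers `("ok", "BadPadding")`, so an observer learns something about the plaintext from the error alone; the hardened receiver answers `("BadMac", "BadMac")` for both tampers. The same property is what a standard AEAD mode such as AES-GCM provides by default, which is the practical reason to prefer an established construction over an in-house one.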