Cross posted from: https://beehaw.org/post/13390116
Typing logographic languages such as Chinese is more difficult than typing alphabetic languages, where each letter can be represented by one key. There is no way to fit the tens of thousands of Chinese characters that exist onto a single keyboard. Despite this obvious challenge, technologies have developed which make typing in Chinese possible. To enable the input of Chinese characters, a writer will generally use a keyboard app with an “Input Method Editor” (IME).
Almost all keyboard apps used by Chinese people around the globe share a security vulnerability that can be exploited to to detect what users are typing, researchers at the Citizen Lab, a technology and security research lab affiliated with the University of Toronto, have found.
Acvording to Citizen Lab, the keystroke data that these apps send to the cloud to be intercepted, has existed for years and could have been exploited by cybercriminals and state surveillance groups.
“Our analysis revealed critical vulnerabilities in keyboard apps from eight out of the nine vendors in which we could exploit that vulnerability to completely reveal the contents of users’ keystrokes in transit,” a new report says, adding that “most of the vulnerable apps can be exploited by an entirely passive network eavesdropper”.
Combining the vulnerabilities discovered in this and our previous report analyzing Sogou’s keyboard apps, Citizen Lab estimates that up to one billion users are affected by these vulnerabilities. “Given the scope of these vulnerabilities and the ease with which these vulnerabilities may have been discovered, it is possible that such users’ keystrokes may have also been under mass surveillance,” the report says.
In their report, the researchers analyzed the security of cloud-based pinyin keyboard apps from nine vendors: Baidu, Honor, Huawei, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi.
We examined these apps’ transmission of users’ keystrokes for vulnerabilities.
In eght out of the nine vendor, the researchers could exploit the vulnerability to completely reveal the contents of users’ keystrokes in transit, the only exception being a phone by Huawei.
Having the capability to read what users type on their devices is of interest to a number of actors — including government intelligence agencies that operate globally — because it may encompass exceptionally sensitive information about users and their contacts including financial information, login credentials such as usernames or passwords, and messages that are otherwise end-to-end encrypted.
A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.
Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.
Subcommunities on Beehaw:
This community’s icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.
Why do these keyboards make web requests while you type?
As one user in this thread said, it might be a feature required by the CCP.
Keyboards for typing Chinese can work completely without Internet connection. There’s one in the F-Droid store: Guileless Bopomofo.
From the article:
Must have missed that, cheers
Yeah, no hate intended. Sometimes you can actually comment intelligently without reading the article at all.
Because the world has long since surpassed far beyond 1984 levels of spying on unsuspecting innocent civilians.
Essentially for predictive text: to make it easier to give good Chinese character suggestions when typing in Pinyin.