Users typing in Chinese using cloud apps from Baidu, Honor, iFlytek, Oppo, Samsung, Tencent, Vivo and Xiaomi should update their software immediately. Researchers have discovered serious encryption flaws in Pinyin input software that could compromise input data. Although exploitation details of the vulnerability have not yet been made public, the issue could potentially affect up to a billion users.
Image source: techspot.com
Chinese writing contains thousands of unique characters that cannot be accommodated on the keyboard, so alternative input methods (IME) are used for typing. All of the affected cloud tools used the Pinyin (literally, “phonetic writing”) system, in which users use the Roman alphabet to enter phonetic pronunciation and then select the appropriate characters from a set. Operating system vendors and third-party developers have been providing local alternative input methods to Chinese users for decades, but cloud services outpace local apps in terms of character detection accuracy.
Using any cloud-based typing app increases the risk of tracking, so developers ensure privacy through encryption. Researchers from the University of Toronto tested the security of applications from nine companies: Baidu, Honor, Huawei, iFlytek, OPPO, Samsung, Tencent, Vivo and Xiaomi, and during the experiment they successfully captured the keystrokes of all of these tools except the Huawei application.
The researchers found no flaws in the iOS apps because Apple automatically sandboxes keyboard apps and requires explicit user permission to access and transfer data. Similar tools for Android and Windows are considered much less secure. Android users can prevent the keyboard app from connecting to the Internet, but most users simply don't think about the potential risks, and it's not easy to find the appropriate controls in the settings.
Researchers have made all developers aware of the vulnerability, and most have already released updates to fix the problems, but encryption flaws still persist in Baidu apps, the Honor keyboard, and Tencent's QQ Pinyin service. The researchers listed dozens of similar apps that they didn't test, suggesting that most apps would have similar vulnerabilities.
The researchers expressed alarm, recalling previous episodes of government surveillance. For example, Five Eyes, an intelligence-sharing alliance between the US, UK, Canada, Australia and New Zealand, has previously exploited similar vulnerabilities in Chinese apps to spy on users.
If you notice an error, select it with the mouse and press CTRL+ENTER.
The post Chinese keyboard apps from Honor, Oppo, Samsung, Vivo and Xiaomi are vulnerable to surveillance appeared first on Aroged.