In this report, we examine cloud-based pinyin keyboard apps from nine vendors (Baidu, Honor, Huawei, iFlyTek, OPPO, Samsung, Tencent, Vivo, and Xiaomi) for vulnerabilities in how the apps transmit user keystrokes. Our analysis found that eight of the nine apps identified contained vulnerabilities that could be exploited to completely reveal the contents of users’ keystrokes in transit. We estimate that up to one billion users could be vulnerable to having all of their keystrokes intercepted, constituting a tremendous risk to user security.
  • @GenderNeutralBro@lemmy.sdf.orgEnglish
    612 days ago

    Naomi Wu, AKA Sexy Cyborg, talked about how this vulnerability could leak chats in secure messaging apps last year. It got her a visit by the Chinese police and she can no longer post videos online.

    See: https://www.hackingbutlegal.com/p/naomi-wu-and-the-silence-that-speaks-volumes

    “Ok for those of you that haven’t figured it out I got my wings clipped and they weren’t gentle about it- so there’s not going to be much posting on social media anymore and only on very specific subjects. I can leave but Kaidi can’t so we’re just going to follow the new rules and that’s that. Nothing personal if I don’t like and reply like I used to. I’ll be focusing on the store and the occasional video. Thanks for understanding, it was fun while it lasted.” –@RealSexyCyborg, July 7, 2023

  • @jol@discuss.tchncs.deEnglish
    514 days ago

    That’s why I keep my keyboard gagged behind a no-network order. My keyboard has no business being online.

  • @ozymandias117@lemmy.worldEnglish
    514 days ago

    Are the on-device pinyin keyboards unusably bad at typing?

    I know it’s complex to get the right meaning with the English alphabet, but I’m surprised at cloud-based keyboards

  • Dark ArcEnglish
    214 days ago

    So does this affect English/European keyboards or just Asian keyboards?

    It seems like the mechanism is exploiting an insecure connection (or rather a connection using predictable encryption where the same input results in the same packets) to the cloud for translating keystrokes into logographic characters?

    Did I understand correctly? I definitely didn’t do a thorough read.

    I also think it’s kind of interesting Gboard wasn’t included (?)

    • Carighan MaconarEnglish
      214 days ago

      It’s about using a cloud-based model to better predict the next keystroke.

      Think of the next-word-prediction of the likes of GBoard or SwiftKey, but for just strokes/characters. There’s a local model, but it’s limited in depth and complexity, and then a cloud based one, that can do more but as shown here has security flaws.

      • Dark ArcEnglish
        113 days ago

        Well, it can’t just be about that. There are ways to salt the data so that it’s not predictable. I’m not an expert in that area, but I know it’s a technique that’s often employed by cryptography experts when this is a major concern.

    • lemmyreaderOPEnglish
      114 days ago

      I also think it’s kind of interesting Gboard wasn’t included (?)

      Indeed. But given it’s Google I would not be surprised if Gboard has keylogger features.

      • Dark ArcEnglish
        213 days ago

        I think that would be far too large of a liability for Google for the minimal amount of data they’d get back.

        Google mostly cares about metadata for their advertising business (per my understanding).