this post was submitted on 23 Apr 2024
128 points (98.5% liked)

Privacy

31273 readers
1022 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 4 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
128
The not-so-silent type: Vulnerabilities across keyboard apps reveal keystrokes to network eavesdroppers - The Citizen Lab (citizenlab.ca)
submitted 5 months ago by [email protected] to c/[email protected]
14 comments fedilink hide all child comments
top 14 comments
sorted by: hot top controversial new old
[–] [email protected] 39 points 5 months ago (3 children)

TLDR:

This study mainly targets Pinyin input, the most popular Chinese input method (hence 1bn potentially affected).

Vulnerabilities were due to the keyboards’ use of the cloud for dictionaries used in IMEs (essentially a conversion engine). Such IMEs are must-haves for certain languages and converts A-Zs to other scripts. Lack of E2EE resulted in exposed keystrokes.

Personally I would recommend switching to something which uses a local dictionary. RIME is a good FOSS alternative and can be configured to work on Android via fcitx.

While the study doesn't cover English keyboards, this is as good a reminder as any not to use in-built dictionaries in general unless you have to.

[–] [email protected] 4 points 5 months ago

If you are in China you also have to be very worried about the Chinese government. This is just one out of hundreds of other tools they have to detect disloyalty

[–] [email protected] 3 points 5 months ago

Thanks for the tl;dr and suggestions.

[–] [email protected] 2 points 5 months ago

Thank you :)

[–] [email protected] 21 points 5 months ago (1 children)

A billion vulnerable users is wild. I'm sure there are government entities taking advantage of this already

[–] [email protected] 18 points 5 months ago (2 children)

Oh yes, one example is Naomi Wu.

[–] [email protected] 10 points 5 months ago

Damn, I didn't know what had happened to her. I really liked her content.

[–] [email protected] 5 points 5 months ago* (last edited 5 months ago) (1 children)

Yeah and didn't she work with Citizen Lab in the past about this? I'm wondering what's new here.

[–] [email protected] 2 points 4 months ago

What's new is that apparently "We reported these vulnerabilities to all nine vendors. Most vendors responded, took the issue seriously, and fixed the reported vulnerabilities, although some keyboard apps remain vulnerable."

[–] [email protected] 16 points 5 months ago (1 children)

I usually recommend FOSS keyboards, seems to be the safer bet

[–] [email protected] 1 points 5 months ago* (last edited 5 months ago) (1 children)

And with a firewall that blocks them from internet access

[–] [email protected] 6 points 5 months ago

They shouldn't need internet access

[–] [email protected] 10 points 5 months ago

This report is not about how operators of cloud-based IMEs read users’ keystrokes, which is a phenomenon that has already been extensively studied and documented. This report is primarily concerned with the issue of protecting this sensitive data from network eavesdroppers.

So basically, even after these vulns are fixed, the attacker can just NSL the cloud providers and, boom, surveillance slurping continues.

[–] [email protected] 5 points 5 months ago

Swype is not listed in this document.

I didn't read far enough to see if it only affected pinyin (Chinese) cloud features or all languages.