The massive scale of the problem is compounded by the fact that these vulnerabilities aren’t hard to exploit. “You don’t need huge supercomputers crunching numbers to crack this. You don’t need to collect terabytes of data to crack it,” says Knockel. “If you’re just a person who wants to target another person on your Wi-Fi, you could do that once you understand the vulnerability.”
The ease of exploiting the vulnerabilities and the huge payoff—knowing everything a person types, potentially including bank account passwords or confidential materials—suggest that it’s likely they have already been taken advantage of by hackers, the researchers say. But there’s no evidence of this, though state hackers working for Western governments targeted a similar loophole in a Chinese browser app in 2011.
Most of the loopholes found in this report are “so far behind modern best practices” that it’s very easy to decrypt what people are typing, says Jedidiah Crandall, an associate professor of security and cryptography at Arizona State University, who was consulted in the writing of this report. Because it doesn’t take much effort to decrypt the messages, this type of loophole can be a great target for large-scale surveillance of massive groups, he says.
After the researchers got in contact with companies that developed these keyboard apps, the majority of the loopholes were fixed. But a few companies have been unresponsive, and the vulnerability still exists in some apps and phones, including QQ Pinyin and Baidu, as well as in any keyboard app that hasn’t been updated to the latest version. Baidu, Tencent, iFlytek, and Samsung did not immediately reply to press inquiries sent by MIT Technology Review.
One potential cause of the loopholes’ ubiquity is that most of these keyboard apps were developed in the 2000s, before the TLS protocol was commonly adopted in software development. Even though the apps have been through numerous rounds of updates since then, inertia could have prevented developers from adopting a safer alternative.
The report points out that language barriers and different tech ecosystems prevent English- and Chinese-speaking security researchers from sharing information that could fix issues like this more quickly. For example, because Google’s Play store is blocked in China, most Chinese apps are not available in Google Play, where Western researchers often go for apps to analyze.
Sometimes all it takes is a little additional effort. After two emails about the issue to iFlytek were met with silence, the Citizen Lab researchers changed the email title to Chinese and added a one-line summary in Chinese to the English text. Just three days later, they received an email from iFlytek, saying that the problem had been resolved.