Initial Disclosure Date: Dec 18, 2013
Last Update: Jan 16, 2014
Some recent IMEs (Input Method Editors) have Sync Dictionary and Cloud Conversion functions to enhance typing efficiency, and these functions require a persistent Internet connection. Good examples are Baidu IME and Simeji. Simeji is a smartphone application for Japanese input, provided by Baidu. According to Baidu Japan Inc., Baidu IME had approximately two million users in Japan as of January 2012. (footnote:1)
However, these functions also raise two cybersecurity issues. First, when users have personally identifiable information or login credentials in their user dictionary, that sensitive information is saved on an external server unless they disable the Sync Dictionary function. Second, Cloud Conversion is similar to a keylogger: everything users type is sent out. When they confirm their input, the name of the input application and their security identifier (SID) are also sent out. Under its recommended settings, Baidu IME activates Cloud Conversion automatically when installed. (footnote:2)
The National Information Security Center (NISC) and the Ministry of Education, Culture, Sports, Science and Technology sent out an alert to about 140 organizations, including agencies, ministries, research institutes, and universities, telling them to stop using Baidu IME. According to Yomiuri Shimbun’s survey, at least twelve universities, including the University of Tokyo, use Baidu IME on some of their computers. Also, 23 prefectural governments and six municipal governments in Japan use 1,124 computers with Baidu IME in total. Although the Ministry of Internal Affairs and Communications’ guideline requires local governments to obtain permission from their information security officer (ISO) before they install free software, ISOs are the heads of each office or department and are not necessarily cybersecurity experts. Moreover, there is no information security system to check the security of software embedded in computers. (footnote:3)
In a press release dated December 26, Baidu Japan Inc. acknowledged that Baidu IME and Simeji send users’ information to its servers and save the data for a while, and explained that the company is keen to make its terms easier to understand and to reassure users. The company released Simeji 6.6.2 on December 27 and a new version of Baidu IME in early January 2014. (footnote:4)
Sources: