Delivery Notification Reveals the Location of WhatsApp, Signal and Threema Users

Written by Emma Davis

A team of researchers found that it is possible to locate WhatsApp, Signal and Threema messenger users with over 80% accuracy by launching a specially crafted timing attack.

We previously reported that WhatsApp Messenger Developers Eliminated Two RCE Vulnerabilities at Once.

The trick lies in the time it takes for the attacker to be notified of the delivery status of a message sent to the victim. These notifications arrive with predictable delays that depend on the recipient's location.

Figure: Location of messenger infrastructure

These delays can be measured in advance, at an initial calibration stage, by sending a message while the target's location is known. The attacker can then work out where the recipient is at a later time by simply sending them a new message and measuring how long the delivery status notification takes to arrive.

In their technical paper, the researchers show that this timing attack can determine the recipient's country, city and district, and even whether the recipient is connected over Wi-Fi or mobile Internet. The attack requires that the attacker and the victim already have a conversation in the messenger.

For the timing attack to work, the attacker needs to use a smartphone to send messages and the packet capture application Wireshark to parse their own TCP traffic and extract time information.

Analyzing network traffic can help an attacker determine which packets are delivery notifications. In the applications tested by the researchers, these packets either have predetermined sizes or identifiable structural patterns.

The attacker then needs to classify the various locations and match them to the measured round-trip times, and then attempt to match those pairs to the target’s location using a known set of data.

As a result of the tests, the location accuracy was:

  1. 82% for Signal;
  2. 80% for Threema;
  3. 74% for WhatsApp.

A reliable way for application developers to solve this problem is to randomize the time at which the delivery confirmation is sent to the sender. Just 1 to 20 seconds will be enough to eliminate the possibility of this attack without breaking the delivery status notification functionality. Disabling delivery notifications also solves the problem.
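The effect of the randomized confirmation delay described above can be checked with a small simulation. This is an added example, not code from the researchers or from any of the messengers: the three locations, their delay distributions and the nearest-mean classifier are constructed assumptions standing in for the matching step.

```python
import random
import statistics

# Constructed receipt delays in seconds per location: (mean, std dev).
# Illustrative assumptions only, not measurements from the paper.
LOCATIONS = {
    "site_a": (0.30, 0.03),
    "site_b": (0.45, 0.03),
    "site_c": (0.60, 0.03),
}

def receipt_delay(location, rng, pad=None):
    """One simulated delivery-receipt delay.

    pad=(lo, hi) models the mitigation: the receipt is held for a
    uniformly random time between lo and hi seconds before release.
    """
    mean, std = LOCATIONS[location]
    delay = max(0.0, rng.gauss(mean, std))
    if pad is not None:
        delay += rng.uniform(*pad)
    return delay

def classifier_accuracy(pad=None, train=200, trials=3000, seed=1):
    """Accuracy of a nearest-mean classifier calibrated on labelled delays."""
    rng = random.Random(seed)
    # Calibration: average delay observed per known location.
    centroids = {
        loc: statistics.fmean(receipt_delay(loc, rng, pad) for _ in range(train))
        for loc in LOCATIONS
    }
    names = list(LOCATIONS)
    hits = 0
    for _ in range(trials):
        truth = rng.choice(names)
        observed = receipt_delay(truth, rng, pad)
        guess = min(centroids, key=lambda loc: abs(centroids[loc] - observed))
        hits += guess == truth
    return hits / trials

if __name__ == "__main__":
    print("no randomization:  ", classifier_accuracy(pad=None))
    print("1-20 s random hold:", classifier_accuracy(pad=(1.0, 20.0)))
```

With the hold enabled, the spread of the added delay is far larger than the differences between locations, so accuracy falls to roughly the one-in-three chance level for three candidates.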
