Security researchers have found a surprising method for exposing location data in otherwise secure messaging apps WhatsApp, Signal, and Threema.
While the method sounds imprecise, tests showed that it provided greater than 80% reliability …
Restore Privacy reports.
A team of researchers has found that it’s possible to infer the locations of users of popular instant messenger apps with an accuracy that surpasses 80% by launching a specially crafted timing attack.
The trick lies in measuring the time taken for the attacker to receive the message delivery status notification on a message sent to the target.
Because mobile internet networks and IM app server infrastructure have specific physical characteristics that result in standard signal pathways, these notifications have predictable delays based on the user’s position.
In other words, I send you a message and then time how long it takes until I see the indicator that you have received (not read) the message. The timing will indicate the distance traveled by the message.
The timing, of course, needs to be very precise, but this is easily achieved by checking the logs of a packet capture application like Wireshark.
The attack is limited in its application, so can only really be used against specific targets about whom you have knowledge. It requires you to message a contact when they are in a known location (for example, when you know they are at home or at work, or another location they visit regularly) and note the timings for each.
Once you have this calibration data, you can then find out which location they are in, simply by sending them a message.
The network traffic analysis can help the attacker determine which packets are the delivered status notifications. In the apps tested by the researchers, these packets either have predetermined sizes or have identifiable structure patterns.
Next, the attacker needs to classify the different locations and match them to measured “round-trip” times, and then attempt to correlate these pairs with the target’s location using the known data set.
The resulting classification accuracy based on the researchers’ experiments was:
- 82% for Signal targets
- 80% for Threema
- 74% for those using WhatsApp
The research team said that the best privacy mitigation against this tactic would be for the messaging apps to introduce some degree of randomization into the timings.
A solid way for app developers to deal with this problem is to introduce a system that would randomize the delivery confirmation times to the sender.
Anything from 1 to 20 seconds would be enough to render this timing attack impossible to carry out while not hurting the practical usefulness of the delivery status notifications.
Two of the three companies (which were not specified) have said they are investigating the issue.
If you want to protect yourself, the obvious and easy method is to switch off the notification feature which tells senders when a message has been delivered, and when it has been read. If you don’t want to go that far, using a VPN will randomize the delivery timings, and periodically switching VPN servers would add further noise.
If you want to know more about the research, you can read the research paper here.
FTC: We use income earning auto affiliate links. More.
Comments