Security researchers discovered that iPhone hackers could expose WhatsApp, Signal, and Threema users’ locations with an accuracy of 80%, depending on the attack’s success. Here’s what you need to know about it.
The discovery was published by Restore Privacy. According to the publication, “the trick lies in measuring the time taken for the attacker to receive the message delivery status notification on a message sent to the target.”
Because mobile internet networks and IM app server infrastructure have specific physical characteristics that result in standard signal pathways, these notifications have predictable delays based on the user’s position.
By measuring these delays in a preparatory stage, such as by sending messages when the target’s location is known, an attacker could figure out where the message recipient is located at any time in the future by simply sending them a new message and measuring the time taken for the delivery status notifications to arrive.
This timing attack can reveal the recipient’s location by country, city, and district, and whether they are connected to Wi-Fi or cellular. According to security researchers, this flaw is exploitable against so-called secure messenger services such as Signal, Threema, and WhatsApp.
WhatsApp’s case is a bit more concerning, as the company recently released a global ad campaign promoting how secure the app is, in contrast to the blue vs. green bubble battle between Apple and Android phone makers.
That said, across these three apps, the accuracy with which a hacker can identify a user’s location is 82% for Signal targets, 80% for Threema, and 74% for WhatsApp.
How to protect yourself from these attacks?
Restore Privacy says that apart from using a VPN or “disabling the notification feature that informs the sender when the message was received,” these messaging apps are responsible for taking action by, for example, randomizing the delivery confirmation times to the sender. The publication writes:
While performing the experiments, the researchers noticed that some devices were idling while receiving the messages, which can mess up the attack results and is practically an unreliable countermeasure.
(…) Anything from 1 to 20 seconds would be enough to render this timing attack impossible to carry out while not hurting the practical usefulness of the delivery status notifications.
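An added illustration of the randomized-delay countermeasure described above (not code from the researchers, Restore Privacy, or any of the messaging apps): the simulation uses constructed delay profiles for two hypothetical locations and compares how often a nearest-baseline guess is right with and without a uniform 1 to 20 second hold on the delivery receipt.

```python
import random
import statistics

# Constructed receipt-delay profiles in milliseconds (mean, std-dev).
# Illustrative assumptions only, not measurements from the study.
PROFILES = {"location_A": (320.0, 25.0), "location_B": (450.0, 25.0)}


def receipt_delay_ms(location, rng, jitter_s=None):
    """Simulated time until the sender sees the delivery receipt."""
    mean, std = PROFILES[location]
    delay = rng.gauss(mean, std)
    if jitter_s is not None:
        # Countermeasure: hold the receipt for a uniformly random interval.
        delay += rng.uniform(*jitter_s) * 1000.0
    return delay


def calibrate(rng, jitter_s, samples=200):
    """Baseline per location: mean delay observed while location is known."""
    return {
        loc: statistics.fmean(
            receipt_delay_ms(loc, rng, jitter_s) for _ in range(samples)
        )
        for loc in PROFILES
    }


def classification_accuracy(jitter_s=None, trials=2000, seed=1):
    """Fraction of receipts attributed to the correct location."""
    rng = random.Random(seed)
    baseline = calibrate(rng, jitter_s)
    correct = 0
    for _ in range(trials):
        truth = rng.choice(sorted(PROFILES))
        seen = receipt_delay_ms(truth, rng, jitter_s)
        # Guess the location whose baseline delay is closest to this one.
        guess = min(baseline, key=lambda loc: abs(baseline[loc] - seen))
        correct += guess == truth
    return correct / trials


if __name__ == "__main__":
    print("no jitter:      ", classification_accuracy(None))
    print("1-20 s jitter:  ", classification_accuracy((1.0, 20.0)))
```

With the jitter applied, the guess is right about half the time, which is what a coin flip achieves between two locations.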
The publication reached out to these companies, and two said they are investigating the situation. BGR will update the story once we hear more about it.