Location data could be exposed in WhatsApp, Signal and Threema

Researchers have discovered method to locate attackers using timing of messages sent and received


Tech Desk October 22, 2022
WhatsApp logo is seen in this illustration taken, August 22, 2022. PHOTO: REUTERS

Security researchers have discovered a 'surprising' method to expose location data on messaging apps like WhatsApp, Signal and Threema, otherwise considered secure. The tests conducted produced 80% reliability, despite using an imprecise method.

The method measures the time taken for the attacker to receive the message delivery status notification on a message sent to the target.

Mobile internet networks and IM app server infrastructure possess specific physical characteristics resulting in standard signal pathways that have predictable delays based on the user’s position. The precise timing can be achieved by checking the logs of a packet capture application like Wireshark.

The attacks can only be used against targets that attackers have information on, since the method will be precise on location data if they are in a location the attacker is familiar with according to their regular schedule.

The classification result showed accuracy rate of 82% for Signal targets, 80% for Threema and 74% for those using WhatsApp. If apps release privacy mitigation against this tactic by introducing randomization of timings with some degree.

"Anything from 1 to 20 seconds would be enough to render this timing attack impossible to carry out while not hurting the practical usefulness of the delivery status notifications," Restore Privacy reports.

COMMENTS (1)

03490408673 | 1 year ago | Reply zabas0907@gmail.com
Replying to X

Comments are moderated and generally will be posted if they are on-topic and not abusive.

For more information, please see our Comments FAQ