Security researchers have identified a vulnerability that exposes the location of users of WhatsApp, Signal and Threema. In a blog post, the security researchers present the results of the research and offer potential solutions to mitigate the attack vector. The operators of the messengers are investigating the problem, but Threema questions whether the attack is exploitable in practice, given its restrictions.
An anonymous blog reader has posted a link to the blog post "Timing Attacks on WhatsApp, Signal, and Threema can Reveal User Location" by Sven Taylor (thanks for the hint).
Because mobile Internet networks and the server infrastructure of instant messenger apps have specific physical characteristics that result in standard signal paths, delivery status notifications have predictable delays that depend on the user's location. The security researchers state that this makes it possible to determine the locations of users of popular instant messenger apps with more than 80% accuracy. This is possible via a specially developed timing attack. The trick involves measuring the time it takes for the attacker to receive notification of the delivery status of a message sent to the target.
Location data of Messenger users
The map above shows the locations of Messenger users that the security researchers were able to identify in this way. The approach relies on a preparatory phase in which the delivery delays of messages sent to recipients whose location is known in advance are measured. In this way, the researchers obtained a kind of calibration network.
Following this, an attacker could find out where the recipient of the message is at any time in the future. To do so, he simply needs to send him a new message and measure the time taken for delivery status notifications.
In their technical report, the security researchers (a group of researchers from TU Dortmund University, Ruhr-Universität Bochum, Radboud University in the Netherlands, Northeastern University USA and New York University in Abu Dhabi) found that this timing attack could work sufficiently well to locate the recipient's country, city and district, and even find out if he is connected to WiFi or mobile Internet.
h tests to build a rich data set against a target, they could infer their location from a set of possible locations in a city, such as "home," "office," "gym," etc., based solely on the delivery notification delay.
The method works for popular messengers WhatsApp, Signal and Threema, the security researchers write. For the timing attack to work, however, the attacker and victim must know each other and have previously conversed via the Messenger app. This is a prerequisite for both the attack and the preparations (so the risk is manageable). Then, location determinations are possible with the following hit rate:
- 82% for Signal
- 80% for Threema
- 74% for WhatsApp
The security researchers write that these results are alarming from a user privacy perspective, because the platforms, especially Signal and Threema, advertise that they are secure and private messengers that go beyond the security of other platforms.
However, during the analysis, the security researchers found that these attacks can be thwarted. Some devices were found to be idle when receiving messages. This can distort the measurement results and is in practice a countermeasure, albeit an unreliable one. But randomly delaying delivery confirmations to the sender by between 1 and 20 seconds would be sufficient to make this timing attack impossible without affecting the practical usefulness of delivery status notifications.
If the app provides the option to disable the notification feature that informs the sender when the message has been received, this setting would also solve the problem decisively by eliminating the exploitable vulnerability. As a third option, users can also use a VPN (virtual private network) on mobile devices to increase latency and obfuscate location data. With the latter solution, however, there is a risk that the user's location can be determined via vulnerabilities in VPN services.
The three messenger services mentioned are investigating this attack vector and intend to comment on it in due course. Threema says that a delay of 1 to 20 seconds is sufficient to defeat such attacks. They have considered this and conducted tests, but point out that the practical usability of these timing analyses is questionable. Most users usually do not have their Messenger app open all the time. The push notifications that wake up the app in the background to send the confirmation of receipt already cause a significant delay of up to several seconds.
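The effect of the proposed 1 to 20 second random delay can be checked with a small simulation. The following is an added example, not code from the researchers or the messenger vendors: the location names, the delay figures and the nearest-mean classifier are constructed assumptions used only to compare classification accuracy with and without the delay.

```python
import random
import statistics

# Constructed per-location receipt delays in ms (mean, std dev); not measured values.
LOCATIONS = {"home": (310.0, 12.0), "office": (355.0, 12.0), "gym": (400.0, 12.0)}


def sample_delay(loc, rng, jitter_s=None):
    """One delivery-receipt delay in ms, optionally held back by a random time.

    jitter_s is a (low, high) pair in seconds for a uniformly random hold-back,
    modelling the mitigation of delaying the delivery confirmation.
    """
    mean, sd = LOCATIONS[loc]
    delay = rng.gauss(mean, sd)
    if jitter_s is not None:
        low, high = jitter_s
        delay += rng.uniform(low, high) * 1000.0
    return delay


def classification_accuracy(jitter_s=None, train_n=200, test_n=500, seed=1):
    """Calibrate a nearest-mean classifier on known locations, then score it.

    Returns the fraction of fresh receipt delays assigned to the right location.
    """
    rng = random.Random(seed)
    # Calibration phase: average delay per known location.
    centroids = {
        loc: statistics.fmean([sample_delay(loc, rng, jitter_s) for _ in range(train_n)])
        for loc in LOCATIONS
    }
    hits = total = 0
    for loc in LOCATIONS:
        for _ in range(test_n):
            d = sample_delay(loc, rng, jitter_s)
            guess = min(centroids, key=lambda c: abs(centroids[c] - d))
            hits += guess == loc
            total += 1
    return hits / total


if __name__ == "__main__":
    print("no added delay:       ", round(classification_accuracy(), 3))
    print("uniform 1-20 s delay: ", round(classification_accuracy((1, 20)), 3))
```

Each receipt is classified on its own, so the figures describe single measurements under these constructed delays only. With three locations, an accuracy near one third means the classifier is guessing.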