WhatsApp less threatened by newly discovered vulnerability than Signal
Popular instant messaging apps can expose user location, reports digital privacy advocacy group RestorePrivacy.
A team of researchers has discovered that WhatsApp, Signal, and Threema have a vulnerability that can be exploited by cybercriminals to determine the location of a user with an accuracy of more than 80 percent.
Delivery status notifications can tip off your location
An adversary can carry out a timing attack, inferring a user's location by measuring how long it takes for a message sent to that user to be delivered. The message delivery status notification supplies this critical piece of information.
This can work well because internet networks and messaging app server infrastructure have specific physical characteristics that lead to standard signal pathways. As a result, the delivery status notifications have predictable delays based on the location of a user.
An attacker can measure these delays to figure out a recipient’s country, city, or district and can even find out whether they are using WiFi or mobile internet.
For more precise locations, an attacker can conduct this exercise multiple times and prepare a dataset to work out the location among a set of different possible places such as the victim's house, office, and gym.
For this attack to work, the attacker and the target must know each other and must already have previously engaged in a conversation.
WhatsApp is used by 2 billion people around the world. Signal and Threema have smaller user bases, with 40 million and 10 million users, respectively, but they bill themselves as privacy-focused, safe, and secure apps, so these findings are more alarming for the users of these two apps.
Signal and Threema also seem more susceptible to these attacks: the timing attack can be used to infer the location of Signal users with an accuracy of 82 percent and of Threema users with an accuracy of 80 percent. For WhatsApp, this number stands at 74 percent and although that's also worrying, we would have expected the gap to be larger.
The report seems to imply that both iOS and Android users are equally vulnerable.
How to foil the timing attack
The researchers have discovered that the attack will likely not work with devices that are idling when a message is received. So they have proposed that developers show randomized delivery confirmation times to senders. Shifting the timing by 1 to 20 seconds would make the timing attack useless without impacting the practical usefulness of delivery notifications.
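The following simulation is an added example, not code from the researchers or from any of the apps. It shows why the proposed padding works, by scoring a simple nearest-mean classifier on delivery-receipt delays with and without a random 1 to 20 second delay. The three locations, their delay figures and the classifier are constructed assumptions for illustration.

```python
import random
import statistics

# Constructed per-location delivery-receipt delays in ms (mean, std dev).
# These numbers are illustrative assumptions, not measurements from the study.
LOCATIONS = {"home": (310.0, 12.0), "office": (350.0, 12.0), "gym": (395.0, 12.0)}

def receipt_delay(rng, location, pad_range_s=None):
    """One observed delay in ms; pad_range_s adds the proposed random delay."""
    mean, std = LOCATIONS[location]
    delay = rng.gauss(mean, std)
    if pad_range_s is not None:
        delay += rng.uniform(*pad_range_s) * 1000.0
    return delay

def classification_accuracy(pad_range_s=None, train=200, trials=600, seed=7):
    """Accuracy of a nearest-mean classifier calibrated on labelled delays."""
    rng = random.Random(seed)
    # Calibration uses the same (padded or unpadded) channel as the test data,
    # so the mitigation is evaluated against an observer who knows about it.
    centroids = {
        loc: statistics.fmean(receipt_delay(rng, loc, pad_range_s) for _ in range(train))
        for loc in LOCATIONS
    }
    correct = 0
    for _ in range(trials):
        truth = rng.choice(list(LOCATIONS))
        seen = receipt_delay(rng, truth, pad_range_s)
        guess = min(centroids, key=lambda loc: abs(centroids[loc] - seen))
        correct += guess == truth
    return correct / trials

if __name__ == "__main__":
    print(f"no padding:     {classification_accuracy():.0%}")
    print(f"1-20 s padding: {classification_accuracy((1, 20)):.0%}")
```

The padding spans seconds while the location-dependent differences span tens of milliseconds, so the padded result falls to roughly the one-in-three rate of guessing among three places.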
Users worried about location privacy can try disabling the delivery notification feature, if supported by their app of choice. Also, assuming that the app is not set to bypass a VPN (virtual private network), users can use a VPN to increase latency or delay.
RestorePrivacy reached out to the makers of the apps in question and got the following response from Threema: