Delivery status notifications can tip off your location
People with ill motives can carry out something called a timing attack whereby an adversary tries to infer the location of a user by measuring the time it takes for their message to get delivered. They rely on the message delivery status for this critical piece of information.
An attacker can measure these delays to figure out a recipient’s country, city, or district and can even find out whether they are using WiFi or mobile internet.
For this attack to work, the attacker and the target must know each other and must already have previously engaged in a conversation.
WhatsApp is used by 2 billion people around the world and although Signal and Threema have a smaller user base, with 40 million and 10 million users, respectively, they bill themselves as privacy-focused, safe, and secure apps, so these findings are more alarming for the users of these two apps.
In fact, Signal and Threema seem more susceptible to these attacks in the sense that the timing attack can be used to infer the location of Signal users with an accuracy of 82 percent and of Threema users with an accuracy of 80 percent. For WhatsApp, this number stands at 74 percent and although that’s also worrying, we would have expected the gap to be larger.
How to foil the timing attack
The researchers have discovered that the attack will likely not work with devices that are idling when a message is received. So they have proposed that developers show randomized delivery confirmation times to senders. If the timing is off by 1 to 20 seconds, it would make the timing attack useless without impacting the practical usefulness of delivery notifications.
Users worried about location privacy can try disabling the delivery notification feature, if supported by their app of choice. Also, assuming that the app is not set to bypass a VPN (virtual private network), users can use a VPN to increase latency or delay.
RestorePrivacy reached out to the maker of the apps in question and got the following response from Threema:
We have already considered different workarounds and conducted various tests, including ones where the client randomly delays delivery notifications slightly to render these kinds of timing analyses useless. (App updates containing this improvement should become available soon.)
Please note, however, that the practical exploitability of these timing analyses is debatable: Users typically don’t have their messenger app open all the time, and push notifications that wake up the app in the background already add a considerable delay of up to several seconds.