Hope of Delivery: Extracting User Locations From Mobile Instant Messengers

10/19/2022
by Theodor Schnitzler, et al.

Mobile instant messengers such as WhatsApp use delivery status notifications in order to inform users if a sent message has successfully reached its destination. This is useful and important information for the sender due to the often asynchronous use of the messenger service. However, as we demonstrate in this paper, this standard feature opens up a timing side channel with unexpected consequences for user location privacy. We investigate this threat conceptually and experimentally for three widely spread instant messengers. We validate that this information leak even exists in privacy-friendly messengers such as Signal and Threema. Our results show that, after a training phase, a messenger user can distinguish different locations of the message receiver. Our analyses involving multiple rounds of measurements and evaluations show that the timing side channel persists independent of distances between receiver locations – the attack works both for receivers in different countries as well as at small scale in one city. For instance, out of three locations within the same city, the sender can determine the correct one with more than 80% accuracy. Thus, messenger users can secretly spy on each other's whereabouts when sending instant messages. As our countermeasure evaluation shows, messenger providers could effectively disable the timing side channel by randomly delaying delivery confirmations within the range of a few seconds. For users themselves, the threat is harder to prevent since there is no option to turn off delivery confirmations.
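The countermeasure named in the abstract can be checked in simulation. The following is an added example, not code or data from the paper: the three location timing profiles are constructed values, and the nearest-mean classifier is a simple stand-in for whatever classifier the authors used. It compares how well timings separate three locations with and without a provider-side uniform random delay.

```python
import random
import statistics

# Constructed delivery-confirmation timing profiles (mean ms, stddev ms).
# Assumed values for the simulation, not measurements from the paper.
LOCATIONS = {"home": (310.0, 15.0), "office": (355.0, 15.0), "gym": (400.0, 15.0)}

def sample(rng, loc, n, max_delay_ms):
    """Simulate n confirmation timings for one location.
    The provider adds a uniform random delay in [0, max_delay_ms]."""
    mean, sd = LOCATIONS[loc]
    return [rng.gauss(mean, sd) + rng.uniform(0.0, max_delay_ms) for _ in range(n)]

def train(rng, n, max_delay_ms):
    """Training phase: mean observed timing per known location."""
    return {loc: statistics.fmean(sample(rng, loc, n, max_delay_ms))
            for loc in LOCATIONS}

def classify(centroids, timing):
    """Assign a single timing to the location with the nearest learned mean."""
    return min(centroids, key=lambda loc: abs(centroids[loc] - timing))

def accuracy(max_delay_ms, n_train=200, n_test=500, seed=1):
    """Fraction of held-out timings attributed to the correct location."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    centroids = train(rng, n_train, max_delay_ms)
    hits = total = 0
    for loc in LOCATIONS:
        for timing in sample(rng, loc, n_test, max_delay_ms):
            hits += classify(centroids, timing) == loc
            total += 1
    return hits / total

def report():
    """Accuracy with no delay, 0.5 s and 3 s of maximum random delay."""
    return {delay: round(accuracy(delay), 3) for delay in (0.0, 500.0, 3000.0)}

if __name__ == "__main__":
    for delay, acc in report().items():
        print(f"max random delay {delay:6.0f} ms -> accuracy {acc:.3f}")
```

With three equally likely locations, chance level is about 0.33; a delay range that pushes accuracy down to that level has removed the usable signal for this simulated classifier.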
