A team of researchers from Restore Privacy discovered that popular chat apps such as WhatsApp, Signal and Threema contain a vulnerability that hackers can exploit to determine a user’s location with more than 80% accuracy.
This form of location detection is called a timing attack. The attacker tries to infer the user’s location by measuring the time it takes for a message to arrive, using the message’s delivery status as the signal. iOS and Android users are equally vulnerable.
This can work well because Internet networks and messaging application server infrastructure have specific physical characteristics that lead to standard signal paths. As a result, delivery status notifications have predictable delays based on the user’s location.
For more precise locations, the attacker can do this multiple times and prepare a data set to determine which of several possible regions the victim is in, such as the victim’s home, work, etc. For this attack to work, there must be at least a short conversation between the attacker and the victim on one of these chat applications.
Signal and Threema, which present themselves as privacy- and security-focused apps, appear to be more vulnerable to these attacks: a timing attack can be used to infer the location of Signal users with 82% accuracy and Threema users with 80%. In the case of WhatsApp, this number is 74%.
The researchers found that the attack is unlikely to work when the device is idle at the time the message is received. They therefore suggested that developers display random delivery confirmation times to senders. This would defeat the timing attack without affecting the practical utility of delivery notifications.
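To see why randomized confirmation times blunt the attack, the following simulation (an added example, not code from the researchers or this article) measures how well a simple nearest-mean classifier separates two locations as random padding is added to each delivery confirmation. The location names, delay values and the uniform padding scheme are constructed assumptions chosen for illustration.

```python
import random
import statistics

# Constructed values, not measurements: mean delivery-confirmation delay (ms)
# and natural spread (ms) for two hypothetical receiver locations.
LOCATIONS = {"home": (310.0, 12.0), "work": (355.0, 12.0)}


def observed_delay(rng, location, max_padding_ms):
    """Delay the sender sees: network path delay plus random padding."""
    mean, spread = LOCATIONS[location]
    return rng.gauss(mean, spread) + rng.uniform(0.0, max_padding_ms)


def classifier_accuracy(max_padding_ms, train_n=200, test_n=2000, seed=1):
    """Fraction of confirmations a nearest-mean classifier labels correctly."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    # Labelled data set: average observed delay per location.
    centroids = {
        loc: statistics.fmean(
            observed_delay(rng, loc, max_padding_ms) for _ in range(train_n)
        )
        for loc in LOCATIONS
    }
    names = list(LOCATIONS)
    correct = 0
    for _ in range(test_n):
        truth = rng.choice(names)
        delay = observed_delay(rng, truth, max_padding_ms)
        guess = min(names, key=lambda loc: abs(delay - centroids[loc]))
        correct += guess == truth
    return correct / test_n


if __name__ == "__main__":
    # Sweep the padding range to see where accuracy approaches 0.5 (chance).
    for padding in (0, 25, 100, 400, 1000):
        print(f"padding 0-{padding:>4} ms -> accuracy {classifier_accuracy(padding):.2f}")
```

With no padding the two constructed locations are separated almost perfectly; once the padding range is much wider than the gap between their mean delays, accuracy falls to roughly a coin flip.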
Users concerned about location privacy can try turning off the delivery notification feature or using a VPN to increase latency or delay.