Signal, WhatsApp and Threema, which have become essential for circumventing censorship and mass surveillance in countries such as Russia and China, reportedly contain a vulnerability that allows the location of tracked individuals to be revealed.
Although the method does not sound precise, practical tests show that the coordinates obtained this way are accurate more than 80% of the time:
A team of researchers has found that the locations of users of popular instant messaging apps can be inferred with an accuracy exceeding 80% by initiating a specially designed synchronization attack.
The trick is to measure how long it takes the attacker to receive the delivery-status notification for a message sent to the target.
Because mobile Internet networks and the IM application's server infrastructure have easily predictable physical characteristics, determined by the communication mode and the distances covered, the delays (latency) along the route vary with the user's location.
In other words, once you identify the server connected for message brokering, you can measure at the millisecond level the latencies occurring when receiving/sending messages on WhatsApp to extrapolate the approximate location (e.g. city level) of the chat participants. From there, you can narrow your search by identifying ISP providers, possibly down to the IP address level. And if you are a state actor with unlimited influence over the ISPs in your country, narrowing the search down to the building/hotel room level will not pose much of a problem.
Timing needs to be very precise, but that is easily achieved by reading the timestamps logged by a packet-capture application such as Wireshark.
The attack is limited in its application, so it can realistically be used only against targets that are already under close surveillance. The method also requires a pretext for sending WhatsApp messages to the chosen target while the target is at a known location (home, work, or another place they visit regularly), in order to record the connection latencies that correspond to that location.
Only once this calibration data has been collected can the attacker move on to monitoring the target's daily movements, without needing GPS coordinates or any other data to establish the location with certainty.
Although it relies on correlated details that are hard to establish without day-to-day tracking of the person under surveillance, the strategy still allows the locations used to be tracked accurately, at least as long as the target does not suspect they are being watched and keeps a predictable pattern of daily activity.
The solution proposed by the security experts who discovered this vulnerability is to introduce a random mechanism for selecting the servers used to establish connections, which would prevent, or at least make much more difficult, identifying likely locations from connection records. In the meantime, the "emergency" solution is to use a VPN service, most of which already employ algorithms designed to counter precisely this attack vector by selecting connection nodes at random.
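To make the calibrate-then-monitor procedure above, and the reason the proposed randomization defeats it, concrete, here is an added simulation that is not part of the original article or of the researchers' work. It models two places the target regularly visits with constructed round-trip-time distributions (the numbers are illustrative, not measurements), builds a per-location timing fingerprint during a "calibration" phase, and then measures how often later receipts are attributed to the right place. The `jitter_ms` parameter is an assumed server-side mitigation: a uniformly random delay added before the delivery receipt is returned, which is one way a messenger could blur the distance-dependent signal.

```python
import random
import statistics

# Constructed round-trip-time models (milliseconds) for two places the target
# regularly visits: (mean RTT, standard deviation). Illustrative values only.
LOCATIONS = {
    "home": (45.0, 5.0),
    "office": (120.0, 8.0),
}


def receipt_rtt(rng, location, jitter_ms=0.0):
    """Return one simulated delivery-receipt round-trip time for a location.

    jitter_ms models an assumed mitigation: the server adds a uniformly
    random delay before sending the delivery receipt back.
    """
    mean, sd = LOCATIONS[location]
    base = max(1.0, rng.gauss(mean, sd))       # network/distance component
    return base + rng.uniform(0.0, jitter_ms)  # optional random padding


def calibrate(rng, n_samples, jitter_ms=0.0):
    """Calibration phase: the median RTT observed while the target is known
    to be at each location becomes that location's timing fingerprint."""
    return {
        loc: statistics.median(
            receipt_rtt(rng, loc, jitter_ms) for _ in range(n_samples)
        )
        for loc in LOCATIONS
    }


def classify(fingerprint, rtt):
    """Monitoring phase: attribute one observed RTT to the nearest fingerprint."""
    return min(fingerprint, key=lambda loc: abs(fingerprint[loc] - rtt))


def inference_accuracy(jitter_ms=0.0, n_cal=200, n_trials=2000, seed=1):
    """Fraction of later receipts attributed to the correct location.

    With no jitter the two locations are trivially separable; with enough
    random padding the attribution degrades toward a coin flip.
    """
    rng = random.Random(seed)
    fingerprint = calibrate(rng, n_cal, jitter_ms)
    locs = list(LOCATIONS)
    correct = 0
    for i in range(n_trials):
        truth = locs[i % len(locs)]  # alternate between the two places
        if classify(fingerprint, receipt_rtt(rng, truth, jitter_ms)) == truth:
            correct += 1
    return correct / n_trials


if __name__ == "__main__":
    for jitter in (0.0, 100.0, 600.0):
        acc = inference_accuracy(jitter)
        print(f"receipt jitter up to {jitter:4.0f} ms -> "
              f"location inferred correctly {acc:.1%}")
```

The design point is the size of the padding relative to the signal: with the constructed 75 ms gap between the two places, 100 ms of random delay still leaves the attribution well above 80%, while 600 ms pushes it toward 50%. Any real deployment would have to trade that delay against receipt responsiveness, and server-selection randomization as proposed by the researchers attacks the same signal from the other side, by making the distance itself vary.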