Hope of Delivery: Extracting User Locations From Mobile Instant Messengers

19 Sep 2023 - Katharina Kohls

Did you ever see one of the delivery status notifications in a mobile messenger? For example, WhatsApp uses a double-check to indicate that a message is sent out (one check) and arrived at the destination (second check). This is a handy little notification that shows you whether a message was delivered (or not if there are connectivity issues) and it provides some feedback about an otherwise asynchronous connection. Unfortunately, this little status message leaks important information about your connection! How does that happen? Well, to explain this we have to explain some basics first.

Whenever sending information through the Internet, it takes some time until the packet arrives at the destination. This is due to the fact that, although it travels very fast, information still has to be transmitted. The fastest connection you can get nowadays is a transmission through a fiber cable that operates at the speed of light. The speed of light is approximately 300,000km per second and we can use it as an upper bound. No matter how advanced your Internet connection is, you won’t transmit information faster than that. We can use this speed to translate a transmission time into a distance. Let’s say you send a message and it travels for 0.02s, then it can reach anything within the reach of 6000km when traveling at the speed of light. For comparison, that’s the distance between Bochum and New York. We can make use of this! By measuring how long it takes to receive the delivery status notification, we get an estimate of where the destination of our connection is. Following our Bochum-New York example it would take 0.04s to send the message (one way from Bochum to New York) and receive the delivery status (second way from New York to Bochum). To be fair, 0.04s could be anything in reach of 6000km but still, it’s a starting point!

We made use of this starting point and looked at different messengers, their infrastructures, and attacker models. The good news first: An attacker can’t just use this information and localize any person at any place. But it’s possible to learn where one of your contacts is, just from measuring the status notification. And this becomes possible by just sending a message to the target, which is nothing too conspicuous if it appears to be someone from the contact list: “While making use of this side channel is mostly limited to people who are in each others’ contact lists and have already started a conversation before, it yet comprises an unexpected and privacy-infringing act with very low technical requirements that is equally hard to detect and hard to mitigate for a potential victim.”

Source: [Link to orignal PDF]