A team of researchers has found that it’s possible to infer the locations of users of popular instant messenger apps with an accuracy that surpasses 80% by launching a specially crafted timing attack.
The trick lies in measuring the time taken for the attacker to receive the message delivery status notification on a message sent to the target.
Because mobile internet networks and IM app server infrastructure have specific physical characteristics that result in standard signal pathways, these notifications have predictable delays based on the user’s position.
[Figure: Mapping the infrastructure of popular IM apps]
By measuring these delays in a preparatory stage, for example by sending messages while the target’s location is known, an attacker could later work out where the message recipient is located simply by sending them a new message and measuring the time taken for the delivery status notifications to arrive.
According to the researchers’ technical paper, this timing attack could work well enough to determine the recipient’s country, city, and district, and even whether they are connected to WiFi or mobile internet.
If the attackers perform enough tests to build an extensive dataset against a target, they could infer the target’s position among a set of given possible locations in a city, like “home”, “office”, “gym”, etc., based on nothing but the delivery notification delay.
[Figure: Experiment steps to perform the attack]
These notifications are standard across many popular IM apps, and the researchers confirmed they are exploitable