A new study by security researchers has sent alarm bells ringing.
The study has talked about a unique means by which a user’s location data can be exposed through apps that are known to be so secure. This included the likes of WhatsApp and Signal.
While the researchers didn’t go into too much detail about the full method used to measure this, they claim their tests were 80% reliable. Also, it highlighted how it was now possible to find out a user’s location through popular texting apps. And today, actors launch the most specially curated attack that is time-specific.
This is also when they talked in detail about how long it took for any attacker to get message delivery status across the board on texts sent out to target audiences.
Today we are constantly facing increasing threats from all directions and seeing mobile networks offer internet and IM apps has meant that there is going to be some delay depending on where exactly you are located.
To put it simply, if a sender drops a text, they are going to time the duration for it to be received. There are several indicators for that. Therefore, the time indicates how far the message had traveled.
As you know, this kind of timing is going to be of high precision. But that can be easily accomplished by double-checking the details in logs on packet apps like Wireshark.
These types of attacks can be extremely limited across different apps, so they will be used against a small number of specific targets that you may be aware of. You will be forced to send out messages to contacts when a specific location of the user is known and then can observe the time it takes.
After such calibration data is completed, you will have the chance to find out its specific location by sending a message.
By analyzing a network’s traffic, attackers get a better estimate of which packets were delivered status notifications. And in the case of the apps assessed by the security experts, the packages were outlined as having predetermined sizes or even structures that could be identified by different patterns.
For the next step, attackers must classify different locations and then allow matching by enabling “round-trip” timing. Making an effort to correlate these things is the next step when you have a target location determined using this type of data.
In terms of how well the apps performed in such experiments, Whatsapp came third with 74%, followed by 80% for apps like Threema. Shockingly, Signal scored the highest for exposing users’ data at 82%.
Research teams argue that one of the best ways for users to maintain security and privacy is if apps used on a daily basis like these will add a level of randomness to the timings. Besides, it’s just another solid way to guarantee that such data isn’t leaked.
Developers were recommended to add systems that randomize confirmation times for message deliveries to senders. And by that they mean that a period of 1 to 20 seconds could be enough to predetermine that such attacks were not possible.
As of now, two of the three companies outlined were said to be involved in investigations related to the case.
But if you really want to protect yourself as best as possible, experts say it’s time to turn off notification alerts that inform the sender that a message was delivered in the first place. It only confirms when texts are delivered and when they are read. And in case you’re looking for an easier shortcut, well, just use a VPN as it introduces randomization
Read next: Hacked accounts can be bought for just $6 according to this report