Key Takeaways
1. A security flaw in end-to-end encrypted messaging apps, particularly WhatsApp and Signal, has been discovered by scientists at the University of Vienna.
2. The flaw allows tracking of devices through Round-Trip Time (RTT) data using silent delivery receipts from messages.
3. A new tool on GitHub exploits this vulnerability to encourage WhatsApp to address the security issue and improve user privacy.
4. Accumulated RTT data can reveal user habits, device activity, and network types, potentially compromising privacy.
5. Current protections against this tracking are limited, with no alerts for users, no blocking options, and the only drastic measure being to uninstall affected messaging apps.
A team of scientists from the University of Vienna has discovered a small yet significant security flaw in end-to-end encrypted (E2EE) messaging applications. Their research, which came out on November 17, 2024, is titled “Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers.” It emphasizes how devices can be tracked using Round-Trip Time (RTT) data when applications like WhatsApp or Signal are used.
New Tool on GitHub
Recently, a new program has been made available on GitHub that can take advantage of this vulnerability in WhatsApp. Although the existence of such a tool raises ethical questions, its main aim is to encourage WhatsApp to fix the security issue and enhance user privacy.
The concept behind this tool is quite straightforward. The tracker dispatches reaction messages to fake message IDs. The target device still sends back a delivery receipt. This response, which the user cannot see, discloses the time needed to send and receive the altered request—the RTT.
Implications of RTT Data
Even though these data points do not immediately pinpoint a user’s location, they can be quite useful when accumulated over time. Patterns in the RTT data can show when a device is being actively used or is in standby. It may also reveal the type of network connection, whether it’s Wi-Fi or cellular. By examining these usage patterns over several hours or days, attackers could infer user habits. Moreover, the continuous requests drain the battery and mobile data of the targeted smartphone.
At present, users have very few ways to protect themselves against this tracking technique. There are no alerts on smartphones notifying users of such surveillance. The attacker’s phone number is not available, making it impossible to block them. Neither Signal nor WhatsApp currently provide an option to turn off delivery receipts. A drastic measure is the only choice available right now: uninstalling all affected end-to-end encrypted messaging apps from your device.
Device Activity Tracker on GitHub
The Device Activity Tracker by gommzystudio is now on GitHub. The research “Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers” is available via Arxiv.
Source:
Link