"Delivery Confirmation in Messenger Apps Reveals Recipient's Location"
A security vulnerability in messenger services has been discovered by an international research team led by Dr. Theodor Schnitzler of TU Dortmund University. They discovered that measuring the time it takes for a message to be delivered makes it possible to distinguish different locations of a person in a user's contact list. Users of WhatsApp, Threema, and Signal are all familiar with the process of marking a message with a check mark after it has been sent. When the message is delivered to its intended recipient, a second check mark appears as confirmation. However, under certain conditions, the time between the first and second check marks appearing can be used to determine the location of the target cell phone. During a trip in Abu Dhabi, Dr. Schnitzler and his international colleagues noticed that a Messenger message sent to Germany took longer than usual to be marked as received with the second check mark. They connected a smartphone to laptop software that sent a message every ten seconds to recipient cell phones in Germany, the Netherlands, Greece, and the United Arab Emirates to study this phenomenon, and then analyzed the data traffic that occurred. The team discovered that the time it took for the delivery confirmation to arrive varied depending on the destination country. With this information, they were able to determine which of these countries the recipient device was located. They did this with an accuracy of 74 percent on Signal and WhatsApp and 84 percent on Threema. In a subsequent step, the researchers repeated the experiment on a local level, sending messages to smartphones in various cities and towns throughout the Ruhr region using the software. They were also able to determine the location of the recipient cell phone with an accuracy of more than 90 percent in some cases by measuring a characteristic delivery time based on location. It is also possible to read data very reliably to find out whether the receiving device is connected to a Wireless Local Area Network (WLAN) network or using mobile Internet. This article continues to discuss the security gap researchers found in WhatsApp, Threema, and Signal messenger services.