Exploiting Delivery Receipts: How Hackers Monitor WhatsApp and Signal Users
In a recent revelation, security experts have identified a significant privacy vulnerability, termed Careless Whisper, affecting popular messaging platforms WhatsApp and Signal. This flaw enables malicious actors to clandestinely monitor user activities by exploiting delivery receipts, all without the user’s knowledge or prior interaction.
Understanding the Careless Whisper Vulnerability
The core of this vulnerability lies in the manipulation of delivery receipts, the notifications that confirm a message has been delivered. By sending specially crafted, invisible messages, such as reactions to nonexistent content or expired edits, attackers can trigger these receipts. The time a receipt takes to return, known as the round-trip time (RTT), can inadvertently disclose the state of the recipient’s device.
Mechanism of Exploitation
Attackers can initiate this exploit using only the target’s phone number. By dispatching these stealthy messages, they can observe variations in RTT:
– Approximately one second when the target’s screen is active.
– Around two seconds when the screen is off.
– About 300 milliseconds if the app is running in the foreground on iPhones.
This method allows for continuous tracking of over three billion WhatsApp users and millions on Signal, potentially leading to routine surveillance or even battery depletion.
Amplified Precision Through High-Frequency Pings
Unlike earlier, overt methods, which were limited by the notifications they caused, this technique uses high-frequency pings, at sub-second intervals on WhatsApp. This raises the precision of monitoring without alerting the user, making it a far more insidious threat.
Complications with Multi-Device Setups
The situation becomes more complex for users with multiple devices linked to their accounts. Companion clients, such as the web or desktop versions, respond separately to these stealthy messages. Because each device answers on its own, changes in online status become observable, such as a desktop client starting up, which may indicate the user’s arrival at an office.
Real-World Implications
In practical scenarios, researchers have demonstrated the ability to track a device’s network changes, such as switching between Wi-Fi and LTE, monitoring calls, and syncing with laptops across different networks. This level of surveillance can lead to inferences about a user’s daily schedule, screen time, and app usage patterns.
Comparative Analysis of Messaging Platforms
A comparative study of various messaging platforms reveals differing susceptibilities:
– WhatsApp: Allows stealthy monitoring from strangers, with independent receipts for each device.
– Signal: Similar to WhatsApp in terms of stealthy monitoring and independent receipts.
– Threema: Does not permit stealthy monitoring from strangers and uses synchronized receipts, making it less vulnerable to this type of exploitation.
Technical Insights: RTT Patterns and Device Fingerprinting
The RTT patterns can be used to fingerprint operating systems based on the order of receipt responses. For instance, Android and iOS devices exhibit different response orders, while macOS devices show a reversed stacked pattern. Additionally, variations in jitter can help distinguish between different chipsets, such as Qualcomm versus Exynos.
Potential for Battery Drain and Data Consumption
Beyond privacy concerns, this exploit can be used offensively to drain a device’s battery or consume data. By sending oversized reactions with payloads up to 1MB, attackers can induce data usage of 3.7MB per second, amounting to 13GB per hour. This can silently inflate data bills or drain batteries by 14-18% per hour on devices like iPhones and Samsungs. Notably, there are no rate limits in place to curb such sustained attacks.
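Even though message content is end-to-end encrypted, a sustained flood of reactions leaves server-visible metadata: timestamps, sender and recipient, and payload size. The following added example (not code from the page, the researchers or either platform) runs a simple sliding-window detector over a constructed log to show how such abuse could be spotted; the log format, the sender names, the INVISIBLE message kinds and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed server-side metadata log (added example, not vendor data).
# Format: "<epoch_seconds> <sender> -> <recipient> <kind> <bytes>".
# mallory: many small invisible reactions in under two seconds (rate abuse).
# eve:     a few oversized reactions (volume abuse, cf. the 1MB payloads above).
SAMPLE_LOG = """\
1000.00 alice -> bob message 180
1000.00 eve -> victim reaction 1048576
1000.10 mallory -> victim reaction 8
1000.35 mallory -> victim reaction 8
1000.50 eve -> victim reaction 1048576
1000.60 mallory -> victim reaction 8
1000.85 mallory -> victim reaction 8
1001.00 eve -> victim reaction 1048576
1001.10 mallory -> victim reaction 8
1001.35 mallory -> victim reaction 8
1001.60 mallory -> victim reaction 8
1001.85 mallory -> victim reaction 8
1002.50 carol -> bob reaction 8
1004.00 alice -> bob message 90
"""

# Message kinds that reach a device without a user-visible notification
# (assumed classification, following the page's description).
INVISIBLE = {"reaction", "edit"}


def parse(log_text):
    """Parse the constructed log into (ts, sender, recipient, kind, bytes) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sender, _arrow, recipient, kind, size = line.split()
        events.append((float(ts), sender, recipient, kind, int(size)))
    return events


def peak_in_window(evs, window, weight):
    """Largest sum of weight(ev) over any span of `window` seconds (evs sorted by time)."""
    best, total, start = 0, 0, 0
    for i, ev in enumerate(evs):
        total += weight(ev)
        while ev[0] - evs[start][0] > window:   # evict events that fell out of the window
            total -= weight(evs[start])
            start += 1
        best = max(best, total)
    return best


def flag_floods(events, window=2.0, max_invisible=5, max_bytes_per_s=1_000_000):
    """Return {(sender, recipient): reason} for pairs exceeding a rate or volume threshold."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev[1], ev[2])].append(ev)
    flagged = {}
    for pair, evs in by_pair.items():
        evs.sort()
        invisible = [e for e in evs if e[3] in INVISIBLE]
        # Rate: more silent messages in one window than a human would plausibly send.
        if peak_in_window(invisible, window, lambda e: 1) > max_invisible:
            flagged[pair] = "rate"
        # Volume: sustained bytes per second, the data-bill / battery angle.
        elif peak_in_window(evs, window, lambda e: e[4]) / window > max_bytes_per_s:
            flagged[pair] = "volume"
    return flagged


if __name__ == "__main__":
    for pair, reason in sorted(flag_floods(parse(SAMPLE_LOG)).items()):
        print(f"{pair[0]} -> {pair[1]}: {reason}")
```

The two thresholds are deliberately separate: the rate check catches the timing probe (many tiny invisible messages), while the volume check catches the data-consumption variant even when the message count is low.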
Response from Platform Providers
The vulnerability was reported in September 2024. Meta, the parent company of WhatsApp, acknowledged the issue but, after 14 months, has yet to release a patch. Signal has not responded to the findings.
Recommendations for Mitigation
To address this vulnerability, researchers suggest several measures:
– Restricting Delivery Receipts: Limit the sending of delivery receipts to known contacts only.
– Introducing RTT Noise: Add random delays to RTT to obscure device state information.
– Client Validation of Message IDs: Ensure that message IDs are validated on the client side to prevent exploitation.
– Implementing Server Rate Limits: Set limits on the number of messages that can be sent in a given timeframe to prevent abuse.
As an interim defense, users are advised to adjust their privacy settings to limit messages from unknown contacts.
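To make the four recommendations above concrete, here is an added example that sketches each of them in code. It is not WhatsApp's, Signal's or the researchers' code: the client-side ReceiptPolicy, the consistent_states helper and the server-side TokenBucket are illustrative names, and the jitter window, size cap and rate values are assumed rather than taken from any platform.

```python
import random
from dataclasses import dataclass, field
from typing import Optional

# Added example; names, thresholds and the jitter window are assumptions.


@dataclass
class Incoming:
    sender: str
    kind: str                       # "message", "reaction" or "edit"
    msg_id: str                     # id of this message
    target_id: Optional[str] = None # id a reaction/edit refers to
    payload_bytes: int = 0


@dataclass
class ReceiptPolicy:
    """Client-side decision: whether to send a delivery receipt, and after what delay."""
    known_contacts: set
    seen_ids: set = field(default_factory=set)
    max_reaction_bytes: int = 1024            # assumed size cap for reactions
    jitter_range: tuple = (0.0, 3.0)          # assumed random delay window (s)
    rng: random.Random = field(default_factory=random.Random)

    def decide(self, m: Incoming):
        """Return (send_receipt, delay_seconds, reason)."""
        # Restricting delivery receipts: strangers get no receipt at all.
        if m.sender not in self.known_contacts:
            return False, 0.0, "sender-not-in-contacts"
        # Client validation of message IDs: a reaction or edit must refer to
        # a message this client actually holds, and must be reasonably sized.
        if m.kind in ("reaction", "edit"):
            if m.target_id not in self.seen_ids:
                return False, 0.0, "unknown-target-id"
            if m.payload_bytes > self.max_reaction_bytes:
                return False, 0.0, "oversized-reaction"
        self.seen_ids.add(m.msg_id)
        # Introducing RTT noise: a random delay so the receipt timing no
        # longer maps cleanly onto screen-on / screen-off / foreground.
        lo, hi = self.jitter_range
        return True, self.rng.uniform(lo, hi), "ok"


def consistent_states(observed_rtt, base_rtts, jitter_range):
    """Which device states could have produced an observed RTT?

    base_rtts maps state -> RTT without noise (the page's ~1 s / ~2 s figures);
    once jitter is added, an observation is explained by every state whose
    base + [lo, hi] window contains it, so a single sample stops being telling.
    """
    lo, hi = jitter_range
    return [s for s, base in base_rtts.items()
            if base + lo <= observed_rtt <= base + hi]


class TokenBucket:
    """Implementing server rate limits: `rate` messages/s per sender, burst of `capacity`."""

    def __init__(self, rate, capacity, now=0.0):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = float(capacity), now

    def allow(self, now):
        # Refill proportionally to elapsed time, then spend one token per message.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


if __name__ == "__main__":
    policy = ReceiptPolicy(known_contacts={"alice"}, seen_ids={"m1"},
                           rng=random.Random(7))
    for m in [Incoming("mallory", "reaction", "x1", "m1"),
              Incoming("alice", "reaction", "x2", "never-sent"),
              Incoming("alice", "reaction", "x3", "m1", 4)]:
        print(m.sender, m.kind, policy.decide(m))
    print(consistent_states(2.5, {"screen-on": 1.0, "screen-off": 2.0}, (0.0, 3.0)))
    bucket = TokenBucket(rate=1.0, capacity=5)
    print([bucket.allow(0.0) for _ in range(6)], bucket.allow(1.0))
```

The consistent_states helper is the reason the noise recommendation works: with the page's base RTTs and no jitter an observation of 2.0 s points only at "screen-off", whereas with a three-second jitter window the same class of observation is consistent with both states, so the attacker would need many samples and statistics rather than a single ping.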
Conclusion
The Careless Whisper vulnerability underscores the need for continuous vigilance and proactive measures in the realm of digital communication. As messaging platforms become integral to daily life, ensuring their security is paramount to protect user privacy and prevent potential exploitation.