Freaky Leaky SMS: Extracting User Locations by Analyzing SMS Timings
arxiv.org
Short Message Service (SMS) remains one of the most popular communication channels since its introduction in 2G cellular networks. In this paper, we demonstrate that merely receiving silent SMS messages regularly opens a stealthy side-channel that allows other regular network users to infer the whereabouts of the SMS recipient. The core idea is that receiving an SMS inevitably generates Delivery Reports whose reception bestows a timing attack vector at the sender. We conducted experiments across various countries, operators, and devices to show that an attacker can deduce the location of an SMS recipient by analyzing timing measurements from typical receiver locations. Our results show that, after training an ML model, the SMS sender can accurately determine multiple locations of the recipient. For example, our model achieves up to 96% accuracy for locations across different countries, and 86% for two locations within Belgium. Due to the way cellular networks are designed, it is difficult to prevent Delivery Reports from being returned to the originator making it challenging to thwart this covert attack without making fundamental changes to the network architecture.

Evangelos Bitsikas, who is pursuing a PhD in cybersecurity at the Northwestern University in the US, applied a new machine-learning program to data gleaned from the SMS system of mobile devices.

Receiving an SMS inevitably generates Delivery Reports whose reception bestows a timing attack vector at the sender. Bitsikas developed an ML model enabling the SMS sender to determine the recipient’s location with a 96% accuracy for locations across different countries, the researcher says in a study.

The basic idea is that a hacker would send multiple text messages to the target phone, and the timing of each automated delivery reply creates a fingerprint of the target’s location. These fingerprints have ever been there but weren’t a problem until Bitsikas’ group used ML to develop an algorithm capable of reading them. They can be fed into the machine-learning model, which then responds with the predicted location.

According to the researcher, it doesn’t matter whether or not the communication is encrypted.

  • jet@hackertalks.comEnglish
    0·
    1 year ago

    This is another excellent reason to never give anyone at all your cell phone number. Give them a voice number, like Google voice, Google Fi, voip.ms. The number of people have should not be the number attached to the device you walk around with.

    Then if somebody wants to track you by your phone number they’ll have to go to the phone service who is not connected directly to your phone other than through the internet. And then they’ll have to track you through the internet. So it won’t be a data broker selling your location data enmass indexable by your known phone number.

    • honk@feddit.deEnglish
      0·
      1 year ago

      This type of attack theoretically also works with signal or telegram or whatever message service that works entirely without a phone number.

      • jet@hackertalks.comEnglish
        0·
        1 year ago

        I don’t think I understand the attack then. So a timing attack on Read receipts gives you approximate location how?

        I understood the SMS case because the tower data could then be extrapolated. But if we’re just talking about a standard internet application like signal. The read receipts are coming over the internet and not coming from Tower records.

        Or at least that’s my understanding. If I have a computer attached to some point on the internet. People could use ping timings to theoretically restrict the location but not very accurately right?

        • honk@feddit.de
          0·
          1 year ago

          You just measure the time until the delivery recipe arrives. You can approximate how far away the recipient is. Now you keep doing that while changing your own location (use vpns etc.) and you can slowly get a more accurate location of the target. Now you automate that stuff and also utilize machine learning to interpret the data.