If you use WhatsApp, you probably already know it’s marketed as a secure messaging app that uses end-to-end encryption (E2EE) to ensure only the intended recipient can read your messages. And that claim is valid. Because E2EE is enabled by default in WhatsApp, nobody, aside from the person you’re messaging, is able to read your messages – not even Meta (formerly Facebook, WhatsApp’s parent company).
But, unfortunately, that’s not the whole story. There are other types of data involved when using WhatsApp that are not so protected. For example, Security researchers recently discovered a way to infer your location with a high probability of accuracy, despite WhatsApp’s end-to-end encryption.
This post will expose how the above scheme works and explain how you can protect yourself while using the messaging service.
How your location data can be exposed on WhatsApp
Security researchers have discovered a way to obtain the location of WhatsApp users with close to 75% accuracy using a specific timing attack. The attackers will send their target a message and measure the time it takes to be received based on the delivery notification sent back to the attacker.
All operating systems and devices running WhatsApp are vulnerable to this timing attack. This is because the way mobile networks and instant messaging server infrastructure are configured determines the path the message will take for delivery. In other words, these signal pathways result in predictable delays in delivery according to the target’s location.
Let’s unpack that a little.
What the above means is that if I send you a message and time how long it takes for me to receive the message’s delivery notification – not the read notification – that timing equates to the distance the message needs to travel to reach your device.
Of course, the timing must be extremely precise to have any value. But that can easily be achieved by running a packet capture application like Wireshark. To infer locations from that timing data, the attackers will need to establish a baseline. That means the attackers must first message the target when they’re at known locations. So they send the target a message when they know they’re at work and note the timing of the delivery notification. They then repeat those steps when the target is at home, the gym, their parents’ place, etc.
Once they have this calibration data, the attackers will then be able to locate their target, even when they don’t already know their location, by measuring the timing of the notifications and matching that timing with one of the locations in the calibration data.
The researchers found that this timing attack could allow attackers to find the victim’s country, city, or district, regardless of whether they are connected to WiFi or LTE/5G.
The dangers of location tracking
It’s pretty jarring that an app that promotes itself as a secure and private messenger app would be vulnerable to this timing attack. But beyond providing its users with a false sense of privacy and security, a significant number of harms could result from disclosing your location information.
Sharing your location data voluntarily or involuntarily opens you up to all sorts of potential harm. Geolocation data is extremely revealing about our lives. That’s why data brokers consider location data to be some of the most valuable information they can collect.
Some possible risks include the following:
- Domestic abuse
And the list goes on. If an ill-intentioned individual can track your movements over time, you’re vulnerable to all sorts of harm. The above list is just a sliver of what could happen.
Thankfully, this attack is harder than it sounds
This attack isn’t achieved by simply sending the target a message and using a stopwatch to measure how long your phone takes to receive the delivery notification.
For starters, it’s worth noting that this attack cannot occur between complete strangers. The perpetrator must know the victim to a certain extent, as they must have previously messaged each other on WhatsApp in order for the attack to work.
Then the attacker must use Wireshark – or a similar packet capture application – to perform network traffic analysis to figure out which packets are part of the delivered status notifications. These packets can be identified by their size or their structure pattern.
Once the packets are identified, the attackers classify the various locations and attempt to match them to round-trip times correlated to the target’s locations by referencing the calibration data set.
How can you prevent your location being discovered?
The ways to mitigate this attack vary depending on whether you’re server-side (WhatsApp developers) or client-side (WhatsApp users).
As it turns out, while testing out this scheme, the team of researchers found that sometimes the phones would idle when receiving messages, affecting the timing of the delivery notices and neutering that specific attempt.
Hence, a good way for the developers to mitigate this issue would be to randomize the amount of time it takes for the sender to receive delivery confirmations. The researchers state that anything between 1 and 20 seconds should neuter this timing attack while maintaining the usefulness of delivery notifications.
Because this is a timing attack used to deduce your location, disabling location service on your device won’t help. Still, there is something you can do to steer clear of this timing attack: use a VPN with WhatsApp.
Using a VPN adds latency to your device’s connection. And that extra latency should be enough to obfuscate your location data and thwart this attack.
Additional tips while using a VPN would be:
- Connect to a VPN server that’s reasonably far from your actual physical location to ensure you’re getting enough added latency to blur the timing of delivery notifications.
- Periodically switch VPN servers to add more randomness to the timing data.
WANT TO TRY THE TOP VPN FOR WHATSAPP RISK FREE?
NordVPN is offering a fully-featured risk-free 30-day trial if you sign up on this page. You can use the VPN rated #1 for WhatsApp with no restrictions for a month—great if you want to test out the service before making a long-term commitment.
There are no hidden terms—just contact support within 30 days if you decide NordVPN isn't right for you, and you'll get a full refund. Start your NordVPN trial here.
So, that is how WhatsApp is vulnerable to a timing attack that can reveal your location. Thankfully there is a workaround you can use to neuter this attack vector until the developers plug the hole by integrating random timing delays in the notification delivery system.
It just goes to show that cybersecurity is a never-ending game of whack-a-mole. Apps and services are secure… until they aren’t.
As always, the best way to stay safe is to stay informed.