If you use Signal, you probably know it’s considered one of the most secure messaging apps available. It uses end-to-end encryption (E2EE) by default to ensure that only you and your intended recipient can read your messages. And that’s a valid claim. With E2EE, nobody, aside from you and your intended recipient, will be able to read your messages – not even the folks over at Signal can read them.
But what about other types of data, like location data? Researchers have recently discovered a way to deduce your location with impressive accuracy, despite Signal’s end-to-end encryption. This post exposes how the above scheme works and provides some tips to help you avoid it.
Surprise, your location data is exposed
A group of security researchers discovered a method to deduce the location of Signal users with an accuracy of roughly 82% using a specially-crafted timing attack. In this scheme, attackers measure the time it takes the target to receive their messages based on the timing of the delivery notification that the target’s device sends back to them.
Both mobile networks and instant messaging server infrastructure have fixed characteristics that determine the message’s path for delivery (i.e., the signal pathway). These signal pathways generate predictable delays in the delivery times depending on the target’s location. And regardless of which device is running Signal (smartphone, tablet, or desktop), they’re all vulnerable to this attack. The operating system is irrelevant.
Let’s unpack that.
What the above means is that were I to send you a message and time how long it takes for me to receive the message’s delivery notification – not the read notification – that timing correlates to the distance the message needs to travel to reach your device.
The timing has to be very precise to have any value. But that precision can easily be achieved by running a packet capture application like Wireshark. The attackers need an established baseline to infer locations from the timing data. To do that, they start by sending the target a message when they know where they are. So attackers message their target when they know they’re at work and measure the timing of the delivery notification. They then repeat the above steps when they know the target is at other locations (home, the cinema, their parents’ place, etc.).
Now that the attackers have the calibration data, they can locate their target when they don’t already know their location. They simply measure the timing of the notifications and reference that timing against one of the known locations within the calibration data.
So this timing attack could be used to locate the target’s country or city, whether connected to WiFi or mobile internet. And suppose the attackers create an extensive calibration dataset against a target. With that calibration data, they could easily infer their target’s location among the various possibilities within a city, like “home,” “office,” “gym,” etc. All based on nothing else but the timing of delivery notifications.
The harms of location tracking
It can be gut-wrenching to find out that an app that’s meant to be the gold standard of private and secure messaging would be vulnerable to this timing attack. But providing users with a false sense of privacy and security is just part of the picture. Various harms can result from sharing your location information, whether willingly or unknowingly.
Providing access to your location data makes you vulnerable to all sorts of harm. Geolocation data is uniquely intimate data that reveals much about our daily lives. It isn’t for nothing that data brokers consider location data to be some of the most valuable information in their databases.
Some of these harms include:
- Stalking
- Theft
- Domestic abuse
- Blackmail
- Discrimination
- Manipulation
The above list is just a tiny sample of what could happen. If someone with nefarious intent can follow your movements over time, you’re leaving the door open for all sorts of nasty things to come in.
This attack is not as easy as it sounds
Thankfully, to pull off this attack, the perpetrator will need to do more than just send the target a message and stare at their phone to measure how long it takes them to get the target’s delivery notification.
For starters, it’s worth noting that this attack cannot occur between complete strangers. The perpetrator must know the victim to a certain extent, as they must have previously messaged each other on WhatsApp in order for the attack to work.
Then the attacker must use Wireshark – or a similar packet capture application – to perform network traffic analysis to figure out which packets are part of the delivered status notifications. These packets can be identified by their size or their structure pattern.
Once the notification packets are identified, the attackers will classify the list of locations. They’ll then correlate them to measured round-trip times that have been matched to the target’s locations by referencing them against the calibration data.
How can we prevent this attack?
How you can prevent this attack depends on whether you’re server-side (Signal developers) or client-side (Signal users).
Server-side defenses
In testing this timing attack, the researchers noticed something revealing. In some cases, the phones would idle before receiving messages. Because of that, the delay in delivery notifications was skewed, effectively voiding the timing data. And that observation led to the first mitigation method: randomizing the timing of delivery notifications within the app. The researchers state that adding a delay between 1 and 20 seconds should thwart this timing attack while maintaining the usefulness of delivery notifications.
Client-side defenses
Unfortunately, disabling location service on your device will be no help because this is a timing attack. The attackers aren’t “collecting” your location information sent by your phone using an API. They’re inferring it according to the timing of your device’s delivery notifications.
There’s still something we can do to potentially prevent this timing attack: use a VPN with Signal
One way Signal users can mitigate this attack is by using a VPN, we particularly recommend NordVPN.
VPNs invariably add latency to your device’s connection. And that “bonus” latency should be enough to protect you from this attack because the timing will be out of whack relative to the attacker’s calibration data. Other tips while using a VPN would be:
- Connect to a VPN server that’s far away from your physical location. This is to make sure you’re adding enough latency to offset the timing of your delivery notifications.
- Try regularly switching VPN servers to add a bit more randomness to the timing data.
WANT TO TRY THE TOP VPN FOR SIGNAL RISK FREE?
NordVPN is offering a fully-featured risk-free 30-day trial if you sign up on this page. You can use the VPN rated #1 for Signal with no restrictions for a month—great if you want to test out the service before making a long-term commitment.
There are no hidden terms—just contact support within 30 days if you decide NordVPN isn't right for you, and you'll get a full refund. Start your NordVPN trial here.
Conclusion
So that’s how a timing attack can be used to reveal your location when using Signal. It’s pretty nasty. But at least we have a workaround to reduce the risk of the attack until the developers hopefully integrate random timing delays in their notification delivery system.
Remember, apps and services are only secure until they aren’t. The cat-and-mouse game of cybersecurity will never end, and the best way to stay safe is to stay informed.
