If you’re a Threema user, you’re probably aware it’s a secure messaging app that uses end-to-end encryption (E2EE) by default to ensure that only you and your intended recipient can read your messages. And that’s a valid claim. Because E2EE is the default in Threema, nobody, aside from the person you’re messaging, will be able to read your messages – not even Threema itself.
But what about other types of data, like your location?
As it turns out, researchers have recently discovered a way to deduce your location with a high probability of accuracy, despite Threema’s end-to-end encryption.
This post will expose how the above scheme works and provide some tips for mitigation.
A surprising way of exposing location data
Security researchers discovered a way to get the location of Threema users with roughly 80% accuracy via a specially-crafted timing attack. The attackers measure the time it takes for their target to receive their messages based on the timing of the delivery notification sent back to them from the target device.
The characteristics of the mobile network and of the instant-messaging server infrastructure determine the signal pathway – the route a message takes to be delivered. These pathways introduce delays that vary predictably with the target’s location. Note that the operating system of the device running Threema is irrelevant; all of them are vulnerable to this timing attack.
Let’s unpack that a bit.
The above means that if I send you a message and time how long it takes for me to receive the message’s delivery notification – not the read notification – that timing represents the distance the message needs to travel to reach your device.
The timing must be extremely precise, of course, to have any value. But that’s easily achieved by running a packet capture application like Wireshark. To deduce locations from the timing data, the attackers first need to establish a baseline. So the attackers must start by sending the target a message while the target is at a known location. They message the target when they know the target is at work and note the timing of the delivery notification. Then they repeat those steps when they know the target is at home, the cinema, their parents’ place, etc.
That’s the calibration data. Once they have it, the attackers are then able to locate their target simply by measuring the timing of the notifications and referencing that timing to one of the locations in the calibration data.
As Sven Taylor from Restore Privacy, a digital privacy advocacy group, stated, “By measuring these delays in a preparatory work stage, like sending messages when the target’s location is known, an attacker could figure out where the message recipient is located at any time in the future by simply sending them a new message and measuring the time taken for the delivery status notifications to arrive.”
As a result, this timing attack could be used to locate the target’s country or city, regardless of whether they are connected to Wi-Fi or mobile internet.
Say the attackers run through enough tests to create an extensive dataset against a target. With that calibration data, they could deduce their target’s location among a set of possibilities within a city, like “home,” “office,” “gym,” etc., based on nothing else but the timing of delivery notifications.
The harms of location tracking
It’s somewhat dumbfounding that an app that’s supposed to be private and secure would be vulnerable to a timing attack such as this. But other than providing users with a false sense of privacy and security, there are a number of harms that can result from sharing your location information, voluntarily or not.
Disclosing your location data opens you up to all sorts of potential harms. Geolocation data is extremely intimate data that reveals quite a bit about our lives. There’s a reason data brokers consider location data to be some of the most valuable information they can get their hands on.
Some of the harms include:
- Theft and identity theft
- Domestic abuse
The above list is just a sliver of what could happen. If a bad actor can follow your movements over time, you’re vulnerable to all sorts of harm.
The good news is that it’s not as easy as it sounds
This attack can’t be pulled off just by sending the target a message and staring at your phone with a stopwatch to measure how long it takes for you to receive the target’s delivery notification.
As Restore Privacy states, “For the timing attack to work, the adversary needs to use a smartphone for sending the messages and a packet capture application like Wireshark to analyze their own TCP traffic and extract the timing information. The attacker and the victim must know each other and must have engaged in previous conversations on the IM app, which is a requirement for both the attack and the preparatory work.”
That means the attackers can only mount the attack against targets they already know and have messaged before. And they will have to perform network traffic analysis to find out which packets carry the delivered-status notifications. These packets have a fixed size or structural pattern that makes them identifiable.
Once these packets are identified, the attackers measure the round-trip times and match each one against the calibration data to work out which of the target’s known locations it corresponds to.
How can we mitigate this?
The ways to mitigate this attack will depend on whether you’re server-side (Threema developers) or client-side (Threema users).
While testing out this timing attack, the researchers noticed that in some cases the phones would be idle when receiving messages. That would further delay the delivery notifications, making the timing data unusable. And that set off a lightbulb in the researchers’ heads.
A good way for the developers to mitigate this issue would be to randomize the timing of delivery notifications. The researchers state that a random delay of anything between 1 and 20 seconds should foil this timing attack while still keeping delivery notifications useful to users.
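To see why the randomized delay defeats the calibrate-and-match scheme described above, here is a small simulation added for this post (it is not code from Threema or from the researchers). The round-trip values, the noise model and the nearest-centroid matching are constructed assumptions, not real measurements.

```python
import random
import statistics

# Constructed ground truth (not real measurements): the round-trip time in
# milliseconds from sending a message to receiving its delivery receipt while
# the target is at each location. The few-ms gaps are what the attack exploits.
BASE_RTT_MS = {"home": 415.0, "office": 464.0, "gym": 532.0}

def measure(rng, location, jitter):
    """One observed round-trip time: base path latency plus small network noise,
    and, if the app randomizes receipts, a uniform 1..20 s hold before sending."""
    rtt = BASE_RTT_MS[location] + rng.gauss(0.0, 4.0)
    if jitter:
        rtt += rng.uniform(1.0, 20.0) * 1000.0
    return rtt

def calibrate(rng, jitter, samples=5):
    """Preparatory stage: average a few timings per known location."""
    return {loc: statistics.mean(measure(rng, loc, jitter) for _ in range(samples))
            for loc in BASE_RTT_MS}

def classify(rtt_ms, calibration):
    """Nearest-centroid match of a new timing against the calibration data."""
    return min(calibration, key=lambda loc: abs(calibration[loc] - rtt_ms))

def accuracy(jitter, trials=2000, seed=1):
    """Fraction of trials in which the timing alone recovers the true location."""
    rng = random.Random(seed)
    calibration = calibrate(rng, jitter)
    locations = list(BASE_RTT_MS)
    hits = 0
    for _ in range(trials):
        true_loc = rng.choice(locations)
        if classify(measure(rng, true_loc, jitter), calibration) == true_loc:
            hits += 1
    return hits / trials

if __name__ == "__main__":
    # Without jitter the timing pins down the location almost every time;
    # with a 1-20 s random hold the match is no better than guessing (about 1 in 3).
    print(f"no jitter    : {accuracy(False):.2f}")
    print(f"1-20 s jitter: {accuracy(True):.2f}")
```

A few seconds of random hold swamps the millisecond-scale differences between network paths, which is why the calibration data stops being useful.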
Disabling location service on your device won’t help mitigate the attack because this is a timing attack. The attackers aren’t “collecting” your location information sent by your phone via some API. They’re deducing it based on the timing of your device’s delivery notifications. But there are still a couple of things we can do to steer clear of this timing attack.
Threema users can disable the delivery notification feature within the app by disabling “Read Receipts”.
Disabling read receipts on iOS
Here’s how to disable Threema read receipts on iOS:
- Open Threema.
- Select the Settings gear icon at the bottom right.
- Select Privacy.
- Toggle the Read Receipts switch to the Off position.
Disabling read receipts on Android
Here’s how to disable Threema read receipts on Android:
- Open Threema.
- Tap the three dots menu at the top right of the app. A menu is displayed.
- Select Settings.
- Select Privacy.
- Untick the Send read receipts box.
Use a VPN
Another way for Threema users to mitigate this timing attack would be to use a VPN. Using a VPN inevitably adds extra latency to your device’s connection. And that extra latency will be enough to neuter this attack as the timing won’t line up. Additional tips while using a VPN would be:
- Connect to a VPN server that’s relatively far from your actual physical location to make sure you’re adding enough latency to offset the timing of delivery notifications.
- Switch VPN servers now and then to add further randomness to the timing data. A multi-hop VPN would be a good solution as it will do this for you.
So, that is how Threema is vulnerable to a timing attack that can reveal your location. The good news is that there are some workarounds to mitigate this attack until the developers update the app and integrate random timing delays in the notification delivery system.
As if we needed more proof that cybersecurity is a never-ending game of whack-a-mole. Apps and services are only secure until they aren’t.
As always, stay safe.