What WhatsApp and Signal reveal despite encryption

This article is therefore available in. It was translated with technical assistance and editorially reviewed before publication.

Signal and WhatsApp encrypt messages end-to-end, which means that they remain encrypted on the entire journey from sender to recipient. This applies to the content. But other information can be harvested with a little effort: at the IT security conference DEFCON 2025, the Austrian security researchers Gabriel Gegenhuber and Maximilian Günther presented their side-channel and protocol attacks on Sunday (local time).

As it turns out, the delivery confirmations of Signal and WhatsApp reveal information about the end devices used and their state. Delivery confirmations are not to be confused with read receipts, which each user can switch off in the settings of the app. Delivery confirmations are essential for the service so that it does not endlessly try to deliver messages that have already been delivered.

The round-trip time (RTT) of the delivery confirmation allows more conclusions than a layperson would expect. If it takes a long time, the device is offline. But fluctuations in the range of seconds reveal the state of the receiving device: the confirmation arrives fastest when the app is in the foreground, so it is probably in use. It is slower when the app is not in the foreground, and slower still when the screen is off or the browser tab is inactive.

This spread also differs depending on the device model, the connection type (LAN, Wi-Fi or mobile network) and the device state (whether a phone call is in progress or not). That is not all: the transmission of the confirmations is implemented differently for different device classes. The WhatsApp and Signal smartphone apps (Android, iOS) transmit delivery confirmations individually, whereas the desktop variants of the services transmit them in batches, and WhatsApp for macOS does so in reversed order.

Attackers can build databases from test series run with their own devices and later compare newly obtained data against them. At a glance, it is then possible to tell which devices are used under a WhatsApp or Signal account and what state they are probably in. This allows further conclusions to be drawn: if, for example, a certain desktop device or a certain browser instance is regularly online during office hours, the whereabouts of the target can be inferred when the delivery confirmations arrive. Conversely, delivery confirmations from a desktop computer used only in the evening or at the weekend indicate that the target is at home.

The number of devices registered under an account is even easier to determine: the key servers of WhatsApp and Signal assign sequential numbers, with 0 or 1 denoting the “main device”. Higher numbers are additional devices, which the attacker can therefore also tell apart.

However, series of delivery confirmations are required to gain this knowledge. A single measurement says at most whether the device is online. Wouldn’t the victim notice being buried under an avalanche of messages? No, because it is possible to send specially structured messages to WhatsApp and Signal users that trigger delivery confirmations but are not displayed on the end device. The researchers used alternative implementations of the applications.

So an attacker can send a long series of silent “pings” to a target of whom he knows only the phone number or the user name, without the target noticing. At least the Signal infrastructure has installed a limit of one message every two seconds; WhatsApp did not have any rate limiting. Close observation is thus possible over long periods.
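The following server-side sketch is an added example, not code from the researchers, Signal or WhatsApp. It shows why a per-pair spacing of two seconds (the limit the article reports for Signal) still lets a long probe series through, and how a budget per sender/recipient pair over a longer window catches it. The class name, the window length, the budget and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MIN_INTERVAL_S = 2.0   # per-pair spacing the article reports for Signal
WINDOW_S = 600.0       # assumption: look-back window for sustained series
MAX_PER_WINDOW = 60    # assumption: receipt-triggering messages allowed per window


class ReceiptProbeGuard:
    """Hypothetical guard tracking receipt-triggering messages per (sender, recipient)."""

    def __init__(self):
        self._accepted = defaultdict(deque)  # pair -> timestamps of accepted messages

    def check(self, sender, recipient, ts):
        """Return 'allow', 'throttle' (sent too soon) or 'flag' (sustained series)."""
        times = self._accepted[(sender, recipient)]
        while times and ts - times[0] > WINDOW_S:
            times.popleft()                  # forget messages outside the window
        if times and ts - times[-1] < MIN_INTERVAL_S:
            return "throttle"
        if len(times) >= MAX_PER_WINDOW:
            return "flag"                    # spacing respected, but budget exhausted
        times.append(ts)
        return "allow"


def replay(events):
    """Run (sender, recipient, ts) events through a guard; count verdicts per pair."""
    guard = ReceiptProbeGuard()
    counts = defaultdict(lambda: {"allow": 0, "throttle": 0, "flag": 0})
    for sender, recipient, ts in events:
        counts[(sender, recipient)][guard.check(sender, recipient, ts)] += 1
    return {pair: dict(c) for pair, c in counts.items()}


# Constructed sample traffic: "prober" sends exactly every 2 s for 10 minutes,
# "burst" sends 5 messages 0.5 s apart, "friend" sends 3 ordinary messages.
SAMPLE = (
    [("prober", "target", 2.0 * i) for i in range(300)]
    + [("burst", "target", 0.5 * i) for i in range(5)]
    + [("friend", "target", t) for t in (10.0, 95.0, 400.0)]
)

if __name__ == "__main__":
    for pair, verdicts in replay(SAMPLE).items():
        print(pair, verdicts)
```

The prober is never throttled by the two-second rule alone; only the window budget marks its series, while the ordinary sender is unaffected.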

