With modern technology it is getting more and more easy to track someone. There are many apps, devices etc that allow a target to be tracked in near realtime by someone. This can be done using an App on your phone, find my phone functionality, family phone track etc etc. As someone who is worried about getting tracked they can disable GPS, get a new dumb phone that doesn’t support GPS etc which can mitigate the threat to a large extent. Unfortunately, now there is a new attack surface that allows an attacker to approximately locate a target with up to 96% accuracy.
Researchers have figured out how to deduce the location of an SMS recipient by analyzing timing measurements from typical receiver location. Basically they measure the time elapsed between sending a SMS and the receipt of the Delivery report and then use a ML model to predict the location area where the target could be located. The other advantage of this attack is that it doesn’t require any specialized equipment or access to restricted systems but can be executed via a simple smartphone.
Short Message Service (SMS) remains one of the most popular communication channels since its introduction in 2G cellular networks. In this paper, we demonstrate that merely receiving silent SMS messages regularly opens a stealthy side-channel that allows other regular network users to infer the whereabouts of the SMS recipient. The core idea is that receiving an SMS inevitably generates Delivery Reports whose reception bestows a timing attack vector at the sender. We conducted experiments across various countries, operators, and devices to show that an attacker can deduce the location of an SMS recipient by analyzing timing measurements from typical receiver locations. Our results show that, after training an ML model, the SMS sender can accurately determine multiple locations of the recipient. For example, our model achieves up to 96% accuracy for locations across different countries, and 86% for two locations within Belgium. Due to the way cellular networks are designed, it is difficult to prevent Delivery Reports from being returned to the originator making it challenging to thwart this covert attack without making fundamental changes to the network architecture.
The biggest problem with this method is that it doesn’t depend on any software or anything that needs to be installed on the target phone. You just need a phone that supports SMS, which is pretty much all phones in the market. There is an option to disable delivery reports which would mitigate the threat to an extent but is an opt-out setup rather than an opt-in. One way to reduce this vector would be for manufacturers to disable the delivery report by default and folks who need it can enable it from settings instead of the other way round which is the case right now.
Source: HackerNews: Freaky Leaky SMS: Extracting user locations by analyzing SMS timings
Full Paper: Freaky Leaky SMS: Extracting User Locations by Analyzing SMS Timings
– Suramya
