***Threema:** Source of the Android client documents how delivery receipts are consolidated before they leave the device, explaining why the side channel has negligible bandwidth there.
+
***Turnkey PoCs:** public projects such as `device-activity-tracker` and `careless-whisper-python` already automate silent delete/reaction probes and RTT classification. Treat them as ready-made reconnaissance helpers rather than protocol references; the interesting part is that they confirm the attack is operationally simple once raw client access exists.
When custom tooling is unavailable, you can still trigger silent actions from WhatsApp Web or Signal Desktop and sniff the encrypted websocket/WebRTC channel, but raw APIs remove UI delays and allow invalid operations.
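Review bot: the two PoC names in the `Turnkey PoCs` bullet (`device-activity-tracker`, `careless-whisper-python`) are given without repository links, unlike the Threema bullet and the entries under References, so a reader cannot verify that they "already automate silent delete/reaction probes and RTT classification"; add the project URL (or owner) next to each name and say which messengers each one targets, since the bullet asserts that the attack is "operationally simple once raw client access exists" without stating where that raw client access comes from for each tool.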
@@ -89,6 +90,17 @@ When custom tooling is unavailable, you can still trigger silent actions from Wh
2. Build simple classifiers (thresholding or two-cluster k-means) that label each RTT as "active" or "idle". Aggregate labels into streaks to derive bedtimes, commutes, work hours, or when the desktop companion is active.
3. Correlate simultaneous probes towards every device to see when users switch from mobile to desktop, when companions go offline, and whether the app is rate limited by push vs persistent socket.
+
## Location inference from delivery RTT
+
+
The same timing primitive can be repurposed to infer where the recipient is, not just whether they are active. The `Hope of Delivery` work showed that training on RTT distributions for known receiver locations lets an attacker later classify the victim's location from delivery confirmations alone:
+
+
* Build a baseline for the same target while they are in several known places (home, office, campus, country A vs country B, etc.).
+
* For each location, collect many normal message RTTs and extract simple features such as median, variance, or percentile buckets.
+
* During the real attack, compare the new probe series against the trained clusters. The paper reports that even locations within the same city can often be separated, with `>80%` accuracy in a 3-location setting.
+
* This works best when the attacker controls the sender environment and probes under similar network conditions, because the measured path includes the recipient access network, wake-up latency, and messenger infrastructure.
+
+
Unlike the silent reaction/edit/delete attacks above, location inference does not require invalid message IDs or stealthy state-changing packets. Plain messages with normal delivery confirmations are enough, so the tradeoff is lower stealth but wider applicability across messengers.
+
## Stealthy resource exhaustion
Because every silent probe must be decrypted and acknowledged, continuously sending reaction toggles, invalid edits, or delete-for-everyone packets creates an application-layer DoS:
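Review bot: the `>80%` accuracy claim in the "During the real attack" bullet of the new "Location inference from delivery RTT" section is attributed only to "the paper", and the section names the work as `Hope of Delivery` in code formatting without linking it; point that mention at the References entry (or inline the URL) and state the conditions under which the figure was measured, because the last bullet already concedes that results depend on the attacker's sender environment and on the recipient's access network and wake-up latency. Two preconditions the bullets imply but never state should also be made explicit: the baseline step needs ground-truth labels for where the target actually was when each RTT series was collected ("several known places"), and the probes are plain messages that the recipient sees, which is what the "lower stealth" trade-off in the closing paragraph refers to.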
@@ -100,9 +112,11 @@ Because every silent probe must be decrypted and acknowledged, continuously send
## References
-[Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers](https://arxiv.org/html/2411.11194v4)
+
-[Hope of Delivery: Extracting User Locations From Mobile Instant Messengers](https://www.ndss-symposium.org/wp-content/uploads/2023-188-paper.pdf)
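Review bot: the added `Hope of Delivery` entry gives only a title and a PDF URL; for a consistent reference list add venue and year (the path `2023-188-paper.pdf` on ndss-symposium.org indicates NDSS 2023) and do the same for the existing Careless Whisper entry (arXiv identifier `2411.11194`, i.e. November 2024). Also, both entries start with `-[` with no space after the dash; if the dash is meant as a Markdown list marker it needs to be `- [` to render as a list item, otherwise it shows up as literal text in front of the link.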