Three billion WhatsApp users are at risk - an expert has developed a tool that could spy on everyone, and you would never know about it
I’ve read the article - but what can an attacker actually DO using this technique? Drain battery? The article mentions ‘tracking’, but in what way?
I guess that it could also be used to compare different people. Do they have fast and slow connections at about the same time? Then they might be spending time together.
This is clearly not for mass espionage, but at least a theoretical approach to confirm a suspicion.
It could be for mass espionage just by retaining metadata in a database and running continual analysis of it.
Then you’d start to see patterns and associations, so you know where to dig deeper.
If you want “mass surveillance” with thousands of suspects, millions of requests per subject (the paper mentions 20 requests per second IIRC), over weeks … you probably get blocked and/or caught.
Also, your suspects will be “significantly unhappy” if your espionage costs them 11-18% of their battery per hour. Even without other usage, the battery would be dead by noon.
And lastly, this attack uses so much bandwidth that video streaming is impacted. I would guess that it probably needs about 1 MBit, which is 11 GB per 24 hours.
The article states patterns could be drawn from response times. Fast response times could indicate a high-availability, low-latency network (such as being at home), whereas longer response times could indicate the phone is away from that network, whether on the road or at a store or business, etc.
Bit too much FUD here.
Traditional antivirus software does not detect protocol-level misuse.
I don’t think it ever did… you’d be looking for a (N)IDS for that function
I don’t use either application, but I suspect that most of this theory could be used on Jabber clients too…
It’s a novel way to do recon, but you’d already need to know much more about a target to be able to use the data.
But… good to know about.
My phone has the exact symptoms described in this article… I don’t like this…
You can mitigate (but not entirely stop) the technique by going to WhatsApp Settings, selecting Privacy, going to Advanced, and enabling “Block unknown account messages”, and also by disabling read receipts.
You could also uninstall the app and see if your battery usage reduces, or check your phone’s battery usage statistics to see whether WhatsApp is using a lot of it.
Battery draw? There are other explanations that are far more likely.
Isn’t WhatsApp owned by Meta?
Shit… I can’t imagine anything that would prevent a service provider or government from doing this all the time to everyone.
A service provider has no reason to do this. They see you moving around all the time. They can likely determine your location as close as a few hundred meters.
It’s not just about location, you can figure out usage habits this way:
These response times vary depending on whether a phone is active, idle, offline, connected to WiFi, or using mobile data.
Stable and fast responses can suggest that a device is actively used at home, while slower or inconsistent timings may indicate movement or weaker connectivity.
Over extended periods, these patterns can reveal daily routines, sleep schedules, and travel behavior without accessing message content or contact lists.
With a baseline of your normal usage behavior, I can start to build prediction patterns for what you’ll do and when, and then start analyzing deviations from your normal usage. If I do this for an entire service network I can then start to link up people with similar behavior patterns and build relationship webs.
That kind of information would be relatively easy to sell to advertising businesses. For example, if I’m pushing ad notifications on personal devices (Amazon) then I might want to know what times of day a user is most likely to view and interact with my ad notification. That might be information I’d be willing to buy from a service provider.
The potential uses for such information get darker from there - things like government agencies tracking the behavior of critics and progressives and building relationship profiles for them.
Given the usage patterns and location tracking and credit card and banking records for a given individual, I can pretty much understand their entire life.
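The comment above, together with the earlier remark that spotting protocol-level misuse is an IDS job rather than an antivirus job, points at what a client-side check could look like. The following is an added example, not code from the thread or from the article it discusses: a rate-based detector over a constructed, hypothetical log of inbound message events that flags any sender whose event rate within a one-second window is far above ordinary conversation, and records whether that sender is a known contact (the “block unknown account messages” mitigation mentioned earlier in the thread). The log format, the window size and the threshold are assumptions.

```python
"""Rate-based detector for receipt-probing bursts (hypothetical log format)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions: a one-second window and a threshold well below the ~20 events
# per second the thread mentions, but far above human messaging rates.
WINDOW = timedelta(seconds=1)
THRESHOLD = 10


def parse_event(line):
    """Parse a constructed log line: '<ISO timestamp> <sender> <event>'."""
    ts, sender, event = line.split()
    return datetime.fromisoformat(ts), sender, event


def build_sample_log():
    """Constructed sample input: a normal contact plus one probing sender."""
    base = datetime(2025, 1, 1, 9, 0, 0)
    lines = []
    # A known contact sending three ordinary messages over a minute.
    for i in range(3):
        stamp = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{stamp} alice msg")
    # An unknown sender emitting 20 receipt-triggering events per second
    # for three seconds (placeholder sender id, not a real account).
    for i in range(60):
        stamp = (base + timedelta(milliseconds=50 * i)).isoformat()
        lines.append(f"{stamp} unknown_sender msg")
    return lines


def probe_alerts(lines, contacts, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per sender whose peak events-per-window >= threshold."""
    per_sender = defaultdict(list)
    for line in lines:
        ts, sender, _ = parse_event(line)
        per_sender[sender].append(ts)

    alerts = []
    for sender, stamps in per_sender.items():
        stamps.sort()
        recent = deque()  # timestamps inside the current sliding window
        peak = 0
        for ts in stamps:
            recent.append(ts)
            # Drop events that fell out of the window ending at ts.
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            alerts.append({
                "sender": sender,
                "peak_per_window": peak,
                "known_contact": sender in contacts,
            })
    return alerts


if __name__ == "__main__":
    for alert in probe_alerts(build_sample_log(), contacts={"alice"}):
        print(alert)
```

A real client would run this over its own inbound event stream rather than a text log, and the sensible response to an alert is the one the thread already names: drop or block the unknown sender, not silently keep acknowledging it.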
I suspect they already are doing this.