SMS delivery reports not only let the sender know about the message receipt, but can also leak the recipient’s location. This is what researchers have demonstrated in their recent study, showing how receiving a silent SMS message triggers a side-channel attack, letting the sender deduce the recipient’s location via message timings.
Retrieving Location Data Via SMS Delivery Reports
Researchers from different universities teamed up to devise a novel side-channel attack, exposing users’ location via SMS.
According to the details shared in their research paper, the attack method involves exploiting the SMS delivery reports. Using the stats obtained from these message timings, a sender can determine the recipient’s location across different countries with up to 96% accuracy.
About the attack
This attack primarily involves exploiting the GSMA network’s underlying weaknesses that drive the SMS message technology. Since it typically affects GSMA, this side-channel attack impacts almost all cellular networks across the globe.
SMS enticed the researchers for this study, given its popularity among the masses as a 2G communication method, despite the presence of 3G and 4G communication alternatives. The researchers observed that the inevitable SMS Delivery Reports generated upon receiving an SMS message trigger a timing-attack vector.
If a sender has enabled SMS Delivery Reports, knowing the timings of message delivery and calculating the time lapse during message sending and receiving can help the sender determine the recipient’s location. Since SMS Delivery Reports feature works beyond the recipient’s control, the recipient user cannot prevent the malicious use of this feature.
The technique basically leverages the timing signatures for a certain location. An adversary can collect various timing signatures by sending SMS messages to the target user at different timings and locations. Analyzing them later can let the sender deduce the receiver’s location.
Conducting this attack merely requires the adversary to know the target user’s mobile phone number. While tedious, a careful collection and analysis of these timing signatures can even empower the adversary to determine a previously unknown or new location of the target user. This works regardless of whether the user is in a domestic location or overseas. The time lapse between SMS sending and delivery can help here.
Attack Limitations And Countermeasures
While the researchers achieved much accuracy while performing this side-channel attack, it still has some limitations. That’s because numerous factors may impact the empirical measurements in a real-world exploit. Nonetheless, the yet-achievable >90% accuracy, even in a closed-world scenario, still poses a privacy threat.
Regarding the countermeasures, the researchers explained that the existing countermeasures to prevent related attacks do not apply on this novel side-channel attack. To tackle UE processing delays, possible countermeasures include not sending Delivery Reports or manipulating them with a random delay.
As for the network-based delays, altering SMS timings, deploying spamming filters on the core network, or at least disabling silent messages can help minimize the potentialities of such attacks. Nonetheless, disabling the delivery reports feature can be the only viable countermeasure.
Before making this study public, the researchers responsibly disclosed the matter to the GSMA. In turn, GSMA acknowledged their findings (identified as CVD-2023-0072) and considered numerous countermeasures.
Let us know your thoughts in the comments.
