A recent study conducted by university researchers presents a fresh side-channel attack dubbed “Freaky Leaky SMS”. This attack technique exploits SMS delivery report timings to infer the location of the message recipient.
The mechanics behind the attack
SMS delivery reports are managed by the mobile network’s short message service center (SMSC). These reports indicate whether a message has been delivered, accepted, failed, undeliverable, expired, or rejected. Despite inherent delays due to routing, network node propagation, and processing, mobile networks’ fixed nature and distinct physical characteristics result in predictable timings when following standard signal pathways.
The team of researchers built a machine learning algorithm that scrutinizes these response timings, enabling it to deduce the recipient’s location. The accuracy of this deduction process was found to be as high as 96% for locations across different countries and up to 86% for two locations within the same country.
Preparing for the attack
An attacker looking to exploit this vulnerability would need to collect specific measurement data to establish firm correlations between the SMS delivery reports and the target’s known locations. This data collection phase involves the attacker sending numerous SMS messages to the target, either disguised as marketing messages or as “type 0” silent SMS messages, which do not trigger notifications on the recipient’s device but are still acknowledged by the SMSC.
The researchers conducted extensive tests, sending a barrage of silent SMS messages to various test devices across multiple countries and analyzing the timing of the SMS delivery reports.
Execution and results of the experiment
The research centered on “closed world” attack scenarios, referring to the classification of the target’s location among predefined ones. The model demonstrated high accuracy in differentiating between domestic and overseas locations, performing reasonably well even within the same region. However, the accuracy significantly depends on the location, operator, and conditions.
In “open world” scenarios where the target visits unknown locations, adapting the prediction model would be more complex, requiring the use of probability outputs, anomaly detection, and the inclusion of landmarks in the ML training dataset. The scale of such an attack would be considerably larger, extending beyond the current study’s scope.
The implications of this study
While the attack does demand extensive preparatory work and does not work perfectly under all circumstances, it does pose a potential privacy risk. The research paper’s co-author, Evangelos Bitsikas, told BleepingComputer that the experiment treated them as baseline attackers, limited in resources, machine learning knowledge, and technical capacity. He noted that more sophisticated attackers could theoretically cause more damage, and potentially succeed in open-world scenarios.
The research team had previously developed a similar timing attack demonstrating that users of popular instant messengers such as Signal, Threema, and WhatsApp could be located using message reception reports.
Future directions and potential countermeasures
This study sheds light on the potential privacy risks and vulnerabilities in our seemingly mundane communication methods. It points towards the need for more secure protocols and privacy-preserving measures in mobile networks to protect users’ location data. It also opens the door for future research into potential countermeasures and improved security systems against such attacks.
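To make the mechanism described above concrete, and to show why the countermeasures this section calls for matter, here is an added example that is not code from the researchers or the paper: a nearest-centroid classifier over constructed delivery-report timings, in the “closed world” setting, together with a simulated network-side countermeasure that holds each delivery report for a random extra delay. Every timing profile, location name and jitter value below is constructed for the illustration and is not a measurement from the study.

```python
"""Added illustration (not the paper's code): a nearest-centroid classifier
over constructed SMS delivery-report timings, and the effect of a
network-side countermeasure that adds random delay to each report.
All timing profiles and jitter values are constructed for this example."""
import random
import statistics

# Constructed profiles: (mean_ms, stddev_ms) of the delivery-report
# round-trip as seen by the sender, one per candidate location.
# The point is only that each location has a distinct, stable timing.
LOCATION_PROFILES = {
    "home_city_a": (2100.0, 60.0),
    "home_city_b": (2350.0, 60.0),
    "abroad": (4200.0, 90.0),
}


def observed_timing(rng, location, jitter_ms):
    """One delivery-report timing for a recipient at `location`.

    `jitter_ms` models a hypothetical countermeasure in which the network
    holds each delivery report for a random extra delay in [0, jitter_ms]."""
    mean, sd = LOCATION_PROFILES[location]
    return rng.gauss(mean, sd) + rng.uniform(0.0, jitter_ms)


def train_centroids(rng, jitter_ms, n_per_location=200):
    """'Closed world' training: the mean observed timing of each known
    location, learned from constructed samples."""
    return {
        loc: statistics.mean(
            [observed_timing(rng, loc, jitter_ms) for _ in range(n_per_location)]
        )
        for loc in LOCATION_PROFILES
    }


def classify(centroids, timing):
    """Assign a timing to the location whose centroid is closest."""
    return min(centroids, key=lambda loc: abs(centroids[loc] - timing))


def closed_world_accuracy(jitter_ms=0.0, probes_per_decision=1,
                          n_test=200, seed=7):
    """Fraction of test decisions that recover the true location.

    `probes_per_decision` models a sender that averages several
    delivery-report timings before deciding, which is how a countermeasure
    has to be evaluated: against repeated probing, not a single message."""
    rng = random.Random(seed)
    centroids = train_centroids(rng, jitter_ms)
    correct = 0
    total = 0
    for loc in LOCATION_PROFILES:
        for _ in range(n_test):
            probe = statistics.mean(
                [observed_timing(rng, loc, jitter_ms)
                 for _ in range(probes_per_decision)]
            )
            correct += classify(centroids, probe) == loc
            total += 1
    return correct / total


if __name__ == "__main__":
    for jitter in (0.0, 3000.0):
        for k in (1, 25):
            print(f"jitter={jitter:6.0f} ms, probes averaged={k:3d}: "
                  f"accuracy={closed_world_accuracy(jitter, k):.2f}")
```

With no added delay the three constructed locations separate almost perfectly, which is the situation the article describes. Randomly delaying each report by up to a few seconds pulls accuracy down toward guessing, but a sender that averages many probes recovers part of the signal, so any real delivery-report jitter would have to be sized against the volume of messages an attacker is willing to send, not against a single probe.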
We would love to know what our esteemed readers think about this revelation. Do you find the findings alarming, or do you consider them a part of our digital reality? Please share your thoughts with us in the comments section below!