Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers

Gabriel K. Gegenhuber, Maximilian Günther, Markus Maier, Aljosha Judmayer, Florian Holzbauer, Philipp É. Frenzel, Johanna Ullrich

TL;DR

The paper demonstrates that delivery receipts in popular mobile messengers can be exploited as timing side channels to infer precise device activity and multi-device usage, even for strangers who know only a phone number. It introduces stealth probing methods using message reactions that trigger receipts without user notifications, enabling high-frequency monitoring and potential resource exhaustion. The authors analyze WhatsApp and Signal (and Threema) across iOS/Android and multi-device setups, showing that an attacker can fingerprint the operating system, count devices, and track screen time and app activity, backed by real-world measurement. They propose mitigations such as restricting receipts to real conversations, adding timing noise, rate limiting, and improved client validation, and highlight the need to balance usability with privacy in E2EE designs.

Abstract

With over 3 billion users globally, mobile instant messaging apps have become indispensable for both personal and professional communication. Besides plain messaging, many services implement additional features such as delivery and read receipts informing a user when a message has successfully reached its target. This paper highlights that delivery receipts can pose significant privacy risks to users. We use specifically crafted messages that trigger delivery receipts allowing any user to be pinged without their knowledge or consent. By using this technique at high frequency, we demonstrate how an attacker could extract private information such as the online and activity status of a victim, e.g., screen on/off. Moreover, we can infer the number of currently active user devices and their operating system, as well as launch resource exhaustion attacks, such as draining a user's battery or data allowance, all without generating any notification on the target side. Due to the widespread adoption of vulnerable messengers (WhatsApp and Signal) and the fact that any user can be targeted simply by knowing their phone number, we argue for a design change to address this issue.
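The four mitigations listed in the TL;DR, combined into one client-side receipt gate. This is an added example, not code from the paper or from any messenger; the class name, the per-minute budget, the jitter window, and the rule that a reaction must reference a stored message are assumptions made for illustration.

```python
import random
from dataclasses import dataclass, field

@dataclass
class ReceiptPolicy:
    """Hypothetical client-side gate: decides if and when a delivery receipt is sent."""
    contacts: set                        # senders with an existing conversation
    known_message_ids: set               # ids of messages this client has stored
    max_per_minute: int = 6              # assumed per-sender receipt budget
    jitter_range_s: tuple = (0.5, 3.0)   # assumed noise window in seconds
    rng: random.Random = field(default_factory=random.SystemRandom)
    _recent: dict = field(default_factory=dict)  # sender -> receipt timestamps

    def decide(self, sender, kind, ref_id, now):
        """Return (send_receipt, delay_seconds, reason) for one incoming item."""
        # 1. Receipts only inside real conversations, never for strangers.
        if sender not in self.contacts:
            return (False, 0.0, "unknown-sender")
        # 2. Validation (assumed rule): a reaction must target a stored message.
        if kind == "reaction" and ref_id not in self.known_message_ids:
            return (False, 0.0, "invalid-reference")
        # 3. Rate limit: sliding 60-second window per sender.
        window = [t for t in self._recent.get(sender, []) if now - t < 60.0]
        self._recent[sender] = window
        if len(window) >= self.max_per_minute:
            return (False, 0.0, "rate-limited")
        window.append(now)
        # 4. Timing noise: a random delay decouples receipt RTT from device state.
        return (True, self.rng.uniform(*self.jitter_range_s), "ok")


def demo():
    """Run constructed traffic through the policy and return the reasons."""
    policy = ReceiptPolicy(contacts={"alice"}, known_message_ids={"m1"},
                           max_per_minute=2)
    traffic = [  # constructed sample: (sender, kind, referenced id, time in s)
        ("mallory", "reaction", "m1", 0.0),
        ("alice", "reaction", "does-not-exist", 0.5),
        ("alice", "message", "m2", 1.0),
        ("alice", "reaction", "m1", 2.0),
        ("alice", "message", "m3", 3.0),
        ("alice", "message", "m4", 62.5),
    ]
    return [policy.decide(*item)[2] for item in traffic]


if __name__ == "__main__":
    print(demo())
```

The jitter source defaults to `random.SystemRandom` so the added delay cannot be predicted and subtracted by the party measuring round-trip times.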

Paper Structure

This paper contains 34 sections, 14 figures, 8 tables.

Figures (14)

  • Figure 1: Round-trip times (RTT) of delivery receipts, which are $\le1$ second for Screen On states and $>1$ second and above for Screen Off states measured on an iPhone using WhatsApp with a sampling rate of 1 Hz.
  • Figure 2: Simplified depiction of client-fanout for Multi-Device-Support: Alice's message is sent to all of Bob's devices as well as her desktop device. Each message copy is individually encrypted. The recipient devices inform Alice's device of the successful decryption via delivery receipts.
  • Figure 3: A device's online status can be consistently and stealthily monitored with second-based granularity, possibly leaking the user's location and daily routines.
  • Figure 4: WhatsApp Screen On/Off: Measured with low frequency (1 ping per 20 s), RTTs make it possible to differentiate between inactive and active screen states.
  • Figure 5: WhatsApp Use: RTTs are 350 ms if the application is active (foreground). If minimized, RTTs become 500 ms for 30 s before eventually returning to 1 s screen on as typical for long-term app standby.
  • ...and 9 more figures