A recent discovery by a PhD student of Northeastern University has revealed a potential vulnerability in text messaging that could expose smartphone users' location to hackers.
A woman uses a smartphone and a mobilephone in front of a laptop on April 3, 2019, in Abidjan. - According to the figures of the platform of the fight against cybercrime (PLCC) of the national police, nearly one hundred crooks of the internet, were arrested in 2018 in Ivory Coast, a country known for its scammers on the web, has announced on April 2, 2019 the Ivorian authority of regulation of the telephony
Sophisticated Machine Learning
PhD student in cybersecurity at Northeastern Evangelos Bitsikas and his research group employed a sophisticated machine-learning program to analyze data from the traditional SMS system, which has been used since the early 1990s and identified this concerning flaw.
Bitsikas explained that the vulnerability lies in the automated delivery notification feature of SMS. When a text message is sent, the recipient's phone automatically responds with a delivery notification.
By sending multiple text messages to a target phone, a hacker could leverage the timing of these automated replies to triangulate the user's location. What's worrying is that this could occur even if the user's communications are encrypted, according to the researchers.
"Just by knowing the phone number of the user victim and having normal network access, you can locate that victim," Bitsikas said in a statement. "Eventually, this leads to tracking the user to different locations worldwide."
Read Also: FeverPhone: This App Will Transform Your Smartphone Into a Thermometer Without Invasive Hardware
Location Fingerprint
The research demonstrated that the timing of each automated notification creates a location fingerprint. Using machine learning, the research group developed an algorithm capable of detecting and predicting these fingerprints.
With just the target's phone number and normal network access, an attacker could track the user's movements worldwide. So far, the vulnerability has primarily been observed in Android operating systems.
Although there's no evidence of it being exploited currently, Bitsikas cautioned that advanced attackers with ample resources could leverage this flaw to locate individuals such as government leaders, activists, and CEOs who value their privacy.
"The procedure might be difficult to scale. The attacker will need to have Android devices in multiple locations sending messages every hour and calculating the responses. The collection itself can take days or weeks depending on how many fingerprints the attacker wants to collect," Bitsikas noted.
Bitsikas emphasized that fixing this issue is not as straightforward as a software patch for smartphones. Instead, it necessitates a significant overhaul of the SMS infrastructure worldwide.
As a result, closing the window of opportunity for hackers to exploit this vulnerability might take considerable time and effort. In light of these findings, Bitsikas plans to continue his research to further explore and address this concerning vulnerability in smartphone systems.
The findings of the team were published in the journal arXiv.
Related Article: Daily Charging, Battery Below 5%, and Charging with a Phone Case Could Permanently Damage Owners' Smartphone Battery
