To content
Researchers Detect Security Gap

Delivery Confirmation in Messenger Apps Reveals Recipient’s Location

-
in
  • Top News
  • Research
Various icons of messenger apps can be seen on a display. © Thomas Ulrich​/​Pixabay
From the time interval between the appearance of a delivery confirmation on messenger apps, it is possible to determine the location of the target phone under certain conditions.

An international research group led by Dr. Theodor Schnitzler from TU Dortmund University has detected a vulnerability in messenger services: It is possible to distinguish different locations of a person in your contact list by measuring how long it takes until a message is delivered. The results of the paper, which has already been peer-reviewed, have now been published as a preprint and will be presented at an international symposium in the USA next spring.

WhatsApp, Threema and Signal users are familiar with the following procedure: After sending a message, it is marked with a check mark. As soon as the message has reached its recipient, a second check mark appears as confirmation. Under certain conditions, however, the time span between the first check mark appearing and then the second one can be used to establish where the target cell phone is located, as a research team led by Dr. Theodor Schnitzler has discovered.

Data traffic analyzed by software

Dr. Schnitzler began his research work on this topic during his doctoral degree at Ruhr-Universität Bochum (RUB) and completed it at the Research Center Trustworthy Data Science and Security of the University Alliance Ruhr at TU Dortmund University. During a stay in Abu Dhabi, he and his international colleagues noticed that it took longer than usual until a Messenger message sent to Germany was marked as received with the second check mark. To study this phenomenon, they connected a smartphone to laptop software that sent a message every ten seconds to recipient cell phones in Germany, the Netherlands, Greece and the United Arab Emirates, and then analyzed the data traffic that occurred.

Portrait of Dr. Theodor Schnitzler © Martina Hengesbach​/​TU Dortmund
Dr. Theodor Schnitzler is conducting research at the Research Center Trustworthy Data Science and Security of the University Alliance Ruhr at TU Dortmund University.

They discovered that there was a characteristic time span until the delivery confirmation arrived – depending on the destination country. With this information, they were able to determine in reverse and with an accuracy of 74% (Signal and WhatsApp) and 84% (Threema) in which of these countries the recipient device was located. In a second step, the researchers repeated the experiment on a local level and sent messages via the software to smartphones in various cities and towns in the Ruhr region. Here, too, they were able to measure a characteristic delivery time depending on the location and then determine the location of the recipient cell phone with an accuracy of over 90% in some cases. It is also possible to read very reliably from the data whether the receiving device is in a WLAN network or using mobile internet.

Profile of a person must be known

However, the data can only be interpreted with prior knowledge. "It is not possible to establish distances by measuring time," explains Schnitzler. In addition, messenger apps only send delivery confirmation if the recipient has saved the sender's cell phone number in their contacts, meaning that it is not possible to identify the previously unknown locations of just any cell phone number using this method. "But if you already know where the smartphone is usually located – for example because you know where a person lives, works or goes to the gym – you can use software to measure the characteristic time span until the delivery confirmation is sent and find out later whether the person concerned is in one of those places by sending them a message."

In certain situations, the method could nevertheless pose a safety risk, for example in the context of stalking.

Schnitzler and his co-researchers Katharina Kohls (Radboud University, Netherlands) and Evangelos Bitsikas and Christina Pöpper (New York University Abu Dhabi) will present their paper in spring 2023 at the prestigious Network and Distributed System Security (NDSS) Symposium in San Diego, USA. In it, they already suggest ways to eliminate the vulnerability: For example, the delivery confirmation could be given a random time delay in the range of a few seconds, which prevents the sender from establishing the recipient's location. Or the messenger services could provide their users with the option to switch off delivery confirmations entirely. Threema has already announced that it plans to check the issue.

Link to the preprint

Contact for inquiries:

Cafeteria menus

Location & approach

The campus of TU Dort­mund University is located close to interstate junction Dort­mund West, where the Sauerlandlinie A 45 (Frankfurt-Dort­mund) crosses the Ruhrschnellweg B 1 / A 40. The best interstate exit to take from A 45 is “Dort­mund-Eichlinghofen” (closer to South Campus), and from B 1 / A 40 “Dort­mund-Dorstfeld” (closer to North Campus). Signs for the uni­ver­si­ty are located at both exits. Also, there is a new exit before you pass over the B 1-bridge leading into Dort­mund.

To get from North Campus to South Campus by car, there is the connection via Vogelpothsweg/Baroper Straße. We recommend you leave your car on one of the parking lots at North Campus and use the H-Bahn (suspended monorail system), which conveniently connects the two campuses.

TU Dort­mund University has its own train station (“Dort­mund Uni­ver­si­tät”). From there, suburban trains (S-Bahn) leave for Dort­mund main station (“Dort­mund Hauptbahnhof”) and Düsseldorf main station via the “Düsseldorf Airport Train Station” (take S-Bahn number 1, which leaves every 15 or 30 minutes). The uni­ver­si­ty is easily reached from Bochum, Essen, Mülheim an der Ruhr and Duisburg.

You can also take the bus or subway train from Dort­mund city to the uni­ver­si­ty: From Dort­mund main station, you can take any train bound for the Station “Stadtgarten”, usually lines U41, U45, U 47 and U49. At “Stadtgarten” you switch trains and get on line U42 towards “Hombruch”. Look out for the Station “An der Palmweide”. From the bus stop just across the road, busses bound for TU Dort­mund University leave every ten minutes (445, 447 and 462). Another option is to take the subway routes U41, U45, U47 and U49 from Dort­mund main station to the stop “Dort­mund Kampstraße”. From there, take U43 or U44 to the stop “Dort­mund Wittener Straße”. Switch to bus line 447 and get off at “Dort­mund Uni­ver­si­tät S”.

The AirportExpress is a fast and convenient means of transport from Dortmund Airport (DTM) to Dortmund Central Station, taking you there in little more than 20 minutes. From Dortmund Central Station, you can continue to the university campus by interurban railway (S-Bahn). A larger range of international flight connections is offered at Düsseldorf Airport (DUS), which is about 60 kilometres away and can be directly reached by S-Bahn from the university station.

The H-Bahn is one of the hallmarks of TU Dort­mund University. There are two stations on North Campus. One (“Dort­mund Uni­ver­si­tät S”) is directly located at the suburban train stop, which connects the uni­ver­si­ty directly with the city of Dort­mund and the rest of the Ruhr Area. Also from this station, there are connections to the “Technologiepark” and (via South Campus) Eichlinghofen. The other station is located at the dining hall at North Campus and offers a direct connection to South Campus every five minutes.

The facilities of TU Dortmund University are spread over two campuses, the larger Campus North and the smaller Campus South. Additionally, some areas of the university are located in the adjacent “Technologiepark”.

Site Map of TU Dortmund University (Second Page in English).