
Side-Channel Attack "Careless Whisper" Enables Tracking of Phone Activity via WhatsApp and Signal
A researcher has demonstrated a proof of concept (PoC) for a side-channel attack named "Careless Whisper," which allows tracking of a device's activity status (such as screen on/off, offline status) through WhatsApp and Signal. The technique involves sending probe reactions via an unofficial API and measuring the round-trip time (RTT) of silent receipts to infer usage patterns, including network type (Wi-Fi vs. mobile data) and sleep states. This method does not trigger any notifications or visible messages on the target device, although it does result in slight increases in data usage and battery consumption. The researcher notes that the same approach is effective against Signal.

Technically, this attack exploits variations in RTT to deduce the state of the target device. The reliance on an unofficial API suggests that access control and monitoring of such interfaces could be potential mitigation strategies.

The privacy implications of this attack are significant, as it allows for the inference of user activity patterns without their knowledge or consent. While the attack does not involve direct data exfiltration, the ability to track usage patterns could be exploited for surveillance purposes.

For cybersecurity professionals, this underscores the importance of considering side-channel attacks in threat modeling and risk assessments. It also highlights the need for transparency and user education regarding potential privacy risks associated with messaging applications. However, the full details and implications of this attack may not be entirely clear from the provided information. Further analysis of the original research would be necessary to fully understand the scope and potential countermeasures.
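
The summary names monitoring of the messaging interface as a possible mitigation. The following is an added example, not code from the researcher or from either messaging service: a server-side check that flags sender/recipient pairs whose reaction rate stays far above ordinary use. The event tuple layout, the window length, the threshold and the account names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

WINDOW_S = 60        # assumed sliding-window length in seconds
MAX_REACTIONS = 20   # assumed ceiling for reactions per pair inside one window


def find_probe_pairs(events, window_s=WINDOW_S, max_reactions=MAX_REACTIONS):
    """Return {(sender, recipient): peak reactions per window} for pairs over the ceiling.

    events: iterable of (timestamp_s, sender, recipient, kind) tuples, where kind
    is "message" or "reaction" (hypothetical log schema).
    """
    recent = defaultdict(deque)   # per-pair timestamps still inside the window
    flagged = {}
    for ts, sender, recipient, kind in sorted(events):
        if kind != "reaction":
            continue              # only reactions produce the silent receipts described
        pair = (sender, recipient)
        window = recent[pair]
        window.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while ts - window[0] > window_s:
            window.popleft()
        if len(window) > max_reactions:
            flagged[pair] = max(flagged.get(pair, 0), len(window))
    return flagged


def constructed_events():
    """Constructed sample traffic: one ordinary contact, one sustained prober."""
    ordinary = [(t, "alice", "bob", "reaction") for t in (10, 900, 2400)]
    ordinary += [(t, "alice", "bob", "message") for t in (5, 890)]
    # One reaction every 2 seconds for 5 minutes, with no visible messages.
    prober = [(t, "mallory", "bob", "reaction") for t in range(0, 300, 2)]
    return ordinary + prober


if __name__ == "__main__":
    for pair, peak in find_probe_pairs(constructed_events()).items():
        print(f"{pair[0]} -> {pair[1]}: {peak} reactions within {WINDOW_S}s")
```

A per-pair count is used rather than a per-sender total so that a busy but ordinary account is not flagged for reacting across many different chats.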