Side-Channel Vulnerability in WhatsApp and Signal Enables Covert Phone Activity Tracking

Based on the information provided, a recently disclosed proof of concept (PoC) demonstrates a side-channel vulnerability in WhatsApp and Signal that allows attackers to covertly track the activity of a target phone. The attack is said to leverage variations in the round-trip time (RTT) of silent acknowledgments to infer the state of the target device. Specifically, the method involves sending probe reactions to invalid message IDs and measuring the RTT of the acknowledgments. By analyzing these timing variations, attackers can reportedly deduce information such as whether the phone's screen is on or off, or if the phone is online or offline. Notably, this tracking method does not generate any visible messages or notifications on the target device, making it particularly stealthy and difficult to detect. The open-source code and associated research paper are mentioned to provide detailed technical insights into the attack mechanism. This vulnerability, if confirmed, underscores the importance of considering side-channel attacks in the design and implementation of secure messaging applications. From a technical standpoint, the attack appears to exploit the inherent timing differences in message processing based on the target device's state. For cybersecurity professionals, this serves as a reminder of the evolving threat landscape and the need for continuous monitoring and mitigation of side-channel vulnerabilities. Users of WhatsApp and Signal should be aware of this potential privacy risk and consider additional security measures, such as using a VPN or limiting the exposure of their phone numbers. However, as the undersigned has not been able to verify the details from the provided URL, the above analysis is based solely on the information provided in the message. Readers are advised to refer to the original article for complete and accurate information.