Evangelos Bitsikas, who is pursuing a PhD in cybersecurity at the Northwestern University in the US, applied a new machine-learning program to data gleaned from the SMS system of mobile devices.

Receiving an SMS inevitably generates Delivery Reports whose reception bestows a timing attack vector at the sender. Bitsikas developed an ML model enabling the SMS sender to determine the recipient’s location with a 96% accuracy for locations across different countries, the researcher says in a study.

The basic idea is that a hacker would send multiple text messages to the target phone, and the timing of each automated delivery reply creates a fingerprint of the target’s location. These fingerprints have ever been there but weren’t a problem until Bitsikas’ group used ML to develop an algorithm capable of reading them. They can be fed into the machine-learning model, which then responds with the predicted location.

According to the researcher, it doesn’t matter whether or not the communication is encrypted.

  • interolivary@beehaw.org
    link
    fedilink
    arrow-up
    53
    ·
    1 year ago

    So it’s not actually a smartphone vulnerability as much as it is an SMS (or any other similar system with delivery receipts) vulnerability? Your old brick of a Nokia phone would have this same problem

    • Kazumara@feddit.de
      link
      fedilink
      arrow-up
      20
      ·
      1 year ago

      Yes, especially since the delivery report is generated by the SMCS, not the end device.

    • 0x815@feddit.deOP
      link
      fedilink
      arrow-up
      5
      arrow-down
      16
      ·
      1 year ago

      So it’s not actually a smartphone vulnerability as much as it is an SMS vulnerbility?

      It indeed is, that’s right. I changed the headline. Thanks.