A Ph.D. student at Northeastern University, Evangelos Bitsikas, has recently discovered a potential vulnerability in text messaging.
His research group has revealed that hackers could use it to track user location just by knowing their phone number.
New smartphone vulnerability discovered
Bitsikas and his team have applied a sophisticated machine-learning program to data from the SMS system that was used in texting in the 90s.
When you receive a text message, the sender automatically receives a notification, which acts as a receipt of delivery.
Relying on this, an attacker could send you multiple SMSes and use the timing of the automated notifications to learn where you are at that moment.
This is because the timing of it leaves a fingerprint of your location. It does so even when your communications are encrypted.
Using machine learning, the research team has created an algorithm that can use those fingerprints to detect the receiver’s location.
However, the researchers found no evidence that cybercriminals have used this scheme so far. One of the reasons for this may be that operations like this may be difficult to scale.
The attacker would need to send the victim texts from multiple locations and calculate all notifications they receive. This could take a lot of time and be expensive to carry out.
Still, Bitsikas sees no reason why a deep-pocketed hacker group wouldn’t be able to pull it off.
With such a big threat on the horizon, users are wondering what will happen after this discovery.
Bitsikas is afraid that the vulnerability could be difficult to deal with. It wouldn’t be enough to just release a patch for smartphone devices. Instead, it would take a large overhaul of the SMS infrastructure worldwide to fix it.
He also said that he and his team have limited resources and lack the data science expertise to learn all about the problem.
Still, they’ve already had their research verified by the Global System for Mobile Communications (GSMA).
The organization has acknowledged the findings and confirmed that this error could be difficult to tackle. It said this is due to the costs and effort it would take to create a complete countermeasure.
However, the GSMA said it will apply some fixes that will make it even more difficult to carry out such an attack.
Next, Bitsikas and his group will present their research formally at the 32nd USENIX Security Symposium. The event will take place in Anaheim, California between August 9 and August 11.
For users who fear that hackers may already be exploiting the vulnerability, using a VPN app to prevent location tracking is a good idea. Most services come with extra security features that help keep personal information safe.
There’s no doubt many smartphone users are waiting for more information on the topic and we will continue to follow it.