Careless Whisper: Your delivery receipts in WhatsApp and Signal reveal your location and activity
We live under the impression that by using messengers like WhatsApp or Signal, our privacy is almost absolutely protected. After all, the keyword "end-to-end encryption" (E2EE) acts like a soothing balm. While the content of our conversations does remain unreadable to outsiders, metadata (information about how and when we use the app) can still leak in large quantities.
Recent research conducted by a team from the University of Vienna and SBA Research sheds new light on the dangers stemming from a feature we all ignore: message delivery receipts. We are talking about those characteristic double gray "ticks" (or circles in Signal) that inform the sender that the message has reached the recipient's device.
It turns out that these innocent technical notifications can be weaponized against us in an attack the researchers dubbed "Careless Whisper".
What is "Careless Whisper"?
Most users know that "read receipts" (blue ticks) can be disabled to avoid the pressure of replying immediately. However, delivery receipts (confirmation that the server passed the message to the phone) cannot be turned off: they are an integral part of the protocol, necessary to maintain encryption key consistency.
Researchers discovered a way to force the victim's phone to send such a receipt "silently." Normally, when someone sends us a message, the phone vibrates or makes a sound. This alerts the victim that something is happening. However, the researchers found loopholes in the handling of so-called control messages. For example, an attacker can send a reaction (emoji) to a non-existent message, or a modified message, that will be received, processed, and confirmed by the victim's app via a technical delivery report, but will not display any notification on the screen.
This allows the attacker to "ping" the victim's phone with high frequency (even every second) while remaining completely unnoticed.
What can be read from "gray ticks"?
By analyzing the time elapsed from sending the ping to receiving the receipt (RTT – Round Trip Time), a cybercriminal can create a terrifyingly accurate profile of the victim's behavior. Here is what this side channel reveals:
- Are you looking at the screen: When the smartphone is idle (screen off), the processor slows down, and power-saving systems put network processes to sleep. The response to a ping takes longer (e.g., over 1 second). When the user is actively using the phone (screen on), the response is instantaneous. This allows a stalker or employer to know exactly when you are using your phone, even in the middle of the night.
- Are you using the messenger: The researchers were able to distinguish moments when the user specifically has the WhatsApp or Signal app open versus when they are using other phone functions.
- Location and connection type: Response times differ significantly depending on whether the victim is using home Wi-Fi or a cellular network (LTE/5G). A sudden change in latency characteristics might suggest leaving home or arriving at the office.
- Tracking multiple devices: Both WhatsApp and Signal support multi-device mode. Each connected device (e.g., a laptop with WhatsApp Web) sends its own receipt. An attacker can see when you turn on your computer, when you close your laptop lid, and even what operating system you are using, based on the order of received packets.
"Spooky Stranger" and Battery Drain
The worst news is who can conduct such an attack. In the case of WhatsApp and Signal, one does not need to be on the victim's contact list. Just knowing their phone number is enough. The researchers term this scenario "Spooky Stranger". This means anyone with your number can monitor your digital circadian rhythm.
Furthermore, the same mechanism can be turned into a resource-exhaustion attack. By mass-sending "silent" packets that force the phone to constantly process cryptographic data, an attacker can drastically impact the victim's device performance. In tests, they managed to drain the battery by 15-18% in just one hour and consume over 13 GB of data traffic, which can be catastrophic for those with limited data plans. The victim only sees a rapidly depleting battery and a heating phone, unaware they are under attack.
What do the app creators say?
The report is alarming as it concerns billions of users. Of the three messengers examined (WhatsApp, Signal, Threema), only Threema proved resistant to the "Spooky Stranger" attack, because it defaults to rejecting certain packets from people outside the contact list and does not send receipts in the same way.
WhatsApp and Signal were informed about the flaws. Meta (owner of WhatsApp) acknowledged the report, but by the time of the paper's publication (October/November 2024), the issue had not been fully resolved. Signal implemented some rate limiting, which hinders battery-draining attacks, but user profiling is still possible at lower sampling frequencies.
As users, we are in a difficult position. We cannot disable delivery receipts, and blocking numbers works only after the fact, when we already know who is attacking (and in this case, the attack is invisible). We are left waiting for security patches that will introduce random delays in sending receipts, which would blur the precise timing measurements necessary for this attack.
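To make the side channel from the "gray ticks" section and the two mitigations discussed here (rate limiting and randomized receipt delay) concrete, below is an added simulation. It is not code from the paper, WhatsApp or Signal; the idle/active delays, the network noise, the fixed-window rate limiter and the `ReceiptPolicy` class are all constructed assumptions. A simulated client answers one silent ping per second in an "active" (screen on) and an "idle" (screen off) state, and the evaluation reports how many receipts an observer gets back and how well a single RTT threshold can tell the two states apart (1.0 means perfectly separable, 0.5 means the receipts carry no usable information).

```python
import random
from dataclasses import dataclass

# Constructed, assumed device-side delays (ms) between receiving a silent
# control message and emitting the delivery receipt. They are not the paper's
# measurements; they only reproduce the kind of idle/active gap the article
# describes (screen off -> slow, screen on -> fast).
BASE_DELAY_MS = {"active": 50.0, "idle": 1200.0}
NETWORK_NOISE_SD_MS = 20.0   # assumed Gaussian network jitter


@dataclass
class ReceiptPolicy:
    """Hypothetical client-side receipt policy (not any app's real code).

    max_per_window: receipts answered per sender within each fixed window
                    (0 = unlimited, i.e. the behaviour the article describes)
    window_s:       window length in seconds
    jitter_max_ms:  uniform random delay added before each receipt is sent
    """
    max_per_window: int = 0
    window_s: float = 60.0
    jitter_max_ms: float = 0.0


class Receiver:
    """Simulated victim client that answers silent pings with delivery receipts."""

    def __init__(self, policy, rng):
        self.policy = policy
        self.rng = rng
        self._counts = {}   # (sender, window index) -> receipts already sent

    def _allow(self, sender, now):
        # Fixed-window counter per sender; an assumption, not Signal's scheme.
        if self.policy.max_per_window == 0:
            return True
        key = (sender, int(now // self.policy.window_s))
        if self._counts.get(key, 0) >= self.policy.max_per_window:
            return False
        self._counts[key] = self._counts.get(key, 0) + 1
        return True

    def handle_ping(self, sender, now, state):
        """Process one silent control message received at time `now` (seconds).

        Returns the RTT the sender would observe (ms), or None when the
        policy suppresses the receipt.
        """
        if not self._allow(sender, now):
            return None
        rtt = BASE_DELAY_MS[state] + self.rng.gauss(0.0, NETWORK_NOISE_SD_MS)
        rtt += self.rng.uniform(0.0, self.policy.jitter_max_ms)   # randomized delay
        return rtt


def best_threshold_accuracy(active_rtts, idle_rtts):
    """Best accuracy any single RTT threshold achieves at telling the two
    states apart; 1.0 = distributions do not overlap, 0.5 = no information."""
    labelled = sorted([(r, 0) for r in active_rtts] + [(r, 1) for r in idle_rtts])
    n_active, n_idle = len(active_rtts), len(idle_rtts)
    total = n_active + n_idle
    below_active = below_idle = 0
    best = n_idle / total          # threshold below every sample
    for _, is_idle in labelled:    # sweep the threshold upward one sample at a time
        if is_idle:
            below_idle += 1
        else:
            below_active += 1
        correct = below_active + (n_idle - below_idle)
        best = max(best, correct / total)
    return best


def evaluate(policy, pings=600, interval_s=1.0, seed=7):
    """Fire `pings` one-per-second pings at an active and at an idle device and
    report receipts obtained per state and how separable the two states are."""
    rng = random.Random(seed)
    rtts = {}
    for state in ("active", "idle"):
        receiver = Receiver(policy, rng)
        answered = [receiver.handle_ping("stranger", i * interval_s, state)
                    for i in range(pings)]
        rtts[state] = [r for r in answered if r is not None]
    return {
        "receipts_per_state": len(rtts["active"]),
        "accuracy": best_threshold_accuracy(rtts["active"], rtts["idle"]),
    }


if __name__ == "__main__":
    for name, policy in [
        ("no mitigation", ReceiptPolicy()),
        ("rate limit only", ReceiptPolicy(max_per_window=5)),
        ("rate limit + 2 s jitter", ReceiptPolicy(max_per_window=5, jitter_max_ms=2000.0)),
    ]:
        print(f"{name:24s} {evaluate(policy)}")
```

Two things the simulation shows that the prose only states: rate limiting alone cuts the observer's sample rate (50 receipts per ten minutes instead of 600 under these assumptions) but leaves every remaining receipt just as informative, which matches the article's remark that profiling survives at lower sampling frequencies; and a random delay only blurs the measurement when its range is larger than the idle/active gap it is meant to hide, so a jitter of a few hundred milliseconds would leave the 1 s gap assumed here fully visible.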
Aleksander
About the Author

Chief Technology Officer at SecurHub.pl
PhD candidate in cognitive neuroscience. Psychologist and IT expert specializing in cybersecurity.