Evangelos Bitsikas, who is pursuing a PhD in cybersecurity at the Northwestern University in the US, applied a new machine-learning program to data gleaned from the SMS system of mobile devices.
Receiving an SMS inevitably generates Delivery Reports whose reception bestows a timing attack vector at the sender. Bitsikas developed an ML model enabling the SMS sender to determine the recipient’s location with a 96% accuracy for locations across different countries, the researcher says in a study.
The basic idea is that a hacker would send multiple text messages to the target phone, and the timing of each automated delivery reply creates a fingerprint of the target’s location. These fingerprints have ever been there but weren’t a problem until Bitsikas’ group used ML to develop an algorithm capable of reading them. They can be fed into the machine-learning model, which then responds with the predicted location.
According to the researcher, it doesn’t matter whether or not the communication is encrypted.
This is unlikely to work for internet messaging services. If you’re finding the location of the phone based on the location of the tower that delivers the message to the phone, the analogous part in modern internet messaging services would be a cloud server in a cloud data center hub. There are few of these in the world, so even if you could narrow it down that way, you’d end up with vague locations like “western North America” or “Europe”.
Additionally, the routing of messages in internet messaging services is usually not so sophisticated. You can only tell the difference between sending a message to somebody from their east and sending a message to somebody from their west if the message is taking a different route to get to the user based on the physical direction. If the path of the message is always sender->infrastructure->central database->infrastructure->receiver, you change only change the sender->infrastructure and maybe the infrastructure->central db latency. Without being able to change the path the message takes back out of the system to the target, you can’t gain any useful information.
It should work with direct IP networking, but for locating IP addresses we already have location databases and traceroute so it wouldn’t be necessary. Maybe it could work if there was a pseudo p2p service where clients connect to the nearest Cloudflare edge compute node or something and then the nodes connect directly between each other at the IP layer, because in that case you would be going through sufficiently sophisticated internet routing but the target’s IP wouldn’t be available for a less sophisticated and more accurate approach.