
How to Protect Your Location Information on WhatsApp

While WhatsApp is encrypted end-to-end, your location can be determined from WhatsApp delivery notifications. In this article, I’ll tell you how the attack works and how you can protect your location info.

At a Glance

WhatsApp is a secure messaging app that uses end-to-end encryption to ensure that only the sender and the intended recipient can view a message. End-to-end encryption is enabled by default in WhatsApp, meaning no one other than you and the person you’re messaging with can read the message, not even Meta, which owns WhatsApp.

Unfortunately, not everything related to WhatsApp is so well protected. This article will concentrate on one of these unprotected bits of information, the ability to discover your location with a high level of accuracy. I will explain how this method of locating you works, and what you can do to protect yourself while using WhatsApp.

How Can My Location Be Exposed on WhatsApp?

Security researchers in 2022 discovered a method of determining the location of WhatsApp users by using a carefully crafted timing attack. The method in question has a high accuracy rate.

Attackers send the targeted user a message and measure the time it takes to be received based on the message delivery notification sent to the attacker.

No matter which device you use, WhatsApp is vulnerable to this timing attack. This is due to the way mobile networks and messaging server infrastructure are configured, which determines the path a message will take for delivery. This results in predictable delays in delivery according to the location of the targeted user.

So, exploiting this method, I can send you a WhatsApp message and then track how long it takes to receive the delivery notification for it. (I time the delivery notification, not the read notification, because the read notification depends on when the recipient reads the message, which can vary wildly.) Once I know how long the message took to be received, I can calculate the distance the message traveled to reach you.

As you might imagine, you must be able to time the message being received with great accuracy in order to properly calculate distance. Luckily (or unluckily for victims), you can easily measure the timing by running a packet capture application like Wireshark.

To make use of the timing data, the bad actors first need to establish a baseline for comparison. The attacker must message the targeted user when they’re at a known location, for example sending a message when they know the target is at home, and then determine how long it takes to receive the delivery notification. Those steps must be repeated when the targeted user is at work, the grocery store, and other known locations.

Once the calibration data has been collected, the bad actors can use the information to determine a target’s location, even when the attacker doesn’t already know where they are. They can do this by timing the notifications, and then matching that timing against the list of known locations and their timing.

The researchers determined that the above timing attack could allow bad actors to determine the target’s city or country, no matter if they are connected to a 4G/5G cellular network or have a WiFi connection.

What Are the Dangers of Location Tracking?

It’s more than a little bit scary that a “secure and private” messaging app could be vulnerable to what amounts to a simple timing attack. Think of it as the virtual version of counting “one-one-thousand, two-one-thousand, three-one-thousand” when you see a lightning bolt, stopping only when you hear the thunder. Unfortunately, bad actors could use your location information to cause a significant number of problems.

Having your location revealed can also reveal information about how you live your life. This makes location data some of the most valuable information that can be collected and sold to data vendors.

Just some of the possible dangers of location tracking include:

  • Stalking
  • Theft
  • Domestic abuse
  • Blackmail
  • Swatting
  • Doxxing

As you can see from the list above, a bad actor can track your movements over time, making you vulnerable to all kinds of attacks.

Is This WhatsApp Attack as Easy as it Sounds?

Luckily, this attack cannot be pulled off by simply sending a message to a targeted individual and using a stopwatch to measure the time it takes to receive a delivery notification.

First of all, this attack cannot be launched by a random stranger. The bad actor must have previously messaged with the target on WhatsApp for the attack to work.

The attacker must also use a packet capture application – like Wireshark – to discern which network packets are connected to the delivery notification (the packets can be identified by their structure pattern or by their size).

Once the attacker identifies the packets, they can attempt to match the response time to the various known locations of the user by referencing the calibration data they have previously collected.

How Can I Prevent Someone From Determining My Location?

There are ways to foil this type of attack, and the mitigation measures can be performed either on the server side (WhatsApp developers) or on the client side (WhatsApp users).

Server-Side Defenses Against the WhatsApp Attack

During testing of this scheme, researchers found that occasionally the target’s smartphone would idle, which affected the timing of the delivery notices and negated that specific timing attempt.

This led to a recommendation to developers to randomize the amount of time that it would take for the sender to receive a delivery notification. By picking a random amount of time between 1 and 20 seconds, the timing attack was rendered impotent, while still providing a delivery notification.
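To see why the randomized delay works, the simulation below (an added example, not code from the researchers or WhatsApp) compares matching a timing against a calibration table with and without a random hold of 1 to 20 seconds. The location names, timings and jitter are constructed values, and the function names are hypothetical.

```python
import random

# Constructed calibration table: mean time (ms) until the delivery
# notification arrives for each known location. Illustrative values only.
BASELINES_MS = {"home": 180.0, "work": 230.0, "abroad": 420.0}
NETWORK_JITTER_MS = 15.0  # assumed natural variation (standard deviation)


def notification_time_ms(location, rng, hold_range_s=None):
    """Simulate when the sender sees the delivery notification."""
    t = rng.gauss(BASELINES_MS[location], NETWORK_JITTER_MS)
    if hold_range_s is not None:
        # Mitigation: hold the notification for a random time.
        t += rng.uniform(*hold_range_s) * 1000.0
    return t


def nearest_baseline(sample_ms, offset_ms=0.0):
    """Match a timing against the calibration table (closest mean wins)."""
    return min(BASELINES_MS,
               key=lambda loc: abs(BASELINES_MS[loc] + offset_ms - sample_ms))


def matching_accuracy(hold_range_s=None, trials=3000, seed=1):
    """Fraction of trials where timing alone picks the true location."""
    rng = random.Random(seed)
    locations = list(BASELINES_MS)
    # Worst case for the defender: the observer knows the hold range and
    # subtracts its average before matching.
    offset = 0.0 if hold_range_s is None else sum(hold_range_s) / 2 * 1000.0
    hits = 0
    for _ in range(trials):
        truth = rng.choice(locations)
        sample = notification_time_ms(truth, rng, hold_range_s)
        hits += nearest_baseline(sample, offset) == truth
    return hits / trials


if __name__ == "__main__":
    print(f"no added delay:     {matching_accuracy():.2f}")
    print(f"1-20 s random hold: {matching_accuracy((1, 20)):.2f}")
```

With three candidate locations, a result near 0.33 means the timings carry no more information than a guess.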

Client-Side Defenses Against the WhatsApp Attack

While a smartphone user could usually foil a location discovery attack by simply disabling location services on their device, that won’t help block an attack like this. However, there is a way to affect the results of a timing attack like the one I’ve been describing: using a VPN while communicating over WhatsApp.

By using a VPN with WhatsApp, you will add latency to your connection, throwing off the timing calculations used by the attackers, thus making it nearly impossible to determine your location. While there are several VPNs you could use for this purpose, I strongly recommend you use NordVPN, or one of the VPNs I have tested with WhatsApp.

I recommend connecting to a VPN server located on the other side of your current country. Or, you could even connect to a VPN server located in another country. This will add plenty of latency to your connection, throwing off the timing of delivery notifications to a greater degree.

Changing servers periodically will also throw off an attack. If you connect to a server in Atlanta, then later on you connect to one located in the United Kingdom, you’re going to add plenty of randomness to the timing data the bad guys collect.


In Conclusion

Now that we’ve taken a look at how a timing attack can reveal your location while using WhatsApp, you’re forewarned, which is forearmed. We’ve also taken a look at how you can easily foil such an attack by using a VPN to insert timing delays in the delivery notification process.

Remember, no app or operating system is completely secure. However, by taking a few extra steps to protect yourself and your devices, you can better keep the bad actors
