• Max-P
    2
    11 months ago

    Closing the vulnerability would require an overhaul of the global SMS system, Bitsikas says.

    Would it really be that hard to add a 200-1000ms random delay before sending the receipt and making statistical analysis moot?

    Carriers could easily even delay the forwarding of the receipt to aim for constant-time. Probably not a trivial software update, but I wouldn’t call it a major overhaul.

    Timing attacks aren’t exactly new.
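To see what the two proposals in this comment (a random 200-1000 ms delay versus constant-time forwarding) actually do to a delivery-receipt timing attack, here is a small simulation. It is an added example written for this thread, not code from the paper or from anyone in it; the latency figures, the two candidate locations and the attacker's nearest-centroid classifier are all constructed assumptions.

```python
"""Toy model of SMS delivery-receipt timing fingerprinting and two carrier-side
countermeasures: random per-receipt delay versus constant-time forwarding.

Constructed example for this thread. The latency numbers are assumptions,
not measurements from the paper.
"""
import random
import statistics

# Assumed mean receipt round-trip times (ms) for two places the target might be.
LOCATION_MEANS_MS = {"home": 1200.0, "office": 1380.0}
NETWORK_NOISE_SD_MS = 60.0   # assumed per-message network jitter
DEADLINE_MS = 2500.0         # assumed constant-time forwarding deadline


def raw_rtt(location, rng):
    """Receipt RTT before any countermeasure: location-dependent mean plus noise."""
    return rng.gauss(LOCATION_MEANS_MS[location], NETWORK_NOISE_SD_MS)


# --- countermeasures the carrier could apply before forwarding the receipt ---

def no_mitigation(rtt, rng):
    return rtt


def random_delay(rtt, rng, low_ms=200.0, high_ms=1000.0):
    """Add an independent uniform delay (the 200-1000 ms proposal)."""
    return rtt + rng.uniform(low_ms, high_ms)


def constant_time(rtt, rng, deadline_ms=DEADLINE_MS):
    """Hold the receipt until a fixed deadline. Timing then carries no signal,
    unless the network itself exceeds the deadline (which would leak again)."""
    return max(rtt, deadline_ms)


def observe(location, mitigation, rng):
    return mitigation(raw_rtt(location, rng), rng)


def nearest_centroid(probe, centroids, rng):
    """Attacker's classifier: choose the fingerprinted location whose mean RTT
    is closest to the mean of the probe samples; exact ties are broken randomly."""
    m = statistics.fmean(probe)
    best = min(abs(m - c) for c in centroids.values())
    candidates = [loc for loc, c in centroids.items() if abs(m - c) == best]
    return rng.choice(candidates)


def attack_accuracy(mitigation, n_train=50, n_probe=20, trials=300, seed=1):
    """Fraction of trials in which the attacker guesses the true location.

    Phase 1 (fingerprinting): n_train receipts from each known location.
    Phase 2 (attack): n_probe receipts from an unknown location, classified
    against the fingerprints. 0.5 means no better than a coin flip.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        centroids = {
            loc: statistics.fmean(observe(loc, mitigation, rng) for _ in range(n_train))
            for loc in LOCATION_MEANS_MS
        }
        truth = rng.choice(list(LOCATION_MEANS_MS))
        probe = [observe(truth, mitigation, rng) for _ in range(n_probe)]
        hits += nearest_centroid(probe, centroids, rng) == truth
    return hits / trials


if __name__ == "__main__":
    for name, mitigation in [("none", no_mitigation),
                             ("random 200-1000 ms delay", random_delay),
                             ("constant-time forwarding", constant_time)]:
        for n_probe in (5, 20, 100):
            acc = attack_accuracy(mitigation, n_probe=n_probe)
            print(f"{name:26s} probes={n_probe:3d} attacker accuracy={acc:.2f}")
```

Under this model the random delay only raises the attacker's cost: its mean is the same for every location, so averaging more probes recovers the fingerprint. Padding every receipt to a fixed deadline removes the signal entirely, as long as the deadline is above the real worst-case latency.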

  • @[email protected]
    1
    11 months ago

    Interesting. I guess using a mobile hotspot, and using your phone without its SIM card with WiFi on, connected to the hotspot, would protect against this.

    • @[email protected]
      2
      11 months ago

      A mobile hotspot is effectively just a mobile without a screen. It would only provide protection from this exploit if SMS was fully disabled.

      • @[email protected]
        2
        11 months ago

        The hotspot would have its own SIM card, not the one that was in your phone. The one in your phone was removed in this case. The number of the hotspot is not known to the attacker, and the phone can still be used for calls and texts via Signal or WhatsApp or whatever.

    • @[email protected]
      1
      11 months ago

      But then you won’t get any SMSes. A better option would be to use a second Android device with your main SIM, and use call forwarding and an SMS proxy app. Or you could get a virtual number online, and give that number out to people, and keep your main number private.

    • @[email protected]
      2
      11 months ago

      It’s not that serious.

      “The procedure might be difficult to scale. The attacker will need to have Android devices in multiple locations sending messages every hour and calculating the responses. The collection itself can take days or weeks depending on how many fingerprints the attacker wants to collect.

      “Not only are the collection and the analysis difficult, but then you have also the problem of sufficiently and appropriately configuring the machine-learning model, which is related to deep learning.”

      The concern, says Bitsikas, is that a deep-pocketed organization could exploit the flaw to locate government leaders, activists, CEOs and others who desire to keep their whereabouts private.

      TL;DR: this requires a big infrastructure, planning, and an ML model tailored specifically towards you, which means this only really affects big targets like public figures, who wouldn’t be using SMS in the first place if they valued privacy.