"Careless Whisper" side-channel attack affects WhatsApp and Signal
39 points by jeremiahlee
Ok, that’s why this functionality is required and cannot be artificially delayed. But no mention of why the client is ack’ing reactions to messages that don’t exist on its end, or at least reporting them to the server after some threshold so abusers can be detected.
Yeah, these sorts of attacks are inevitable in any low latency network service.
I do think that we need to be more proactive about spam and degrade privacy protections based on heuristics. I agree with you that client side detection and automatic reporting of this behavior would be an appropriate privacy trade-off and effective mitigation in this case.
However, purely client side heuristics for more complex cases can be easy to bypass because spammers have access to those filters too. For example, Matrix struggles with child porn spamming and any client side image scanning service can be trivially bypassed. Instead, new messages from new accounts (for example) could be blurred and the user prompted to enable external scanning (at least for the first few messages).
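The client-side detection that the two comments above describe, as an added example (not code from WhatsApp, Signal or the paper): a hypothetical client-side check that refuses to acknowledge reactions or edits that reference a message it does not have, counts such events per sender in a sliding window, and flags the sender for reporting once a threshold is crossed. The class and function names, the threshold and the sample traffic are all assumptions constructed for the example.

```python
"""Client-side detector for receipt probing via references to unknown messages.

Added example, not code from any real messenger. Assumes a hypothetical client
that, for every incoming event that would normally trigger an automatic
receipt (message, reaction, edit), can check whether the referenced message id
exists locally.
"""
from collections import defaultdict, deque


class ProbeDetector:
    def __init__(self, threshold=5, window_seconds=60.0):
        self.threshold = threshold          # unknown-target events before flagging
        self.window = window_seconds        # sliding window length in seconds
        self._events = defaultdict(deque)   # sender -> timestamps of unknown-target events
        self.flagged = set()                # senders to report to the server

    def should_ack(self, sender, target_msg_id, now, known_ids):
        """Return True if the client should send a receipt for this event.

        References to unknown message ids are never acknowledged, so a prober
        gets no timing signal from them; they are only counted, and the sender
        is flagged once the count in the window reaches the threshold.
        Flagged senders get no receipts at all until the user decides otherwise.
        """
        if target_msg_id in known_ids:
            return sender not in self.flagged
        q = self._events[sender]
        q.append(now)
        while q and now - q[0] > self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.flagged.add(sender)
        return False


def run_demo():
    """Constructed sample traffic: one legitimate sender, one sender that reacts
    to message ids the client has never seen."""
    known = {"m1", "m2"}
    det = ProbeDetector(threshold=3, window_seconds=60.0)
    results = [det.should_ack("alice", "m1", 0.0, known)]          # legitimate: True
    for i, t in enumerate([1.0, 2.0, 3.0]):
        results.append(det.should_ack("prober", f"ghost-{i}", t, known))  # False each time
    return det, results


if __name__ == "__main__":
    det, results = run_demo()
    print("receipts sent:", results)
    print("flagged senders:", sorted(det.flagged))
```

The important design choice is that the unknown-target event is silently dropped rather than acknowledged and then reported: reporting alone still leaks the timing signal on every probe up to the threshold.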
Probably because they want to achieve low latency / low computational overhead. However I would argue making it transparent when this is happening would also solve the issue. Based on that info one could take additional steps.
From that response:
It's great to see one of the authors of the paper acknowledging some of the limitations with the approaches that have been presented.
Yet, I don't see the author acknowledging any limitation whatsoever above that response. This is textbook public relations damage control bullshit to me.
This illustrates one of the reason I dislike and distrust Signal. Yes, it's much better than the other centralised alternatives, no doubt about it. But its top-down, selfhosting-adverse, corporatey approach is bound to enshittification. Yes, they are a non-profit, for now, and it seems to work fine with benefactors' dollars — some of which are technofascists, which should be a red flag IMHO. Wasn't OpenAI some sort of non-profit too (maybe it still is?)? Did that guarantee alignment with the public interest?
Yet, I don't see the author acknowledging any limitation whatsoever above that response.
In the immediately preceding post the author said this:
Force a specific distribution of receipts on the client side (as discussed here). This will not be perfect, but it would have an immediate effect by making it much harder in practice to extract useful information from receipts.
and:
Keep in mind, this will not be a solution against the various "is online" side-channels, but make it harder for an attacker to extract more information from receipts.
I think that's pretty clearly acknowledging there are limitations to these solutions.
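What "force a specific distribution of receipts on the client side" looks like in practice, as an added example (not code from the paper's author, Signal or WhatsApp): a small simulation comparing a hypothetical client that sends the receipt as soon as the message is processed (so the delay tracks whether the app is in the foreground, in the background or the device is locked) against one that holds every receipt until a fixed floor plus state-independent jitter has elapsed. The per-state latencies, the floor and jitter values and the function names are assumptions constructed for the example, not measurements from the paper.

```python
"""Receipt timing shaping: naive vs. fixed-distribution send delay.

Added example, not code from any real messenger. All latency numbers below
are constructed for illustration.
"""
import random
import statistics

# Constructed sample: seconds a hypothetical client needs to process an
# incoming message before it could emit a delivery receipt, per device state.
STATE_LATENCY = {"foreground": 0.05, "background": 0.40, "locked": 1.20}


def naive_receipt_delay(state, rng):
    """Receipt is sent the moment processing finishes, so the observed delay
    is a direct function of device state."""
    return STATE_LATENCY[state] + abs(rng.gauss(0.0, 0.01))


def shaped_receipt_delay(state, rng, floor=1.5, jitter=0.5):
    """Receipt is held until `floor` plus jitter drawn independently of state.

    The floor must exceed the worst-case processing time; if it does not,
    the slow states still show through in the tail of the distribution
    (hence the max() below), which is why this is a mitigation, not a fix.
    """
    raw = naive_receipt_delay(state, rng)
    scheduled = floor + rng.uniform(0.0, jitter)
    return max(raw, scheduled)


def mean_delay_gap(delay_fn, n=2000, seed=1):
    """Absolute difference in mean observed delay between 'foreground' and
    'locked'. Near zero means receipt timing no longer distinguishes them."""
    rng = random.Random(seed)
    fg = [delay_fn("foreground", rng) for _ in range(n)]
    lk = [delay_fn("locked", rng) for _ in range(n)]
    return abs(statistics.fmean(fg) - statistics.fmean(lk))


if __name__ == "__main__":
    print(f"naive  foreground/locked gap: {mean_delay_gap(naive_receipt_delay):.3f} s")
    print(f"shaped foreground/locked gap: {mean_delay_gap(shaped_receipt_delay):.3f} s")
```

The cost is visible in the numbers: every receipt is now delayed by at least the floor, which is exactly the latency trade-off the author's response points at. Shaping also does nothing against the "is online" side channels mentioned in the quoted reply, since the receipt still arrives eventually.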
top-down, selfhosting-adverse
This is also a reason I dislike Signal. But we also should not let the perfect be the enemy of the good. Signal has gained significant mindshare among "regular" users, and is many many times better than the centralised alternatives for many reasons.
It seems to work fine with benefactors' dollars — some of which are technofascists, which should be a red flag IMHO
I don't know who you're referring to specifically, but I think in USA tech VC circles there seems to be a strong aspect of groupthink (with a strong whiff of opportunism, paying lip service to the current administration). In other words, you'd be hard pressed to find VCs who are not ostensibly "technofascists".
Note for moderators: I submitted with non-clickbait title. The article's title is "Free spy tool can track 3 billion WhatsApp users, drain batteries and data limits".
So you can see if someone is engaged with your conversation and this is a timing attack of some kind? Based on routing I guess this would leak no more information than the number of hops between you and your conversation partner.
Does anybody remember when things like Tinder were publishing exact distance information between people allowing triangulation? They solved it by essentially chopping off the more detailed bits in the lat-longs they used for that calculation, plus minor additional obfuscation. This side channel, by comparison, probably can't tell you which country your conversation partner is even in without significant additional resources.
It doesn't have to be your conversation, it tells you if the app is open, or if the device is locked or not. From that you can deduce when the victim wakes up or goes to sleep, for example.
Adding to cosarara's comment, it's also possible to distinguish between different network connections.
E.g., if your home and work wi-fi have different RTT distributions, you can figure out where they are. Or if the variance jumps up in a certain time period, maybe they were traveling and switching towers a bunch (dunno precisely how mobile timing is)?