Neither WhatsApp nor Signal is “broken” in the core aspect users typically associate with security: end-to-end encryption still protects the message content. However, the latest security community alert serves as a reminder of the most common Achilles’ heel in messaging apps: metadata and, in this case, timing.
The news gained traction after the appearance on GitHub of a proof of concept (PoC) that implements ideas from the academic paper Careless Whisper, developed by researchers affiliated with the University of Vienna and SBA Research. The goal of the PoC is to show that by measuring the round-trip time (RTT) of certain internal acknowledgments — those technical responses that keep the app functioning and syncing states — it’s possible to deduce whether a device is active, idle, or offline. In the medium term, the danger isn’t just “reading messages,” but reconstructing patterns: schedules, routines, and windows of activity.
The problem isn’t the “seen”: it’s the signal left by the infrastructure
In popular culture, privacy on WhatsApp is often discussed around the “blue double check.” However, academic work emphasizes that the most sensitive vector isn’t the read confirmation but the delivery reports, which cannot be disabled due to protocol design decisions. The paper argues that, with messages or interactions carefully crafted to generate “silent” acknowledgments, an attacker could “ping” a user without generating an obvious notification. From there, the clock does the rest: variations in milliseconds can become a useful signal to classify the device’s state.
In the related public presentation, the researchers illustrate a key point: when the phone is in use (screen on), acknowledgments tend to be sent more promptly; when in idle mode (screen off), measurable delays appear. In environments with multiple devices (mobile and web/desktop clients), the research also suggests that session coexistence can provide even more observational surface.
From theory to impact: low-friction surveillance and resource drain
The discussion becomes more serious when shifting from “this is interesting” to “this scales.” The study warns that the attack can be automated at high frequency and that the operational requirement is low: in the described scenario, simply knowing the phone number of the target suffices. This opens doors to problematic uses such as stalking, coercive control, or selective surveillance, even without access to the target’s account.
Besides activity profiling, the researchers mention another consequence: resource exhaustion. Under certain conditions, a sustained campaign of interactions could force the device to process traffic continuously. In their demo, the authors quantify notable resource drains (e.g., battery drain and data traffic per hour) and point out a practical difference: WhatsApp showed less rate limiting in their experiment, whereas Signal applied more friction, making abuse more difficult.
What is the platforms’ response?
According to heise, the media outlet contacted WhatsApp and Signal about the situation and possible measures or timelines. For WhatsApp, the response described by the media did not provide a concrete schedule nor clarify the exact limits of existing defenses. Signal, for its part, did not highlight any specific option capable of directly mitigating the issue for the user.
The core issue here is both technical and political: if the side-channel is confirmed exploitable in real-world conditions, the fundamental solution isn’t just “educating the user” (though that helps) but redesigning the system: damping or randomizing timing, tightening rate limits, implementing controls for interactions from unknown contacts, and reducing the utility of those acknowledgments as stable signals.
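As an added illustration, not code from the paper, the PoC or either platform, the small simulation below uses constructed acknowledgment-delay distributions for a screen-on and a screen-off device and measures how well a simple timing threshold separates the two states, with and without the “pad acknowledgments to a fixed deadline” mitigation. All timing values are assumptions, not measurements; the point it shows is that padding only removes the signal when the deadline exceeds the state-dependent spread.

```python
import math
import random

# Constructed, not measured: assumed ack delay distributions (ms) for a
# device with the screen on ("active") and with the screen off ("idle").
ACTIVE_MEAN_MS, ACTIVE_SD_MS = 200.0, 20.0
IDLE_MEAN_MS, IDLE_SD_MS = 600.0, 50.0


def sample_rtts(rng, n, mean, sd):
    """Draw n acknowledgment round-trip times from a normal distribution."""
    return [max(1.0, rng.gauss(mean, sd)) for _ in range(n)]


def pad_to_deadline(rtt_ms, bucket_ms):
    """Mitigation: the client releases the ack only at the next multiple of
    bucket_ms after the message arrived, so an observer sees the bucket
    boundary rather than the device-dependent processing time."""
    return math.ceil(rtt_ms / bucket_ms) * bucket_ms


def threshold_accuracy(active, idle):
    """Best accuracy of the rule 'idle if rtt > thr' over all thresholds:
    a measure of how separable the two states are from timing alone.
    0.5 means timing carries no information (classes are balanced)."""
    samples = [(r, False) for r in active] + [(r, True) for r in idle]
    candidates = {r for r, _ in samples} | {float("-inf")}
    best = 0.0
    for thr in candidates:
        correct = sum((r > thr) == is_idle for r, is_idle in samples)
        best = max(best, correct / len(samples))
    return best


def evaluate(bucket_ms=None, n=200, seed=7):
    """Separability of active vs idle, raw (bucket_ms=None) or padded."""
    rng = random.Random(seed)
    active = sample_rtts(rng, n, ACTIVE_MEAN_MS, ACTIVE_SD_MS)
    idle = sample_rtts(rng, n, IDLE_MEAN_MS, IDLE_SD_MS)
    if bucket_ms is not None:
        active = [pad_to_deadline(r, bucket_ms) for r in active]
        idle = [pad_to_deadline(r, bucket_ms) for r in idle]
    return threshold_accuracy(active, idle)


if __name__ == "__main__":
    # A 100 ms bucket still leaks (states land in different buckets);
    # a 1000 ms bucket collapses both states onto the same value.
    for bucket in (None, 100, 1000):
        label = "raw" if bucket is None else f"padded to {bucket} ms"
        print(f"{label:>18}: separability {evaluate(bucket):.2f}")
```

The same harness can be rerun with jitter or other delay-shaping policies substituted for `pad_to_deadline` to compare how much signal each one leaves.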
Mitigations for users and security teams: helpful but partial
For a tech-savvy audience, the key takeaways are twofold:
- This isn’t an encryption problem, but rather one related to metadata and system behavior.
- Current mitigations are incomplete, but there are reasonable steps to reduce exposure.
WhatsApp includes a feature aimed at curbing abuse from unknown accounts: blocking high volumes of messages from unknown contacts within advanced privacy settings. This can complicate high-frequency attacks from unsaved numbers, although the platform does not disclose the exact threshold, so it cannot be considered a “cure.”
It’s also important not to fall into a false sense of security: disabling read receipts may be advisable for everyday privacy, but the research indicates that it’s not enough to neutralize this vector, since it relies on delivery confirmations and other mechanisms that remain active.
For organizations (schools, companies, governments), the approach should change: besides adjusting privacy settings, messaging should be considered part of the risk surface, and training on metadata should be reinforced—not just on content. Modern security isn’t only about “what you say,” but about “what signals you emit unintentionally.”
FAQs
What is an RTT attack in messaging apps, and why does it affect WhatsApp and Signal?
It’s a technique based on measuring the round-trip time of technical acknowledgments. If those times vary depending on the device’s state, they can serve as signals to infer activity even with encryption enabled.
Does disabling “seen” on WhatsApp help prevent this type of tracking?
It improves privacy during daily use but the research shows it doesn’t protect against delivery confirmations or internal responses that don’t depend on the “seen” status.
What specific settings can help against abuse from unknown numbers in WhatsApp?
Enabling the option to block high volumes of messages from unknown contacts in Settings → Privacy → Advanced can reduce repeated attempts, but it doesn’t guarantee complete protection.
What should WhatsApp and Signal implement to solve the root problem?
Design changes: more rate-limiting, reducing exploitable acknowledgments from unknown contacts, and techniques like “padding” or timing randomization so that RTT isn’t a reliable signal.
Source: Security news
