this post was submitted on 28 Jul 2023
76 points (90.4% liked)

[–] [email protected] 18 points 1 year ago (1 children)

Does this mean that hackers can do what corporates did for years now?

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

Closing the vulnerability would require an overhaul of the global SMS system, Bitsikas says.

Would it really be that hard to add a 200-1000ms random delay before sending the receipt and making statistical analysis moot?

Carriers could easily even delay the forwarding of the receipt to aim for constant-time. Probably not a trivial software update, but I wouldn't call it a major overhaul.

Timing attacks aren't exactly new.
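
Added example, not part of the thread or of any commenter's post: a small simulation of the two mitigations mentioned in the comment above (a random 200-1000 ms receipt delay, and holding receipts for constant-time release), measuring how much of a location-dependent latency gap is left in averaged timings under each. The site names, base latencies, jitter and the 1500 ms deadline are constructed assumptions, not measurements.

```python
import random
import statistics

# Constructed values for illustration (assumptions, not measurements).
BASE_MS = {"site_a": 420.0, "site_b": 470.0}  # mean receipt latency per location
NOISE_MS = 30.0        # ordinary network jitter, standard deviation
DEADLINE_MS = 1500.0   # fixed release time for the constant-time variant


def natural(rng, site):
    """Receipt latency with no mitigation."""
    return rng.gauss(BASE_MS[site], NOISE_MS)


def random_delay(rng, site):
    """Receiver adds a uniform 200-1000 ms delay before sending the receipt."""
    return natural(rng, site) + rng.uniform(200.0, 1000.0)


def constant_time(rng, site):
    """Carrier holds every receipt until a fixed deadline."""
    return max(natural(rng, site), DEADLINE_MS)


def residual_gap(mitigation, n, seed=1):
    """Return (gap, stderr): the difference in mean latency between the two
    sites over n receipts each, and the standard error of that difference."""
    rng = random.Random(seed)
    a = [mitigation(rng, "site_a") for _ in range(n)]
    b = [mitigation(rng, "site_b") for _ in range(n)]
    gap = statistics.fmean(b) - statistics.fmean(a)
    stderr = ((statistics.pvariance(a) + statistics.pvariance(b)) / n) ** 0.5
    return gap, stderr


if __name__ == "__main__":
    cases = [("none", natural), ("random delay", random_delay),
             ("constant time", constant_time)]
    for name, fn in cases:
        gap, se = residual_gap(fn, 20000)
        print(f"{name:14s} gap = {gap:7.2f} ms  (stderr {se:.2f} ms)")
```

With these constructed numbers the random delay widens the error of the averaged gap but leaves the gap itself in place, while the fixed deadline removes it as long as no receipt naturally takes longer than the deadline.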

[–] [email protected] 1 points 1 year ago

...you know for anyone that thought cell service was safe...

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (2 children)

Interesting, I guess using a mobile hotspot and using your phone without its SIM card, with WiFi on and connected to the hotspot, would protect against this.

[–] [email protected] 2 points 1 year ago (1 children)

A mobile hotspot is effectively just a mobile without a screen. It would only provide protection from this exploit if SMS was fully disabled.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

The hotspot would have its own SIM card, not the one that was in your phone. The one in your phone was removed in this case. The number of the hotspot is not known to the attacker, and the phone can still be used for calls and texts via Signal or WhatsApp or whatever.

[–] [email protected] 1 points 1 year ago

But then you won't get any SMSes. A better option would be to use a second Android device with your main SIM, and use call forwarding and an SMS proxy app. Or you could get a virtual number online, and give that number out to people, and keep your main number private.

[–] [email protected] 0 points 1 year ago (1 children)

That is very serious. Unfortunate to see.

[–] [email protected] 2 points 1 year ago

It's not that serious.

"The procedure might be difficult to scale. The attacker will need to have Android devices in multiple locations sending messages every hour and calculating the responses. The collection itself can take days or weeks depending on how many fingerprints the attacker wants to collect.

"Not only are the collection and the analysis difficult, but then you have also the problem of sufficiently and appropriately configuring the machine-learning model, which is related to deep learning."

The concern, says Bitsikas, is that a deep-pocketed organization could exploit the flaw to locate government leaders, activists, CEOs and others who desire to keep their whereabouts private.

TLDR: this requires a big infrastructure, planning, and an ML model tailored specifically towards you, which means this only really affects big targets like public figures - who wouldn't be using SMS in the first place if they value privacy.
