According to the report, this method works regardless of whether the communications are encrypted, making it concerning for user privacy. The vulnerability has been seen in Android operating systems, but there is no evidence of active exploitation yet.
Researchers have found a new smartphone vulnerability in text messaging that could allow attackers to trace users’ locations. Using a machine-learning program on data from the SMS system, the research group exposed this flaw, allowing hackers to locate victims just by knowing their phone numbers.
According to the report, this method works regardless of whether the communications are encrypted. The vulnerability has been seen in Android operating systems, but there is no evidence of active exploitation yet.
The research group, led by Evangelos Bitsikas, a US-based-Northeastern University PhD student, exposed the flaw by applying a sophisticated machine-learning programme to data gleaned from the relatively primitive SMS system that has driven texting in mobile phones since the early 1990s, Northeastern Global News reported.
“Just by knowing the phone number of the user victim, and having normal network access, you can locate that victim. Eventually, this leads to tracking the user to different locations worldwide, ” said Bitsikas.
SMS security has seen only slight improvements since its introduction for 2G networks three decades ago. When users receive a text message, their phone sends a delivery notification to the sender as a receipt.
Hackers could exploit this by sending multiple text messages to users’ phones. By analysing the timing of automated delivery replies, the hacker can pinpoint the user’s location, even if their communications are encrypted.
“Once the machine-learning model is established, then the attacker is ready to send a few SMS messages. The results are fed into the machine-learning model, which will respond with the predicted location,” Bitsikas said.
Moreover, the report mentioned that Bitsikas has discovered no evidence that the vulnerability, which has so far been exploited through Android operating systems, is actively being exploited. “This does not mean that (hackers) aren’t going to make use of it later on,” Bitsikas said.
Scaling this procedure could be challenging for attackers. To accomplish it, they would require Android devices in various locations sending messages every hour and analysing the responses. Building a collection of fingerprints might take days or weeks, depending on the attacker’s goals.