They developed a location method based on SMS delivery time

SMS Location Identification Attack

SMS Location Identification Attack is a new location method that does not require access to the infrastructure

Browsing the subreddits, I came across a piece of news that caught my attention: a group of researchers from Northeastern and New York universities recently announced that they have developed a technique for estimating the location of an SMS recipient by analyzing SMS delivery delays.

The method lets the sender of an SMS message determine the country in which the recipient is located, with an accuracy of up to 96%.

The central idea is that receiving an SMS inevitably generates delivery reports whose reception grants a time attack vector to the sender. We conducted experiments in various countries, carriers, and devices to demonstrate that an attacker can deduce the location of an SMS recipient by analyzing time measurements of typical recipient locations. Our results show that after training an ML model, the SMS sender can accurately determine multiple recipient locations.

The method is interesting because it does not require access to the operator's infrastructure, is implemented on the side of a regular client, and can be applied imperceptibly by sending "silent" SMS messages that are not displayed to the recipient. The information used to determine the location is the delivery delay, calculated from the time that elapses between the moment the SMS is sent and the arrival of the notifications from the backbone network (CP-ACK) and from the delivery network (SMS-DR, Delivery Report) of the operator through which the recipient works.

To map delays to locations, a machine learning system was used whose model was trained on delays measured for typical locations, calculated relative to the sender's current location.

As for how the method works, the attack is carried out in two stages:

  • The preparatory stage is carried out while the attacker knows where the device under test is located. The attacker periodically sends a series of Type 0 SMS messages (Silent SMS) and times the receipt of the delivery notification. The known location parameters are matched with the measured delay data.
  • In the second stage, data on delivery delays is accumulated blindly and the location is calculated using the trained machine learning model, solving the prediction problem step by step: first the continent is determined, then the country and then the region.

Depending on the movement patterns of the victim and the locations observed in the preparation phase, the classification occurs in multiple iterations. Therefore, the classification problem is split into a step-by-step location prediction problem involving multiple location identifications.

As countermeasures against the measurement of delays, SMS-DR messages can be blocked on the carrier side, or the carrier can use "SMS Home Routing" in non-transparent mode, in which the recipient's operator issues the delivery response instantly, regardless of where the subscriber is.
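The effect of the home-routing countermeasure can be seen in a small simulation, added here as an example and not taken from the researchers' code. The delay figures are constructed, and a nearest-mean classifier stands in for the machine learning model.

```python
import random
import statistics

# Constructed delay model in milliseconds (mean, std dev); these are
# illustrative assumptions, not measurements from the researchers.
LOCATIONS = {"home_country": (1800.0, 250.0), "abroad": (2600.0, 300.0)}
HOME_ROUTED = (900.0, 250.0)  # report issued by the recipient's operator

def sample_delays(rng, location, n, home_routing=False):
    """Simulate send-to-delivery-report delays for n messages.
    With non-transparent home routing the response is issued at once,
    so the delay no longer depends on where the subscriber is."""
    mean, sd = HOME_ROUTED if home_routing else LOCATIONS[location]
    return [max(0.0, rng.gauss(mean, sd)) for _ in range(n)]

def train(rng, n, home_routing):
    """Preparatory stage: mean delay per known location."""
    return {loc: statistics.fmean(sample_delays(rng, loc, n, home_routing))
            for loc in LOCATIONS}

def classify(model, delays):
    """Second stage: choose the location whose trained mean is closest."""
    observed = statistics.fmean(delays)
    return min(model, key=lambda loc: abs(model[loc] - observed))

def accuracy(home_routing, trials=400, burst=5, seed=7):
    """Fraction of bursts assigned to the right location."""
    rng = random.Random(seed)
    model = train(rng, 200, home_routing)
    names = list(LOCATIONS)
    hits = 0
    for i in range(trials):
        truth = names[i % 2]
        delays = sample_delays(rng, truth, burst, home_routing)
        hits += classify(model, delays) == truth
    return hits / trials

if __name__ == "__main__":
    print("delivery reports from visited network:", accuracy(False))
    print("non-transparent home routing:         ", accuracy(True))
```

With location-dependent delays the classifier is almost always right; once the delivery response is issued by the home operator, accuracy falls to roughly a coin flip because the timing carries no location signal.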

The devices that participated in the experiment were located in the United States, the United Arab Emirates and seven European countries, and covered ten telecom operators with different types of mobile networks (LTE, LTE+, 5G NSA). When trying to determine the location of the recipient within the country, the accuracy in separating the two regions in Belgium was 86%, in Germany 68%, in Greece 79%, in the United Arab Emirates 76%.

The technique can also be used to reliably determine whether the recipient is abroad or not, or to establish which of the places the user usually visits they are currently in.

Finally, if you are interested in learning more about it, you should know that the code implementing the method and the machine learning model used by the researchers will soon be published on GitHub. You can check the details in the following link.

