TIL about SMS Delivery Reports and I Googled to learn how to enable them in the native SMS messaging app on my mobile device!
I didn't have time to read the whole doc. Did it say how many SMS Delivery Reports were needed to create the model? I saw this "We repeated the classification for every combination of locations in our dataset, with sample sizes varying from 100 to 500"
I think getting 100 messages from a (series of) unknown number(s) would be alarming, but after reading this, I now know that it's a sign that I need to ... get a new burner phone and increase the size of my security detail? :^)
In all seriousness... I've been getting several SMS messages from unknown numbers every day, as well as several 0:02 second empty voicemails every day. I've had my phone number for 17 years, and it's tied to so many things that I don't want to change it. I'm a pretty low value target for someone to be stalking my location with such a sophisticated method. Should I be worried that this is more than just spam?
If your phone receives a message with certain data fields properly set, the message will be discarded without becoming visible to the user, or the user-visible indication may not be obvious (sending an SMS to indicate there are / are not voicemails). If the sender had requested a delivery report and the carrier (and all intermediaries) forwards the message with the delivery report request intact, and the device sends a delivery report in response, and the carrier forwards the delivery report back to the original sender, the sender may be able to infer something from when they receive the delivery report.
This is a feature the Netherlands police actually uses to track phone locations.
It’s possible to send a “silent sms” to a handset and by doing so you can discover where the receiving handset is located. This is undetectable by the user of the handset unless they use a rooted device and monitor all incoming sms payloads.
I'm kind of surprised that rooting the device allows the user of the device to become aware. It seems like the sort of thing that the baseband layer would handle without passing anything at all to the main OS. At least for the messages designed for stealth. Obviously the messages meant to influence the UI (like voicemail status) need to make their way to the OS.
I assume from the point of view of the baseband processor these are all messages meant to influence the UI, and the silent messages sent by police are an "abuse" of the feature
Anybody can send corrupt messages that the device won't show; getting your phone to send its GPS coordinates is a part of the GSM standard, but only your operator can send that kind of request (or the cops if they stingray you).
There is a category of SMS that won't show up in your inbox. Think of them as messages for your baseband/system. But they will result in delivery messages. They used to be quite well used in the Nokia era.
Because they are extremely unreliable and behave in bizarre and unexpected ways. Phone carriers do all kinds of broken and lazy stuff if they think they can get away with it without their subscribers noticing. Source: I used to work at Twilio, we sent a lot of text messages.
SMSes have confirmed delivery. If the SMSC does not get the confirmation (on a lower protocol layer, nothing to do with delivery reports) it will send the SMS again. So duplicate delivery is possible. Because there is no unique identifier, the phone cannot eliminate such duplicates.
Delivery reports are best effort. The phone just sends them, but if the reception fails they are lost.
I live in a country with excellent mobile coverage, worked in the GSM industry already in the 1990s and have seen double delivery or a missing report only less than a handful of times in 25 years.
When I travel abroad I'm shocked how bad the network is in some industrialized countries. Many bizarre things happen as the parent writes, but not only related to SMS.
Edit: Above explanation is shortened. Of course there are always at least 2 hops: sender to SMSC, SMSC to recipient. I guess both hops are either confirmed or best effort. But it's been 28 years since my GSM training...
Other comments suggest that these have nothing to do with settings you find in the app. If so, then my best guess is that a setting in your app by the name "delivery report" is actually just mislabeling some other thing such as "read receipts"...
"...The core idea is that receiving an SMS inevitably generates Delivery Reports whose reception bestows a timing attack vector at the sender. We conducted experiments across various countries, operators, and devices to show that an attacker can deduce the location of an SMS recipient by analyzing timing measurements from typical receiver locations. Our results show that, after training an ML model, the SMS sender can accurately determine multiple locations of the recipient. For example, our model achieves up to 96% accuracy for locations across different countries, and 86% for two locations within Belgium. Due to the way cellular networks are designed, it is difficult to prevent Delivery Reports from being returned to the originator making it challenging to thwart this covert attack without making fundamental changes to the network architecture..."
> "Due to the way cellular networks are designed, it is difficult to prevent Delivery Reports from being returned to the originator making it challenging to thwart this covert attack without making fundamental changes to the network architecture..."
As a high volume SMS sender in a previous job, I can say this is pretty untrue. Plenty of carriers or intermediaries would block or spoof delivery reports.
I found that requesting delivery reports tended to increase actual delivery, but receiving a delivery report didn't provide any meaningful indication of receipt and lack of receiving a delivery report similarly didn't provide meaningful information.
Yes, exactly, I also have worked directly with network SMSCs (the service managing the SMS integration with the cellular network), and this is absolutely the case. Networks can and do spoof, delay or refuse to send delivery reports, or will charge extra for them.
> Due to the way cellular networks are designed, it is difficult to prevent Delivery Reports from being returned to the originator making it challenging to thwart this covert attack without making fundamental changes to the network architecture
That would make it harder by increasing the noise, but the signal is still there.
Unless the receiving (target) phone knows the location of each of the senders, it won't be able to vary the delays in a way that perfectly cancels out the signal. The only hope is to raise the noise floor enough that it would take an impractical number of texts to find the phone's location, which should definitely be possible with random delays.
What the attack is measuring is basically the transmission delay to the device and back. The device (or the mobile network operator) doesn't know that delay, so they can't cancel it out. If you add a constant wait time you only accomplish something if the attacker doesn't know about that, otherwise they simply subtract that. And random variance just makes the measurement noisier, send enough SMS and the noise averages out.
If they have each delivery report randomly pick one of several ranges of potential delay (0-2 seconds, 1-3, 2-4) and then pick a random amount within whichever range is selected, would it still be possible to average out the randomness to get an accurate location? Actually I'm not sure that's any better than just having one wide range that it picks randomly from, but it could expand that range for each message over the first 5 per hour or whatever to make it harder to spam enough to average out without getting to extremely delayed delivery notifications.
These aren't read receipts, they're delivery reports from the network (not your device) that you can't control. From the paper:
> It works by leveraging SMS Delivery Reports, which are transmitted back to the sender when the network delivers the SMS to the recipient. The sender can request these reports, and there is no way for the recipient to prevent them.
So set up a gateway that redelivers SMS messages, preferably through some other protocol. The gateway of course sets up another possibility for exploitation.
Just don't give your cell number to people. I use a virtual number for almost everything.
"I don't have a mobile phone and the law doesn't require me to have one"
Or have 1 cell phone line that you give out as your number, set it up with an app to auto-forward SMS to an e-mail address and calls your actual cell phone, and put that phone in a locked garage in the middle of Iowa.
A lot of sites have started requiring a non VOIP phone number. Have you noticed this uptick? I used to use my google voice number for everything but it gets rejected as "not a real number" about 2-3x a week
I don't use any services that validate phone numbers in any way. Why would I?
Whenever a website asks me for a phone number I just make up random digits. Have never run into problems. Credit card companies definitely don't care what phone number I give to merchants.
I had to validate a phone number just to order food at MULTIPLE restaurants in the bay area using the ordering interface at the QR code at the table. They did not have paper menus. An SMS confirmation was required just to place an order from sitting at the table. This wasn't even for payment, just for ordering.
The DMV also required a stupid SMS confirmation just to renew my car registration.
I use virtual numbers for pretty much everything, but yeah, welcome to 2023.
> Additionally, we assume the attacker can collect measurements from locations of interest directly from the victim when located at specific locations/areas of interest (without revealing the attack) or deploy similar devices and connections as the victim at these locations for data collection.
>
> In the Preparation phase, the adversary repeatedly sends multiple (silent) SMS, with Delivery Reports enabled, to the victim while observing their respective locations.
This is a cool paper, but hard to actually implement it
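As an added illustration of the Preparation/attack phases quoted above and of the random-delay countermeasure debated earlier in the thread (example code written for this page, not code from the paper or its authors): the attacker first records Delivery Report round-trip times while the victim's location is known, then classifies a fresh batch of reports by nearest mean. A handset or network that adds a uniform random delay to every report widens the spread, but with enough reports the batch mean still separates the locations. The per-location delays, the Gaussian model and the U(0, 2 s) jitter are constructed assumptions for the simulation, not measured values.

```python
import random
from statistics import mean

# Constructed model (assumption, not data from the paper): each location is
# characterised by a typical round trip from "SMS sent" to "Delivery Report
# received", modelled as a Gaussian with a fixed spread.
LOCATION_RTT = {"home": 0.95, "office": 1.10}  # seconds, assumed
RTT_STDDEV = 0.08                                # seconds, assumed


def sample_delays(location, n, rng, jitter_max=0.0):
    """Simulate n Delivery Report round-trip times seen by the sender while
    the victim is at `location`. `jitter_max` models a countermeasure where
    the handset/network holds each report for a random U(0, jitter_max) s."""
    base = LOCATION_RTT[location]
    return [rng.gauss(base, RTT_STDDEV) + rng.uniform(0.0, jitter_max)
            for _ in range(n)]


def train_centroids(rng, n_per_location, jitter_max=0.0):
    """Preparation phase: the attacker sends silent SMS while the victim's
    location is known and records the mean report delay per location."""
    return {loc: mean(sample_delays(loc, n_per_location, rng, jitter_max))
            for loc in LOCATION_RTT}


def classify(samples, centroids):
    """Attack phase: nearest-centroid decision on the mean of a batch of
    Delivery Report delays collected at an unknown location."""
    m = mean(samples)
    return min(centroids, key=lambda loc: abs(centroids[loc] - m))


def attack_accuracy(batch_size, jitter_max=0.0, trials=200, seed=1):
    """Fraction of trials in which the attacker names the true location from
    `batch_size` reports. Training runs under the same jitter setting: the
    attacker is assumed to know the countermeasure is deployed, so a constant
    offset is learned away and only the added variance remains."""
    rng = random.Random(seed)
    centroids = train_centroids(rng, 2000, jitter_max)
    correct = 0
    for i in range(trials):
        truth = "home" if i % 2 == 0 else "office"
        batch = sample_delays(truth, batch_size, rng, jitter_max)
        correct += classify(batch, centroids) == truth
    return correct / trials


if __name__ == "__main__":
    print("no jitter,   20 reports:", attack_accuracy(20))
    print("U(0,2s) jitter,  5 reports:", attack_accuracy(5, jitter_max=2.0))
    print("U(0,2s) jitter, 400 reports:", attack_accuracy(400, jitter_max=2.0))
```

The simulation reproduces the point made about random delays: a 2 s uniform jitter drops a five-report attack close to coin-flip territory, but four hundred reports average it back out, so the countermeasure only raises the number of silent SMS the attacker has to send rather than removing the signal.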
This is a well known technique. Law enforcement and mobile operators routinely use silent SMS to triangulate phone location. Smartphones now make it easier to capture a lot more than just location. We know of several groups that sell turnkey exploits/malware (to governments as well as other parties).
There is unfortunately no way to block silent SMSes without disabling the entire messaging service (this is by design).
This is another reason to only use SIM cards for data. VOIP seems to eliminate this possibility since the message is going to a server that a device must retrieve.
First the message goes to the server. Then it must wait for my client to pick it up which is not instantly. I cannot see how my location could be measured by picking up a message from a server.
VoIP is voice. It's a realtime low latency point to point protocol. There are options to use intermediate servers, but there's a ton of room for information to leak.