
A newly discovered vulnerability in text messaging could let malicious actors trace users’ locations, according to cybersecurity Ph.D. student Evangelos Bitsikas.

According to Techxplore, Bitsikas’ research group exposed the flaw after applying a machine-learning program to data collected from the SMS system used for texting in mobile phones since the early 1990s. “Just by knowing the phone number of the user victim, and having normal network access, you can locate that victim,” says Bitsikas. “Eventually this leads to tracking the user to different locations worldwide.”

Bitsikas explains that when a text is sent, the receiver’s phone responds automatically with a notification to the sender—a receipt of delivery. A hacker could then send multiple text messages to a user’s cellphone, and the timing of the automated delivery replies would enable the hacker to triangulate the receiver’s location whether or not the communications are encrypted.

Essentially, the timing of each automated delivery notification leaves a fingerprint of the user’s location. Bitsikas claims, however, that he has found no evidence that the vulnerability is currently being exploited.

Nevertheless, this does not mean that malicious actors won’t make use of it in the future. Bitsikas explains that the procedure is complicated and might be difficult to scale since the attacker will need to have Android devices in multiple locations sending messages every hour and calculating the responses. Just the collection itself could take days or weeks.

Bitsikas is concerned that a powerful organization could exploit the flaw to locate government leaders, activists, CEOs and other important figures. “We are researchers with limited resources, and we are not experts in data science,” he explained. “What I’m afraid of is that advanced attackers—hacker groups, state-sponsored agencies, police, who of course have more resources—can achieve greater impact with this kind of attack.”

Before the research was published, its results were verified by GSMA, a global organization of more than 15,000 member experts that oversees the health and welfare of the mobile ecosystem. The conclusion was that closing the vulnerability would require an overhaul of the global SMS system, but GSMA plans to add countermeasures that will make the hack more difficult to achieve. Nevertheless, the vulnerability cannot be closed completely, since such networks unfortunately cannot be changed instantly everywhere.