Silent Signals: Exploiting Security and Privacy Side-Channels in End-to-End Encrypted Messengers

Presented at DEF CON 33 (2025), Aug. 10, 2025, 12:30 p.m. (45 minutes).

With billions of users worldwide, mobile messaging apps like WhatsApp and Signal have become critical for personal and professional communication. While these platforms promise security and privacy, our research uncovers two significant vulnerabilities that expose users to stealthy tracking and security degradation. First, we reveal how delivery receipts --commonly used to confirm message delivery-- can be exploited to track a user's online status, screen activity, and device usage without their knowledge. This technique enables passive surveillance, draining a target's battery and data allowance while remaining entirely invisible to them. Second, we demonstrate a novel attack on WhatsApp's implementation of the Signal Protocol, specifically targeting its Perfect Forward Secrecy (PFS) mechanism. By depleting a victim's stash of ephemeral encryption keys, an attacker can weaken message security, disrupt communication, and exploit flaws in the prekey refilling process. Both attacks require nothing more than the victim's phone number and leverage fundamental design choices in these widely used platforms. This talk will provide an in-depth analysis of these vulnerabilities, their implications, and potential mitigations -- challenging the security assumptions of modern encrypted messaging. References: - Careless Whisper: Exploiting End-to-End Leakage in Mobile Instant Messengers, Gabriel K. Gegenhuber, Maximilian Günther, Markus Maier, Aljosha Judmayer, Florian Holzbauer, Philipp É. Frenzel, Johanna Ullrich; [link](https://arxiv.org/abs/2411.11194) - Prekey Pogo: Investigating Security and Privacy Issues in WhatsApp's Handshake Mechanism, USENIX WOOT 2025, Gabriel K. Gegenhuber, Philipp É. Frenzel, Maximilian Günther, Aljosha Judmayer; [link](https://arxiv.org/abs/2504.07323)

Presenters:

• Gabriel Gegenhuber
  Gabriel is a PhD candidate at the University of Vienna, Austria. He received a bachelor's degree in Software & Information Engineering and a master's degree in Software Engineering & Internet Computing at the TU Wien. Gabriel is conducting research in the area of cellular and mobile networks. This includes Internet measurement technologies, traffic classification systems (e.g., deep packet inspection) and technical measures that are used to detect net neutrality and privacy violations. Furthermore, he's working on improving the MobileAtlas measurement platform for cellular networks.
• Maximilian Günther
  Max Guenther is master student at University of Vienna. He is a cybersecurity nerd and part-time full stack engineer at Intigriti. Previously, he was security analyst at Austrian Power Grid and security researcher at the Austrian Armed Forces.

Similar Presentations:

• ShmooCon X (2014) / Malicious Threats, Vulnerabilities, and Defenses in WhatsApp and Mobile Instant Messaging Platforms
• 33C3 (2016) / A look into the Mobile Messaging Black Box: A gentle introduction to mobile messaging and subsequent analysis of the Threema protocol.
• Black Hat USA 2019 / Messaging Layer Security: Towards a New Era of Secure Group Messaging