好的,我现在需要帮用户总结一篇文章的内容,控制在100字以内。用户的要求很明确,不需要用“文章内容总结”这样的开头,直接写描述即可。 首先,我得通读整篇文章,抓住主要内容。文章讲的是通过WhatsApp发送小探测反应来追踪手机的活动状态,比如屏幕开/关、离线等。这种方法不需要通知或显示消息,受害者完全不知道。 然后,作者解释了工作原理:使用WhatsApp的非官方API发送探测反应到特殊或无效的消息ID。WhatsApp会返回静默的送达回执,通过测量回执的往返时间(RTT)来推断设备状态。比如低RTT可能意味着屏幕开着且在Wi-Fi下,高RTT可能意味着屏幕关闭或处于待机状态。 接下来,文章提到这种方法同样适用于Signal,并且理论上可以通过网络流量检测到这种异常的探测模式。受害者可能会消耗更多的移动数据和电池电量。长期来看,可以推断出用户的活动模式,比如何时在家、睡觉或外出。 最后,作者提供了一个快速修复的方法:在WhatsApp和Signal的隐私设置中限制未知号码发送消息。同时,他还开源了自己的实现,并引用了原始论文。 现在我需要把这些信息浓缩到100字以内。重点包括:通过WhatsApp发送探测反应追踪设备活动状态、无需通知、测量RTT推断屏幕和网络状态、长期可推断用户行为、修复方法和开源项目。 所以总结的时候要涵盖这些关键点:方法、技术手段、效果、影响和解决方案。 </think> 通过 WhatsApp 发送小探测反应追踪手机活动状态(如屏幕开/关、离线),无需通知或显示消息。利用往返时间(RTT)推断设备状态:低 RTT 表示屏幕开启且在 Wi-Fi 下,高 RTT 表示屏幕关闭或待机等。长期可推断用户行为模式(如在家、睡觉或外出)。修复方法:限制未知号码发送消息。 2025-12-7 16:33:23 Author: www.reddit.com(查看原文) 阅读量:0 收藏
I’ve been playing with the “Careless Whisper” side-channel idea and hacked together a small PoC that shows how you can track a phone’s device activity state (screen on/off, offline) via WhatsApp – without any notifications or visible messages on the victim’s side.
How it works (very roughly):
- uses WhatsApp via an unofficial API
- sends tiny “probe” reactions to special/invalid message IDs
- WhatsApp still sends back silent delivery receipts
- I just measure the round-trip time (RTT) of those receipts
From that, you start seeing patterns like:
- low RTT ≈ screen on / active, usually on Wi-Fi
- a bit higher RTT ≈ screen on / active, on mobile data
- high RTT ≈ screen off / standby on Wi-Fi
- very high RTT ≈ screen off / standby on mobile data / bad reception
- timeouts / repeated failures ≈ offline (airplane mode, no network, etc.)
*depends on device
The target never sees any message, notification or reaction. The same class of leak exists for Signal as well (per the original paper).
In theory you’d still see this in raw network traffic (weird, regular probe pattern), and on the victim side it will slowly burn through a bit more mobile data and battery than “normal” idle usage.
Over time you can use this to infer behavior:
- when someone is probably at home (stable Wi-Fi RTT)
- when they’re likely sleeping (long standby/offline stretches)
- when they’re out and moving around (mobile data RTT patterns)
So in theory you can slowly build a profile of when a person is home, asleep, or out — and this kind of tracking could already be happening without people realizing it.
Quick “hotfix” for normal users:
Go into the privacy settings of WhatsApp and Signal and turn off / restrict that unknown numbers can message you (e.g. WhatsApp: Settings → Privacy → Advanced). The attack basically requires that someone can send stuff to your number at all – limiting that already kills a big chunk of the risk.
My open-source implementation (research / educational use only): https://github.com/gommzystudio/device-activity-tracker
Original Paper:
https://arxiv.org/abs/2411.11194
如有侵权请联系:admin#unsafe.sh