%0 Conference Paper %1 DBLP:conf/ndss/2021 %A Hagen, Christoph %A Weinert, Christian %A Sendner, Christoph %A Dmitrienko, Alexandra %A Schneider, Thomas %B Network and Distributed System Security Symposium (NDSS) %D 2021 %I The Internet Society %K %T All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers %U https://www.ndss-symposium.org/ndss-2021/ %X Contact discovery allows users of mobile messengers to conveniently connect with people in their address book. In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods. Our study of three popular mobile messengers (WhatsApp, Signal, and Telegram) shows that, contrary to expectations, largescale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we have queried 10 % of US mobile phone numbers for WhatsApp and 100 % for Signal. For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service. We present interesting (crossmessenger) usage statistics, which also reveal that very few users change the default privacy settings. Regarding mitigations, we propose novel techniques to significantly limit the feasibility of our crawling attacks, especially a new incremental contact discovery scheme that strictly improves over Signal’s current approach. Furthermore, we show that currently deployed hashing-based contact discovery protocols are severely broken by comparing three methods for efficient hash reversal of mobile phone numbers. For this, we also propose a significantly improved rainbow table construction for non-uniformly distributed inputs that is of independent interest.

@inproceedings{DBLP:conf/ndss/2021, abstract = {Contact discovery allows users of mobile messengers to conveniently connect with people in their address book. In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods. Our study of three popular mobile messengers (WhatsApp, Signal, and Telegram) shows that, contrary to expectations, largescale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we have queried 10 % of US mobile phone numbers for WhatsApp and 100 % for Signal. For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service. We present interesting (crossmessenger) usage statistics, which also reveal that very few users change the default privacy settings. Regarding mitigations, we propose novel techniques to significantly limit the feasibility of our crawling attacks, especially a new incremental contact discovery scheme that strictly improves over Signal’s current approach. Furthermore, we show that currently deployed hashing-based contact discovery protocols are severely broken by comparing three methods for efficient hash reversal of mobile phone numbers. For this, we also propose a significantly improved rainbow table construction for non-uniformly distributed inputs that is of independent interest.}, added-at = {2023-12-13T04:12:10.000+0100}, author = {Hagen, Christoph and Weinert, Christian and Sendner, Christoph and Dmitrienko, Alexandra and Schneider, Thomas}, authors = {Hagen, Christoph and Weinert, Christian and Sendner, Christoph and Dmitrienko, Alexandra and Schneider, Thomas}, biburl = {https://www.bibsonomy.org/bibtex/2c45d391a732b719cc30ec0f5c951ec44/admin}, booktitle = {Network and Distributed System Security Symposium (NDSS)}, interhash = {931c2ca03cdd0dd2e6fce3dc068c93bc}, intrahash = {c45d391a732b719cc30ec0f5c951ec44}, keywords = {}, publisher = {The Internet Society}, timestamp = {2023-12-13T04:12:10.000+0100}, title = {All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers }, url = {https://www.ndss-symposium.org/ndss-2021/}, venue = {NDSS}, year = 2021 }