End-to-end encryption protects your message content, but what about the data your device leaks just by receiving messages? A newly released tool demonstrates how attackers can track billions of WhatsApp and Signal users using nothing more than their phone number.
The Silent Whisper Vulnerability
Security researchers have publicly released a proof-of-concept tool that exploits a fundamental weakness in how messaging protocols handle delivery receipts. Dubbed "Silent Whisper," this vulnerability allows anyone to:
- Track when you're awake or asleep
- Determine if you're home (on WiFi) or traveling (mobile data)
- Know whether you're actively using your phone
- Drain your battery and data without your knowledge
The attack requires only your phone number — no malware installation, no physical access, and no visible notifications on your device.
How the Attack Works
Modern messaging apps send automatic delivery receipts to confirm message reception. The Silent Whisper attack exploits this by sending "reaction" messages to non-existent message IDs. Your phone responds automatically — before validating whether the message exists — revealing critical information through the round-trip time (RTT).
```
Attacker                       Target Device
│                                    │
│── Fake reaction to msg ID ────────►│
│                                    │ (Auto-ACK before validation)
│◄──────────── Delivery receipt ─────│
│                                    │
└── Measures RTT: 45ms ──────────────┘
    (Fast = WiFi, screen on)
```
The RTT varies predictably based on your device state:
| RTT Response | Device Status |
|---|---|
| Very low (~50ms) | Active use, screen on, WiFi connected |
| Low-medium | Active use, screen on, mobile data |
| High | Standby mode (screen off), WiFi |
| Very high | Standby on mobile data or poor reception |
| Timeout | Device offline or airplane mode |
| Highly variable | Device is moving |
What Attackers Can Learn
By continuously probing your device — up to 20 pings per second — attackers can build a detailed behavioral profile:
- Daily routines: When you wake up, when you go to sleep
- Location patterns: When you're home (stable WiFi), at work, or traveling
- Work habits: Your active hours and break patterns
- Device type: Inconsistencies in RTT can fingerprint your phone model and OS
- Geographic region: Using multiple probe points can triangulate approximate location
"Over time, you can use this to infer behavior: when someone is probably at home (stable Wi-Fi RTT), when they're likely sleeping (long standby/offline stretches), when they're out and moving around." — Security researcher "gommzystudio"
The Hidden Cost: Battery and Data Drain
Beyond surveillance, this attack has physical consequences. During testing:
| Device | Battery Drain per Hour |
|---|---|
| iPhone 13 Pro | 14% |
| iPhone 11 | 18% |
| Samsung Galaxy S21 | 11% |
Normal idle consumption is less than 1% per hour. Victims may notice their battery draining rapidly or mobile data usage spiking — but they'll see no notifications, no messages, nothing in the UI to explain why.
Why End-to-End Encryption Isn't Enough
This vulnerability highlights a critical blind spot in messaging security: content encryption doesn't protect metadata.
Your messages may be unreadable in transit, but the act of receiving them — the timing, frequency, and network conditions — creates a data trail that reveals your life patterns.
Traditional security models focus on:
- ✅ Encrypting message content
- ❌ Protecting protocol-level metadata
- ❌ Preventing side-channel analysis
- ❌ Limiting automatic device responses
This is why comprehensive security requires thinking beyond encryption keys to consider the entire attack surface — including seemingly innocent protocol behaviors.
How to Protect Yourself
For WhatsApp Users
- Enable message filtering: Go to Settings → Privacy → Advanced → Enable "Block unknown account messages"
- Limit status visibility: Disable "Last Seen" and "Online" status
- Restrict profile access: Limit who can see your profile photo and about info
For Signal Users
- Disable read receipts: Settings → Privacy → Read Receipts → Off
- Turn off typing indicators: Settings → Privacy → Typing Indicators → Off
- Use registration lock: Adds additional protection to your account
General Recommendations
- Be cautious with unknown contacts: The attack requires that the sender knows your number and has not been blocked
- Watch for unusual battery drain: Rapid battery loss could indicate you're being probed
- Check data usage: Unexplained spikes in mobile data may signal an attack
- Keep apps updated: Both platforms may implement mitigations
The Bigger Picture
As of December 2025, this vulnerability remains exploitable in both WhatsApp (affecting 3+ billion users) and Signal. While Signal's rate limiting reduces the battery drain attack to ~1% per hour, the tracking capability persists.
This serves as a reminder that true privacy requires defense in depth:
- Content encryption — protects what you say
- Metadata protection — protects the patterns of communication
- Protocol hardening — limits what devices reveal automatically
- User awareness — understanding the risks beyond encrypted content
The Silent Whisper vulnerability demonstrates that even applications with strong encryption reputations can leak sensitive behavioral data through protocol-level side channels.
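A simplified model of the protocol-hardening idea above, added here as an illustration and not code from WhatsApp, Signal or the researchers' tool: validate a reaction's target message ID before sending any receipt, and rate-limit receipts per sender. The class name, thresholds, decision labels and sample phone numbers are assumptions.

```python
from collections import defaultdict, deque

class ReceiptGate:
    """Simplified model of receipt handling: validate first, then rate-limit."""

    def __init__(self, known_ids, max_acks=5, window_s=10.0, flag_after=20):
        self.known_ids = set(known_ids)      # message IDs present in the local store
        self.max_acks = max_acks             # receipts allowed per sender per window
        self.window_s = window_s
        self.flag_after = flag_after         # invalid reactions before a sender is flagged
        self.acks = defaultdict(deque)       # sender -> timestamps of receipts sent
        self.invalid = defaultdict(int)      # sender -> count of reactions to unknown IDs
        self.flagged = set()

    def handle_reaction(self, sender, target_id, now):
        """Return 'drop', 'defer' or 'ack' for one inbound reaction."""
        # Validate before acknowledging: an unknown target ID gets no receipt,
        # so the sender has no round trip to time.
        if target_id not in self.known_ids:
            self.invalid[sender] += 1
            if self.invalid[sender] >= self.flag_after:
                self.flagged.add(sender)
            return "drop"
        # Sliding-window limit on receipts for valid reactions.
        sent = self.acks[sender]
        while sent and now - sent[0] >= self.window_s:
            sent.popleft()
        if len(sent) >= self.max_acks:
            return "defer"                   # hold the receipt for a later batch
        sent.append(now)
        return "ack"

def simulate():
    """Constructed traffic: a 20-per-second probe burst plus one normal reaction."""
    gate = ReceiptGate(known_ids={"msg-001", "msg-002"})
    prober, contact = "+15550100", "+15550199"   # constructed sample numbers
    probe_results = [gate.handle_reaction(prober, f"fake-{i}", now=i * 0.05)
                     for i in range(60)]
    contact_result = gate.handle_reaction(contact, "msg-001", now=1.0)
    return gate, probe_results, contact_result

if __name__ == "__main__":
    gate, probes, contact = simulate()
    print("probe receipts sent:", probes.count("ack"))
    print("flagged senders:", sorted(gate.flagged))
    print("known contact:", contact)
```

In this model the probe burst produces no receipts at all and the sender is flagged after 20 invalid reactions, while a normal reaction to a real message is acknowledged as usual.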
Key Takeaways
- Phone number = Tracking capability: Anyone with your number can potentially monitor your activity patterns
- End-to-end encryption has limits: It protects content, not metadata or protocol behaviors
- Side-channel attacks are real: Timing analysis can reveal more than direct data access
- Defense requires multiple layers: No single security measure is sufficient
For organizations handling sensitive communications, this underscores the importance of evaluating security holistically — not just whether messages are encrypted, but what information leaks through protocol design, timing analysis, and device behaviors.