The Silent Stalker in Your Pocket
You think your phone is asleep. It's face-down on the desk, screen dark. But across the city, or maybe across the world, someone—or something—just confirmed it. They know your device is active, connected, and ripe for interaction. No notification popped up. No message was sent. No permission was asked. This isn't speculative fiction; it's the reality demonstrated by a clever, and frankly unsettling, open-source proof-of-concept (PoC) dubbed "Careless Whisper." In 2025, this research shows how the very apps we trust for privacy, like WhatsApp and Signal, can be turned into silent tracking beacons.
The core idea is deceptively simple: exploit a fundamental, background communication feature to infer a device's state. It turns your phone into a digital canary, chirping its status without making a sound you can hear. For security professionals and privacy-conscious users, this PoC isn't just a neat hack—it's a stark reminder that our attack surface is often defined by the features we take for granted.
Decoding "Careless Whisper": It’s All About the Receipts
Let's cut through the jargon. How does this actually work? The PoC, detailed in a 2024 arXiv paper that's gained significant traction in 2025, targets a mundane mechanism: delivery receipts. You know, those tiny, automatic confirmations that a message was delivered to a device. WhatsApp and Signal use them to show those double checkmarks.
The attack, however, doesn't send a normal message. That would tip off the target. Instead, it uses an unofficial API (like those powering many third-party WhatsApp tools) to send a "probe." This probe is a reaction—think an emoji reply—to a special or invalid message ID. Here's the kicker: the target's app receives this nonsense probe, can't process it meaningfully, but the protocol often still triggers a silent delivery receipt back to the sender. No notification. No trace in the chat log. Just a tiny packet of data saying, "I'm here."
By measuring the time it takes for this receipt to come back (the round-trip time), the attacker can infer the device's state. An immediate receipt? Phone is awake, screen likely on. A delayed receipt? Phone might be in a doze state, or the screen is off. No receipt at all after repeated tries? The device is probably offline or in airplane mode. It's a classic side-channel attack—gleaning information from the timing and existence
Why Signal and WhatsApp? The Privacy Paradox
This hits a nerve because we hold these apps to a higher standard. Signal is the gold standard for private communication, with end-to-end encryption (E2EE) at its core. WhatsApp, used by billions, also boasts E2EE. We trust them because they promise our conversations are secure. But this attack has nothing to do with reading your messages. It bypasses the encryption entirely.
It targets the metadata and protocol mechanics—the scaffolding around the encrypted content. Who you talk to, when you're active, and now, your device's real-time status. This is the privacy paradox of modern secure messengers: they armor the letter inside the envelope but leave the postmark, the envelope size, and the delivery confirmation slip in plain sight. The PoC proves that even these minimal, operational signals can be weaponized for surveillance.
And it's not just theoretical. In the original r/netsec discussion, several users pointed out scary real-world parallels. One mentioned how similar timing attacks could theoretically map a person's sleep schedule or work patterns. Another raised the point about targeted harassment—knowing exactly when someone's device becomes active. The concern isn't about a single data point; it's about the persistent, invisible logging of presence over time.
The Technical Deep Dive: Probes, APIs, and Silent Pings
For the tech-savvy reader wondering about the nuts and bolts, let's get specific. The PoC likely leverages libraries like whatsapp-web.js or similar unofficial APIs that reverse-engineer the WhatsApp Web protocol. These tools allow automation by mimicking a web client. The attacker script would:
- Initialize a session using such an API.
- For a target phone number, craft a probe reaction to a deliberately invalid message ID (e.g., a random string formatted like a real message ID).
- Send the probe and start a high-resolution timer.
- Listen for the corresponding delivery receipt. The API session captures this receipt silently.
- Analyze the latency. Sub-100ms might indicate an active, foreground app. Several seconds suggests a background fetch or delayed sync. Timeout equals offline.
The genius—and the horror—is in its simplicity and reliability. It uses the app's own essential reliability features against it. The system is designed to confirm delivery; it can't easily distinguish between a confirmation for a real message and one for this malicious probe without breaking functionality for legitimate use cases. Patching this is non-trivial because it touches the core delivery assurance logic.
Beyond Theory: Real-World Implications and Risks
Okay, so someone can tell if my phone is on. Why should I care? This feels like a low-grade threat. But context is everything. In isolation, a single "device active" signal is meaningless. As part of a persistent monitoring campaign, it becomes powerful intelligence.
Imagine a stalker or abusive ex-partner building a log of your daily activity patterns without you ever knowing. They could learn when you wake up, when you go to sleep, when you're likely driving (phone offline), or when you're intently using your device. For journalists or activists in hostile regions, this pattern-of-life data could reveal safe-house routines or meeting times, compromising physical security.
In a corporate espionage scenario, an attacker might monitor the phone activity of a key executive. Sudden late-night activity could signal a crisis or a major deal in progress, giving competitors an edge. The original discussion also raised a point about denial-of-service (DoS) by battery drain. While the probes are tiny, a constant stream of them could theoretically prevent a phone from entering deep sleep, slowly killing its battery—a harassment tactic that's hard to trace.
This isn't about reading your texts. It's about painting a vivid behavioral portrait from the faintest of digital brushstrokes.
Building Your Own Detection: A Practical Guide
You're probably wondering: can I test if this is happening to me? Directly detecting a single probe is incredibly difficult because it leaves no local log. However, you can look for indirect signs and set up monitoring. This is where automation and data collection become crucial.
One approach is to monitor your network traffic. Tools like Wireshark on a computer, or a firewall app like NetGuard on a rooted Android, can show all connections your phone makes. You'd be looking for repeated, small, outbound packets to WhatsApp/Signal servers that don't correlate with your own sending activity. The problem? This generates massive logs and requires significant expertise to parse.
A more accessible method for developers is to use automation platforms to simulate the attack against your own number (in a controlled, ethical test) to understand the signature. For instance, you could use a platform like to run a scheduled script that mimics the probing behavior and logs the results, helping you characterize the network traffic pattern you'd need to watch for. Their infrastructure can handle the proxy rotation and headless browser sessions needed to interact with unofficial APIs reliably. If scripting isn't your forte, you can hire a freelance developer on Fiverr to set up a simple monitoring script for you.
Remember: testing this against anyone without their explicit permission is unethical and likely illegal. Use your own devices and numbers only.
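Added example, not part of the original article: one way to automate the network-monitoring idea above. It takes flow records of the kind a Wireshark or NetGuard export can be reduced to (timestamp, direction, size, destination) and flags small outbound packets to the messenger's servers that recur at a steady interval with none of your own sending activity nearby. The hostname, byte sizes, windows and the capture itself are constructed placeholders.

```python
"""Flag small, periodic outbound packets to a messenger server that do not
line up with the user's own sending activity (constructed sample data)."""
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since capture start
    outbound: bool  # True = phone -> server
    size: int       # payload bytes
    dst: str        # server hostname (constructed label)

MESSENGER_HOSTS = {"messenger.example"}  # placeholder for the app's servers
SMALL = 200             # bytes: a receipt is tiny compared with a real message
CORRELATION_WIN = 5.0   # seconds: outbound traffic this close to a user send is expected

def uncorrelated_small_outbound(flows, user_send_times):
    """Outbound small packets to messenger hosts with no user action nearby."""
    return [f for f in flows
            if f.outbound and f.size <= SMALL and f.dst in MESSENGER_HOSTS
            and not any(abs(f.ts - t) <= CORRELATION_WIN for t in user_send_times)]

def periodicity(timestamps, tolerance=0.2):
    """Median gap between events and the fraction of gaps within tolerance of it."""
    if len(timestamps) < 3:
        return None, 0.0
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    med = median(gaps)
    regular = sum(abs(g - med) <= tolerance * med for g in gaps) / len(gaps)
    return med, regular

def assess(flows, user_send_times, min_events=5, min_regularity=0.8):
    """Flag a capture when enough unexplained receipts recur at a steady interval."""
    sus = uncorrelated_small_outbound(sorted(flows, key=lambda f: f.ts), user_send_times)
    gap, reg = periodicity([f.ts for f in sus])
    return {"count": len(sus), "interval": gap, "regularity": reg,
            "flagged": len(sus) >= min_events and reg >= min_regularity}

# Constructed capture: the user sent two messages (t=12, t=47). Apart from those,
# a 60-byte outbound packet recurs roughly every 30 s with nothing to explain it.
USER_SENDS = [12.0, 47.0]
FLOWS = [Flow(12.3, True, 640, "messenger.example"), Flow(47.2, True, 512, "messenger.example"),
         Flow(70.0, True, 90, "cdn.example"), Flow(80.0, False, 1400, "messenger.example")]
FLOWS += [Flow(t, True, 60, "messenger.example") for t in (5.0, 35.1, 64.9, 95.2, 125.0, 155.1)]

if __name__ == "__main__":
    print(assess(FLOWS, USER_SENDS))
```

On a real capture, feed in the timestamps of messages you actually sent as `user_send_times`; anything the script keeps is traffic the app generated on its own.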
Defensive Measures: What Can You Actually Do?
So, how do you shut this down? The bad news is that as an end-user, your options are limited because the vulnerability is in the protocol design. The good news is there are mitigations.
1. Disable Delivery Receipts: This is the nuclear option. In WhatsApp: Settings > Privacy > turn off "Read Receipts" (note: this disables seeing receipts from others too). In Signal: Settings > Privacy > turn off "Read Receipts." This might affect delivery receipt behavior, but it's not guaranteed to stop the specific probe attack, as delivery confirmations are a lower-level protocol feature.
2. Use a Firewall: Advanced users can employ firewall apps (e.g., AFWall+ on rooted Android, or Little Snitch on macOS for linked desktop clients) to block WhatsApp/Signal connections entirely except when you're actively using the app. This is disruptive but effective.
3. Limit Background Data: On Android and iOS, you can restrict background data for these apps. This might delay or prevent the app from processing probes when it's not in the foreground, making your status appear as "offline" more often, but it will also delay real messages.
4. The Ultimate Mitigation: Be aware that online presence is a leak. Treat "being online" on any messaging app with the same discretion you'd treat your physical location. The most robust defense is behavioral: understanding that even your "idle" state is a piece of data.
Common Misconceptions and FAQs
Let's clear up some confusion from the original discussion and beyond.
Q: Does this let someone read my messages?
A: No. Not at all. This is a metadata/side-channel attack. The encryption remains intact.
Q: Is Signal just as vulnerable as WhatsApp?
A: The PoC demonstrated the technique on WhatsApp, but the underlying principle applies to any messaging app that uses asynchronous delivery confirmations, including Signal. The specific implementation and latency thresholds may differ.
Q: Can the app developers fix this?
A: They can make it harder. They could rate-limit receipts, add randomness (jitter) to response times, or require more validation before sending a receipt. But completely eliminating the side-channel without breaking reliable message delivery is a huge challenge. It's a design-level trade-off.
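Added example, not from the paper or the apps themselves: a toy model of the jitter mitigation mentioned in this answer, using the article's sub-100 ms rule of thumb as the observer's decision rule. The baseline round-trip times per device state and the uniform jitter distribution are constructed assumptions; the point is to see both the privacy gain and the latency cost of the same knob.

```python
"""Simulate how a receipt-delay jitter policy blunts the timing inference the
article describes, and what it costs in latency (constructed model, not real app logic)."""
import random

# Constructed baseline receipt round-trip times (seconds) for two device states.
STATE_RTT = {"foreground": 0.05, "background": 3.0}
THRESHOLD = 0.1   # the article's rule of thumb: under 100 ms means an active, foreground app

def jittered_receipt_rtt(base_rtt, max_jitter, rng):
    """Mitigation under test: the receiving client holds each receipt for a random
    0..max_jitter seconds before sending it. Receipts can only arrive later, never earlier."""
    return base_rtt + rng.uniform(0.0, max_jitter)

def infer_state(rtt):
    """Observer's fixed decision rule from the article."""
    return "foreground" if rtt < THRESHOLD else "background"

def simulate(max_jitter, trials=2000, seed=7):
    """Run alternating foreground/background probes through the jitter policy.
    Returns the observer's accuracy with the fixed rule and the mean extra delay
    every legitimate receipt now pays."""
    rng = random.Random(seed)
    correct, extra = 0, 0.0
    for i in range(trials):
        true_state = "foreground" if i % 2 == 0 else "background"
        rtt = jittered_receipt_rtt(STATE_RTT[true_state], max_jitter, rng)
        correct += infer_state(rtt) == true_state
        extra += rtt - STATE_RTT[true_state]
    return {"accuracy": correct / trials, "mean_extra_delay": extra / trials}

# Caveat: bounded jitter only defeats a fixed threshold. A foreground receipt
# delayed by less than 2.95 s is still faster than any background receipt, so an
# observer who recalibrates keeps partial signal; larger jitter closes that gap
# but delays every real receipt by max_jitter/2 on average. That is the trade-off.

if __name__ == "__main__":
    for j in (0.0, 0.5, 5.0):
        print(j, simulate(j))
```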
Q: Do I need to be in the attacker's contacts?
A: For WhatsApp, likely yes, as you can't normally message unknown numbers. For Signal, where you can message anyone, the barrier is lower. This makes the attack more plausible against public figures or anyone whose number is known.
Q: Is this being used in the wild?
A: There's no public evidence of widespread exploitation yet. But the PoC's publication in 2024 means the technique is now in the wild. It's a tool in the toolbox, and we must assume sophisticated actors could be using it.
The Bigger Picture: A Call for Protocol-Level Privacy
The "Careless Whisper" PoC is a wake-up call, not an apocalypse. It highlights a critical, often overlooked frontier in digital privacy: protocol metadata. We've spent years fortifying data encryption, but we've left the operational signals of our software exposed.
For developers and companies like Meta and Signal Foundation, the challenge is to innovate privacy beyond the message body. Can delivery assurances be designed without revealing precise timing? Can we have reliable messaging that doesn't also broadcast device state? Research into private messaging systems with minimal metadata, like the Signal Protocol's Sealed Sender, is a step in the right direction, but this PoC shows the road is long.
For you, the user, the takeaway is about informed vigilance. Understand that privacy is a spectrum and a constant trade-off. Using Signal over SMS is a massive win. But no tool is a magic shield. Stay curious, read the research, adjust your settings, and most importantly, advocate for better design. The conversation on r/netsec wasn't just about a cool hack—it was a community sounding the alarm on a subtle but significant threat. In 2025, that conversation needs to move from security forums to the mainstream, pushing for a future where our apps don't whisper about us, even carelessly.