Finding the Location of Telegram Users

Security researcher Ahmed Hassan has shown that spoofing the Android’s “People Nearby” feature allows him to pinpoint the physical location of Telegram users:

Using readily available software and a rooted Android device, he’s able to spoof the location his device reports to Telegram servers. By using just three different locations and measuring the corresponding distance reported by People Nearby, he is able to pinpoint a user’s precise location.

[…]

A proof-of-concept video the researcher sent to Telegram showed how he could discern the address of a People Nearby user when he used a free GPS spoofing app to make his phone report just three different locations. He then drew a circle around each of the three locations with a radius of the distance reported by Telegram. The user’s precise location was where all three intersected.

[…]

Fixing the problem—or at least making it much harder to exploit it—wouldn’t be hard from a technical perspective. Rounding locations to the nearest mile and adding some random bits generally suffices. When the Tinder app had a similar disclosure vulnerability, developers used this kind of technique to fix it.

Tags: , , ,

Posted on January 14, 2021 at 6:08 AM17 Comments

Comments

Peter A. January 14, 2021 7:32 AM

How accurate is the app’s distance report? And what’s the actual use of ‘your wife is 1.2345 miles away’? Oh, wait, the latter could be useful SOMETIMES…

cowsay January 14, 2021 7:48 AM

So, if I enable the Telegram “People Nearby” feature which will let to find my location, my location can be found. Wow. Okay.

But, why should I do that, what if I don’t?

“Security researcher” , “proof-of-concept” nice keywords but this is bullshit.

Boris January 14, 2021 9:28 AM

The only question is the purpose of the feature “People Nearby” is to quick contact exchange between people “in the same room”, and requires the user manually enable sharing his location.

So is it strange the person who want to be found can be found?

Here is the quote from Telegram feature announcement:
People Nearby 2.0
Last June, we added People Nearby for exchanging contact info face-to-face. With this update, People Nearby 2.0 can help you meet new friends, or arrange a last-minute date for Valentine’s Day.

Head over to Contacts > People Nearby to see adventurous Telegram users in the area. Tap Make Myself Visible to join them and display your profile to others around you. They will be able to find you and send you messages – even if you navigate away from the page or close the app.

If you decide you’re no longer in the mood for adventure, tap Stop Showing Me to re-engage your cloaking device.

https://telegram.org/blog/new-profiles-people-nearby#people-nearby-2-0

Clive Robinson January 14, 2021 9:43 AM

@ ALL,

From the article,

“He then drew a circle around each of the three locations with a radius of the distance reported by Telegram. The user’s precise location was where all three intersected.”

I actually doubt that.

Tracking by GPS from phones is known to have quite a few problems for a number of reasons.

However the mobile phone companies don’t talk about it nor do those who present location claims in court.

As others have found from the likes of mobile phone location data of cars etc for traffic census data, there are one heck of a lot of drivers not just out of theor lane, or up on the pavment but driving through buildings a hundred meters or more from the road to one side then they jump through buildings to other places.

Lets just say that the GPS location might be within a tenth of a mile unless it’s been stationary for some time and has a clear view of the sky out to +/- 70 degrees of verticle.

When doing the likes of surveys not only are the GPS receivers of a considerably higher quality, the measurments are averaged in a complex way based not just on the number of readings but from which satellites and where they were in their orbit. And that average is taken over as long a time period as possible.

TimH January 14, 2021 9:59 AM

Have just deleted Whatatsapp, installed Telegram and Signal since people I know use those. Given Signal access to contacts, but not Telegram. Maybe just paranoid…

Clive Robinson January 14, 2021 10:05 AM

@ TimH,

Given Signal access to contacts, but not Telegram. Maybe just paranoid…

Or not paranoid enough…

Jordan Brown January 14, 2021 11:44 AM

@Peter Hillier: No, it’s not triangulation. Triangulation relies on finding the bearing to the target. It’s a variation on hyperbolic navigation, where you have the range to the target, but not the bearing. (It’s hyperbolic navigation with synchronized clocks.)

Who? January 14, 2021 12:11 PM

@ Clive Robinson

GPS location is not required. Google has a detailed and mostly up to date list of access points that includes geolocation data thanks to its “street view” cars.

David Leppik January 14, 2021 1:06 PM

And this is why Android and iOS both have separate permissions for precise location and imprecise locations.

Unfortunately under Android, precise location permission is required to use Bluetooth, since Bluetooth beacons can be used to determine a user’s location.

FA January 14, 2021 2:46 PM

@Peter Hillier, @Jordan Brown,

It’s neither triangulation (which is based on directions) nor hyperbolic navigation (which is based on knowing the difference of the distances to known points).

In this case we have the distances directly, and plotting three circles gives a fix. Navigation by stars is similar. Given the time, you know at which point on earth a star is directly overhead. By measuring its elevation, you know your distance to that point.

David Rudling January 14, 2021 5:26 PM

@TimH

Maybe just paranoid…

As the old saying goes – just because you’re paranoid doesn’t mean they’re not out to get you.

Goat January 15, 2021 7:09 AM

@David, Clive, TimH, All

“Paranoia is an instinct or thought process which is believed to be heavily influenced by anxiety or fear, often to the point of delusion and irrationality.”

Though meaning of paranoia seems to be changing over time(it’s not unusual for words to change their meaning).

When we talk about digital rights our fear is not akin to the fear in paranoia(the dictionary one atleast) but rather far-sightedness to the implications of technology. It’s more like when something stupid is happening some laugh while others look to it sadly, knowing the implications. Eg.I have seen people rejoice on an aggresive fight between two people while I sit seriously wanting it to stop(or act if apt)

Clive Robinson January 15, 2021 9:25 AM

@ Goat, David, TimH, ALL,

The dictionary definition of paranoia rather depends on which dictionary you look in.

However you often find it’s claimed to be a “fear” that is “unreasond” or “irrational” or “Delusional”.

The point most people do not get is that those three words are “Perspective” words. What you regard as unreasoned I might not, this might just because I’ve better sources of information, or wider experience or even highly focused more relevant experience.

I hate to say it but the removal of certain voices from what most thought of as public communications networks was very predictable and you could see it comming months if not years ago[1].

The reason most are uptight about it is it’s their own perspective that was entirely wrong.

So it’s entirely possible for the adult half of an entire nation to be unreasoned, thus delusional and for some to behave irrationaly.

Does that mean the US is as a population paranoid?

No not quite there is the “fear” element to consider. Defining fear is difficult and you need to go to specialised medical dictionaries to see just what fear can encompass.

In essence it is a deliterious effect on the chemical status of the brain caused by a persons ability to look forward in time and perceive consequences of the actions they currently see around them.

The important point is “deleterious” two people can view the same causes entirely differently one as a threat of some kind another as an opportunity. The real difference is the neurological status that causes the chemical changes.

The problem with this is it is entirely possible to see the cause and effects and understand them and respond to them by action. Thus people will assume you are scared or in fear and say you are paranoid.

Well they can and actually are quite frequently wrong. If you can risk manage which is something few can actually do. Your actions are not taken in fear but in mitigation of risk.

The problem then moves to the depth of mitigation. As I keep pointing out there is the “Defence Spending” problem and risk managment is actually nearly all about defence. The problem is you never know if you’ve spent to much or even just enough, in fact most of the time you do not know if you’ve been spending way to little. You actually only find out when somebody decides for some reason to attack you.

So if you effectively spend more on defence than someone else they might think you are being paranoid, actually you might also be spending to little. Eventually one of you is going to get attacked before the other, such is the nature of probability. Depending on who gets attacked then one may laugh at the other… However that would be silly, both should reappraise their defence spending because there is a reasonable chance that the perception of the enemy has changed, thus so should spending priorities.

Thus the same applies to risk managment and back up the tree. Whilst there are some genuine cases of paranoia they are actually quite rare. In most cases when paranoia is called the real problem is in the head not of the person it’s directed at but in the head of the person calling it. So every time you think somebody is paranoid check your knowledge, understanding and thus petspectives are not at fault…

As for the US population, well a lot of them are in fear of the future, but it’s still not paranoia as such. Take a look at the social changes this century in the US and if you are not living in some fear of loosing your job or your life currently, I would suggest you might want to check your point of view…

[1] The problem is §230 of the Communications Decency Act. The perception is it means that there is no moderation required. That is it appears to most that it confers “common carrier” status onto web sites. When in fact it actually does no such thing. It explicitly says that it does not change the status of federal law… So when what looks like activities prohibited by federal law was brought to the site owners attention they actually had no choice but to flick the off switch. Otherwise you can be assured that the site owners would be quite happy not just for the activities to continue but to actually stir them up even more because that’s what brings the revenue through the door.

Goat January 15, 2021 9:50 AM

@Clive what concerns me most with the word paranoia is that it has become a cool thing to say. People call them paranoid(jokingly) while others stay away from their ideas thinking of them as paranoid.

Re:In most cases when paranoia is called the real problem is in the head not of the person it’s directed at but in the head of the person calling it.

Here infact the person calling it is often the person himself

Paranoia seems like a great entry for gnu words to avoid 😉

Winter January 15, 2021 11:52 AM

@Clive
“Paranoid”

There is Paranoid Schizophrenia, which is characterized by hallucinations (e.g., voices) and delusions. These hallucinations and delusions are generally quite pronounced. See “A beautiful mind”.

Paranoid can also be a symptom of psychosis. Again, a psychosis is not something that is very ambiguous or difficult to decide.

You are not paranoid when you think your neighbor throws trash in your garden. Your are paranoid when you think Arnold Schwarzenegger is forcing him to poison your tapwater.

In that sense, conspiracy theories come close. If you think the whole world conspires for centuries to convince you the world is round where it is actually flat, or 5G is designed to kill half of humanity, then we can start to question where we should put the boundary

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.