Short Message Service (SMS) has remained one of the most popular communication channels since its introduction in 2G cellular networks. In this paper, we demonstrate that merely receiving silent SMS messages regularly opens a stealthy side-channel that allows other regular network users to infer the whereabouts of the SMS recipient. The core idea is that receiving an SMS inevitably generates Delivery Reports, whose reception gives the sender a timing attack vector. We conducted experiments across various countries, operators, and devices to show that an attacker can deduce the location of an SMS recipient by analyzing timing measurements from typical receiver locations. Our results show that, after training an ML model, the SMS sender can accurately determine multiple locations of the recipient. For example, our model achieves up to 96% accuracy for locations across different countries, and 86% for two locations within Belgium. Due to the way cellular networks are designed, it is difficult to prevent Delivery Reports from being returned to the originator, making it challenging to thwart this covert attack without making fundamental changes to the network architecture.