Short Message Service (SMS) remains one of the most popular communication channels since its introduction in 2G cellular networks. In this paper, we demonstrate that merely receiving silent SMS messages regularly opens a stealthy side-channel that allows other regular network users to infer the whereabouts of the SMS recipient. The core idea is that receiving an SMS inevitably generates Delivery Reports whose reception bestows a timing attack vector at the sender. We conducted experiments across various countries, operators, and devices to show that an attacker can deduce the location of an SMS recipient by analyzing timing measurements from typical receiver locations. Our results show that, after training an ML model, the SMS sender can accurately determine multiple locations of the recipient. For example, our model achieves up to 96% accuracy for locations across different countries, and 86% for two locations within Belgium. Due to the way cellular networks are designed, it is difficult to prevent Delivery Reports from being returned to the originator making it challenging to thwart this covert attack without making fundamental changes to the network architecture.

翻译：短消息服务（SMS）自2G蜂窝网络引入以来，一直是使用最广泛的通信渠道之一。本文证明，仅需定期接收静默短信即可开启一个隐蔽的侧信道，使得其他普通网络用户能够推断出SMS接收者的所在位置。其核心思想在于，接收SMS必然会生成投递报告，而发送方通过接收这些报告便能获得一个定时攻击向量。我们在多个国家、运营商和设备上进行了实验，表明攻击者可以通过分析来自典型接收位置的时序测量数据来推断SMS接收者的位置。结果表明，在训练机器学习模型后，短信发送方可准确确定接收者的多个位置。例如，对于不同国家的位置，我们的模型准确率高达96%；对于比利时境内的两个位置，准确率达到86%。由于蜂窝网络的固有设计机制，很难阻止投递报告返回给发起方，这使得在不从根本上更改网络架构的情况下挫败这一隐蔽攻击变得极具挑战性。