All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers
From https://encrypto.de/papers/HWSDS21.pdf
Abstract— Contact discovery allows users of mobile messengers to conveniently connect with people in their address book. In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods. Our study of three popular mobile messengers (WhatsApp, Signal, and Telegram) shows that, contrary to expectations, large-scale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we have queried 10 % of US mobile phone numbers for WhatsApp and 100 % for Signal. For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service. We present interesting (cross-messenger) usage statistics, which also reveal that very few users change the default privacy settings. Regarding mitigations, we propose novel techniques to significantly limit the feasibility of our crawling attacks, especially a new incremental contact discovery scheme that strictly improves over Signal's current approach. Furthermore, we show that currently deployed hashing-based contact discovery protocols are severely broken by comparing three methods for efficient hash reversal of mobile phone numbers. For this, we also propose a significantly improved rainbow table construction for non-uniformly distributed inputs that is of independent interest.
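The abstract's claim that hashing-based contact discovery is "severely broken" rests on a simple observation: the space of valid mobile phone numbers is tiny compared to the output space of any hash function, so a server (or anyone holding the uploaded digests) can enumerate every candidate number and compare. The following Python snippet is an added illustration of that risk calculation and is not code from the paper or from any messenger; it models the protocol as SHA-256 over the digit string, uses a constructed three-prefix "database" in place of the paper's accurate prefix list, and assumes a hypothetical 6-digit prefix plus 4-digit suffix split of a 10-digit US number.

```python
import hashlib
import itertools
import math

# Constructed prefix database: three hypothetical 6-digit US mobile prefixes
# (area code + exchange). The paper uses an accurate real-world database; these
# are placeholders so the demonstration runs offline in a fraction of a second.
CONSTRUCTED_PREFIXES = ["201555", "212555", "415555"]
SUFFIX_DIGITS = 4  # remaining digits of a 10-digit US number (assumed split)


def search_space(prefixes, suffix_digits=SUFFIX_DIGITS):
    """Number of candidate phone numbers implied by a prefix database."""
    return len(prefixes) * 10 ** suffix_digits


def entropy_bits(prefixes, suffix_digits=SUFFIX_DIGITS):
    """Uncertainty (in bits) an attacker faces if numbers are uniform over the space.
    Compare with the 256 bits of a SHA-256 digest: hashing adds no secrecy."""
    return math.log2(search_space(prefixes, suffix_digits))


def seconds_to_enumerate(prefixes, hashes_per_second, suffix_digits=SUFFIX_DIGITS):
    """Worst-case time to hash every candidate once at a given hash rate."""
    return search_space(prefixes, suffix_digits) / hashes_per_second


def hash_number(number, salt=b""):
    """Model of hashing-based contact discovery: the client uploads H(number).
    A salt is optional because, in this protocol, the server must know it too."""
    return hashlib.sha256(salt + number.encode()).hexdigest()


def reverse_hash(digest, prefixes, salt=b"", suffix_digits=SUFFIX_DIGITS):
    """Recover the number behind an uploaded digest by exhaustive enumeration of
    the prefix space. Returns None when the digest is outside the modelled space."""
    for prefix in prefixes:
        for suffix in itertools.product("0123456789", repeat=suffix_digits):
            candidate = prefix + "".join(suffix)
            if hash_number(candidate, salt) == digest:
                return candidate
    return None


if __name__ == "__main__":
    print("candidates:", search_space(CONSTRUCTED_PREFIXES))
    print("entropy (bits): %.2f" % entropy_bits(CONSTRUCTED_PREFIXES))
    # 1e9 hashes/s is an assumed rate for a single modern GPU, not a measured value.
    print("seconds at 1e9 H/s: %.6f" % seconds_to_enumerate(CONSTRUCTED_PREFIXES, 1e9))
    uploaded = hash_number("4155551234")  # constructed sample number
    print("recovered:", reverse_hash(uploaded, CONSTRUCTED_PREFIXES))
```

The numbers are the whole argument: even without a prefix database, all 10-digit strings amount to about 33 bits, and an accurate prefix list (as the paper uses) shrinks the space far below that, so no choice of hash function changes the outcome. A server-known salt does not help either, since the party doing the comparison is the one the design is supposed to protect against; this is why the paper turns to rate-limiting-style mitigations such as incremental contact discovery rather than to a better hash.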