How Side-Channel Analysis Exposes User Metadata in E2EE Messengers

TLDR: Researchers at DEF CON 2025 demonstrated that multi-device synchronization in WhatsApp and Signal creates exploitable side-channels that leak user online status and device information. By manipulating delivery receipts and prekey management, an attacker can track a target's daily routine or perform resource exhaustion attacks. These findings highlight that even hardened, end-to-end encrypted protocols remain vulnerable to metadata leakage when implemented across multiple companion devices.

End-to-end encryption is often treated as a silver bullet for privacy, but the complexity of modern multi-device support introduces significant attack surfaces that are frequently overlooked. When a user links a desktop client or a web browser to their primary mobile device, the underlying protocol must synchronize keys and state across these endpoints. This synchronization process is not just a functional requirement; it is a metadata goldmine. The recent research presented at DEF CON 2025 on "Silent Signals" proves that these synchronization mechanisms create predictable side-channels that allow an attacker to monitor a target's activity with high precision.

The Mechanics of the Side-Channel

The core of this research lies in how messengers handle delivery receipts and prekey bundles. In a multi-device setup, each device maintains its own set of encryption keys. When a message is sent, the client must perform a "client fanout," encrypting the message individually for every registered device of the recipient. This architecture is necessary for security, but it creates a distinct timing signature.

By observing the latency of delivery receipts, an attacker can determine the state of a target's device. The researchers found that the round-trip time (RTT) for these receipts varies significantly depending on whether the target device is in standby mode, active, or if the messaging application is currently in the foreground.

To exploit this, an attacker can use tools like whatsmeow or signal-cli to send "silent" messages—specifically, reactions or edited messages that do not trigger a visible notification on the target's screen but still generate a delivery receipt at the protocol level. By repeatedly probing the target, an attacker can build a high-resolution timeline of when a user is active, which device they are using, and even their approximate physical location based on network connectivity patterns.

Prekey Depletion and Denial of Service

Beyond simple tracking, the researchers identified a more aggressive attack vector targeting the prekey management system. WhatsApp uses a bundle of keys—Identity Key, Signed Prekey, and One-Time Prekey—to establish new conversations and ensure Perfect Forward Secrecy.

The vulnerability exists because the server must synchronize these prekey requests. If an attacker floods the server with requests for a specific target's one-time prekeys, they can force the target's device to constantly generate and upload new bundles. If the attacker is fast enough, they can deplete the available prekeys on the server entirely.

When the server runs out of prekeys for a target, it returns a 503 Service Unavailable error to any legitimate user attempting to initiate a conversation with that target. This effectively silences the victim. The attacker remains invisible because they are interacting solely with the server, not the victim's device. This is a classic Denial of Service attack that requires no interaction from the victim and leaves no trace in the victim's chat history.

Practical Implications for Pentesters

For those conducting red team engagements or bug bounty research, this technique is highly effective for reconnaissance. If you are tasked with identifying the specific hardware or software environment of a target, you no longer need to rely on social engineering or malware. By analyzing the RTT patterns of delivery receipts, you can fingerprint whether the target is using an iPhone, an Android device, or a specific desktop browser.

During an assessment, you can use these side-channels to map out a target's "availability window." If you are planning a more complex exploit chain that requires the target to be online or to have a specific device unlocked, this metadata allows you to time your actions perfectly. The impact is not just theoretical; it is a direct violation of the privacy guarantees that users expect from E2EE platforms.

Mitigating the Metadata Leak

Defending against these attacks is difficult because they exploit the fundamental design of multi-device synchronization. However, the researchers suggest that platforms could significantly reduce the risk by implementing stricter rate-limiting on prekey requests and randomizing the timing of delivery receipts.

For developers and security architects, the primary takeaway is that client-side message validation is more critical than ever. Since the server cannot inspect the content of E2EE messages, it cannot easily distinguish between a legitimate reaction and a malicious, malformed message designed to trigger a side-channel. Implementing robust, client-side checks to ignore or rate-limit suspicious message types is a necessary step to harden these protocols against metadata-based attacks.

Privacy is not just about the content of the message; it is about the patterns of communication. As we continue to push for more interconnected devices, we must ensure that the protocols governing these connections do not inadvertently turn our privacy tools into tracking devices. If you are working with messaging protocols, start by auditing how your application handles multi-device state and whether your receipt logic is leaking information about the underlying device state. The next time you see a double blue checkmark, remember that it might be telling you more than just whether the message was read.