Silent Monitoring of Communications Application Users' Behavior and Its Significance for Critical Infrastructure Protection
In December 2025, a practical demonstration of a vulnerability in the communications applications WhatsApp and Signal was published. The vulnerability enables silent monitoring of a user's behaviour based exclusively on knowledge of that user's phone number.
This does not involve breaking encryption or compromising accounts. It concerns the exploitation of characteristics of these applications' delivery mechanisms, which allow indirect analysis of user behaviour without their knowledge.
The vulnerability stems from the way the applications confirm receipt of network packets. Receipt confirmation is sent before the application verifies whether a message, or the message a reaction refers to, actually exists. In practice, this means that an attacker can send special reactions to non-existent messages, and the target device responds with a confirmation while no notification or trace is displayed to the user in the user interface.
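The ordering problem described above can be shown with a toy receiver model. This is an added example, not code from WhatsApp, Signal or the published research; the `Reaction` type, the sender names, the message ids and the `alert_after` threshold are all constructed assumptions. It compares the receipt-before-lookup order with a lookup-before-receipt order and flags senders that repeatedly reference unknown messages.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Reaction:
    sender: str     # constructed sender id
    target_id: str  # id of the message the reaction claims to refer to


def handle(reaction, known_ids, validate_first):
    """Return (receipt_sent, shown_to_user) for one incoming reaction."""
    exists = reaction.target_id in known_ids
    if validate_first:
        # Hardened order: look the target up first; a reaction to an
        # unknown message is dropped and produces no receipt to time.
        return (exists, exists)
    # Order described in the text: the receipt leaves before the lookup,
    # so even a reaction to a non-existent message is confirmed.
    return (True, exists)


def audit(stream, known_ids, validate_first, alert_after=3):
    """Count silent receipts per sender and flag repeated unknown targets."""
    silent = Counter()   # receipts sent although nothing reached the UI
    unknown = Counter()  # reactions that referenced a non-existent message
    for r in stream:
        receipt, shown = handle(r, known_ids, validate_first)
        if receipt and not shown:
            silent[r.sender] += 1
        if r.target_id not in known_ids:
            unknown[r.sender] += 1
    flagged = sorted(s for s, n in unknown.items() if n >= alert_after)
    return dict(silent), flagged


# Constructed sample input: two genuine reactions and five to bogus ids.
KNOWN = {"m1", "m2"}
STREAM = [Reaction("contact-a", "m1"), Reaction("contact-a", "m2")]
STREAM += [Reaction("unknown-x", f"bogus-{i}") for i in range(5)]

if __name__ == "__main__":
    print("receipt first:", audit(STREAM, KNOWN, validate_first=False))
    print("lookup first: ", audit(STREAM, KNOWN, validate_first=True))
```

With the lookup performed first, the silent receipts disappear, while the counter of unknown targets still gives the receiving side a signal it can log.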
By measuring the response time between sending a request and receiving confirmation, it is possible to monitor changes in device behaviour over the long term. These time characteristics differ significantly depending on whether the device is active or in standby mode, whether it is connected via Wi-Fi or mobile network, or whether the user is moving. Systematic measurement makes it possible to determine, with a high degree of probability, periods of activity, inactivity, sleep, movement, or complete device shutdown.
From a practical perspective, this is a form of behavioural profiling. It does not allow reading communication content, but it enables reconstruction of daily routines, habits, and availability of a specific person. Combined with high probing frequency, this mechanism also has secondary consequences in the form of increased battery consumption and mobile data usage, which can lead to reduced device availability in critical situations without the user immediately noticing.
From the perspective of critical infrastructure protection, it is important to emphasize that the threat does not concern the technical systems of the applications themselves, but the persons who design, operate, and manage critical infrastructure. Operational personnel of energy networks, transport, water management, telecommunications, healthcare, public administration, and defence represent legitimate targets of intelligence and hybrid activities.
Position of AKI
The Critical Infrastructure Association of the Slovak Republic considers the findings concerning silent behavioural monitoring of communications application users to be relevant from the perspective of critical infrastructure protection and its personnel. AKI SR warns that leaks of metadata and temporal characteristics of communication can have significant intelligence value, even in cases where the communication content itself is strongly encrypted.
Mass-used communications applications represent a technological and operational dependency that must be taken into account when assessing risks according to the NIS2 directive and related regulatory frameworks. Critical infrastructure protection cannot be limited exclusively to technical systems, but must also include protection of the availability, behaviour, and routines of key personnel.
AKI SR recommends that critical infrastructure operators take these types of threats into account within risk analyses, mobile device usage policies, and assessments of digital dependencies.






