Silent Monitoring of Communications Application Users' Behavior and Its Significance for Critical Infrastructure Protection

19 December 2025

In December 2025, a practical demonstration of a vulnerability in the communications applications WhatsApp and Signal was published. It enables silent monitoring of user behaviour based exclusively on knowledge of the user's phone number.

This does not involve breaking encryption or compromising accounts. It concerns the exploitation of characteristics of these applications' delivery mechanisms, which allow indirect analysis of user behaviour without their knowledge.

The vulnerability stems from the way the applications confirm receipt of network packets. The receipt confirmation is sent before the application verifies whether the message, or the message a reaction refers to, actually exists. In practice, this means that an attacker can send special reactions to non-existent messages, and the target device responds without any notification or trace being displayed to the user in the user interface.

By measuring the time between sending a request and receiving the confirmation, it is possible to monitor changes in device behaviour over the long term. These timing characteristics differ significantly depending on whether the device is active or in standby mode, whether it is connected via Wi-Fi or a mobile network, and whether the user is moving. With systematic measurement, periods of activity, inactivity, sleep, movement, or complete device shutdown can be determined with a high degree of probability.

From a practical perspective, this is a form of behavioural profiling. It does not allow reading communication content, but it enables reconstruction of daily routines, habits, and availability of a specific person. Combined with high probing frequency, this mechanism also has secondary consequences in the form of increased battery consumption and mobile data usage, which can lead to reduced device availability in critical situations without the user immediately noticing.
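The ordering problem described above can be modelled from the receiving side. The following is an added sketch, not code from WhatsApp, Signal or the published research: the class, its method names, the per-sender receipt budget and the sample events are all assumptions chosen for illustration. It compares a handler that acknowledges before validating with one that validates first and caps receipts per sender.

```python
from collections import defaultdict, deque


class InboundHandler:
    """Toy model of a messaging client's inbound path (hypothetical names)."""

    def __init__(self, known_ids, max_receipts=5, window_s=60.0):
        self.known_ids = set(known_ids)   # messages that exist on this device
        self.max_receipts = max_receipts  # assumed per-sender receipt budget
        self.window_s = window_s          # assumed budget window, seconds
        self._sent = defaultdict(deque)   # sender -> times of receipts sent

    def flawed(self, sender, target_id, now):
        # Ordering the article describes: acknowledge first, validate after.
        receipt_sent = True
        shown = target_id in self.known_ids
        return receipt_sent, shown

    def hardened(self, sender, target_id, now):
        # Validate first: a reaction to a non-existent message gets no receipt.
        if target_id not in self.known_ids:
            return False, False
        recent = self._sent[sender]
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()              # forget receipts outside the window
        if len(recent) >= self.max_receipts:
            return False, True            # reaction shown, receipt withheld
        recent.append(now)
        return True, True


def count_receipts(handle, probes):
    """Return (silent, total): silent = receipt sent with nothing shown."""
    silent = total = 0
    for sender, target_id, now in probes:
        receipt_sent, shown = handle(sender, target_id, now)
        total += receipt_sent
        silent += receipt_sent and not shown
    return silent, total


# Constructed input: one sender, one event per second for 30 seconds.
SENDER = "sender-constructed"
GHOST = [(SENDER, f"no-such-msg-{i}", float(i)) for i in range(30)]
REAL = [(SENDER, "msg-1", float(i)) for i in range(30)]

if __name__ == "__main__":
    h = InboundHandler(known_ids={"msg-1"})
    print(count_receipts(h.flawed, GHOST), count_receipts(h.hardened, GHOST),
          count_receipts(h.hardened, REAL))
```

In this model the flawed ordering returns one silent receipt per event, while the hardened ordering returns none for non-existent targets and at most the budgeted number for real ones, each of which is visible to the user.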

From the perspective of critical infrastructure protection, it is important to emphasize that the threat does not concern the technical systems of the applications themselves, but the persons who design, operate, and manage critical infrastructure. Operational personnel of energy networks, transport, water management, telecommunications, healthcare, public administration, and defence represent legitimate targets of intelligence and hybrid activities.

Position of AKI

The Critical Infrastructure Association of the Slovak Republic considers the findings concerning silent behavioural monitoring of communications application users to be relevant from the perspective of critical infrastructure protection and its personnel. AKI SR warns that leaks of metadata and temporal characteristics of communication can have significant intelligence value, even in cases where the communication content itself is strongly encrypted.

Mass-used communications applications represent a technological and operational dependency that must be taken into account when assessing risks according to the NIS2 directive and related regulatory frameworks. Critical infrastructure protection cannot be limited exclusively to technical systems, but must also include protection of the availability, behaviour, and routines of key personnel.

AKI SR recommends that critical infrastructure operators take these types of threats into account within risk analyses, mobile device usage policies, and assessments of digital dependencies.
