Comment by onionisafruit
2 years ago
I should have been more specific. Although they could use IP geolocation, they can also get data from the cell carrier that delivered the notification to that IP address.
So a gov finds that IP address 7.8.9.0 received one of these notifications at 12:34. They then see that 7.8.9.0 is one of ATT’s addresses. They go to ATT and learn that address was used by their customer onionisafruit at 12:34 and the device was 5ms away from tower A.
That's hardly necessary. I think the attack goes like this:
You have captured the device of some group member, and you want to investigate his associates, but you don't know who they are. So you ask Google and Apple: Make a list of all of the devices that have received a push notification sent by <list of messaging apps> where those devices have received at least 200 notifications within 50ms of a notification received by this device. (You will have to make Google or Apple share the list with the target timings with the other)
That will give you a list of everyone who is in a group chat with your target, regardless of whether or not the messages were deleted or encrypted. Now you tell Apple/Google to give all the data on those accounts. You will probably find enough in their Gmail/location history/browsing history to identify nearly all associated people without ever bothering to look at IP addresses.
This also works if you get into a chat with your target. You send some messages and then have Google/Apple identify their device via timing, then identify all their associates.
Notifications aren't sent to IP addresses, so none of this matters.
Of course they are, how else would they be sent?