When Calls and Messages Move to the Internet: What Breaks Along the Way

In modern cellular networks, communication with the operator (i.e., calls and messages) no longer depends exclusively on the radio interface. Increasingly, these services are carried over the Internet. At the same time, traditional SMS and voice are steadily losing ground to instant messengers such as WhatsApp and Signal, which have become the dominant channels for everyday communication.

On the surface, this transition looks like a clear win: it allows operators to offload traffic, users to place calls even in poor coverage areas, and platforms to provide richer features than the limited SMS standard ever could. But as my recent research has shown, the migration of core communication services onto Internet-based infrastructure also introduces new, Internet-scale risks. Over the past two years, I have explored these risks in three papers, focusing respectively on Voice-over-Wi-Fi (VoWiFi), silent metadata channels in messengers, and the cryptographic logistics of WhatsApp's end-to-end encryption. Together, these case studies illustrate how fragile the foundations of modern communication can be when legacy assumptions meet the Internet.

Study 1: Weak Keys in Voice-over-Wi-Fi [1]

Voice-over-Wi-Fi is marketed as a seamless extension of mobile voice calling. When cellular coverage is poor, your phone automatically sets up an IPsec tunnel over the Internet, carrying call traffic back into the operator's core network. From the user's perspective, it is the same phone call—just more reliable indoors. From a security perspective, however, the picture is very different.

In my first study, I examined how this tunnel is established in practice. What I discovered was troubling: thirteen operators across three continents had deployed the exact same private keys on their Internet-facing gateways. These keys, provisioned by a single vendor, were reused across networks serving around 140 million subscribers. In cryptographic terms, this is catastrophic. If one key leaks (or is deliberately reused by design) the confidentiality of calls across all those operators is at risk.

Compounding the problem, some devices were configured to fall back to weaker, undocumented IKE settings during key exchange. In other words, the protocol negotiation that should establish a secure channel could instead be coerced into a weaker mode. Taken together, these findings demonstrate that VoWiFi is only as strong as its weakest configuration—and that weak defaults and key reuse can quietly compromise millions of users.

Study 2: Silent Delivery Receipts in Messengers [2]

While operators are moving calls onto IP, messaging has already shifted almost entirely into the app ecosystem. WhatsApp, Signal, and other platforms have replaced SMS as the default medium for text-based communication. Their promise of end-to-end encryption has rightly raised the bar for privacy, but encryption only protects message contents. The surrounding metadata often leaks far more than expected.

In my second project, I investigated so-called silent delivery receipts (background signals messengers send to acknowledge the arrival of a message), even if the user never sees it. These receipts are invisible to the recipient: no notification, no chat bubble, no evidence at all. Yet they provide a rich signal to anyone able to exploit them.

By sending crafted messages that trigger silent receipts, an attacker who knows nothing more than a phone number can continuously "ping" a target. From the timing and behavior of the responses, it is possible to infer whether the user is online, how many devices are linked to their account, which operating systems they use, and even whether their screen is currently on or off. More aggressively, repeated probing can exhaust a device's battery or data plan without the victim ever noticing a thing.

This research highlights a core blind spot in the design of messaging systems: protecting message contents is not enough if metadata flows remain unrestricted. In fact, invisible background signaling can reveal some of the most sensitive behavioral patterns, undermining user trust in platforms that are otherwise marketed as secure by default.

Study 3: Prekey Depletion in WhatsApp [3]

My most recent paper returned to WhatsApp, this time focusing on its use of the Signal protocol's prekeys. Prekeys are disposable chunks of key material that allow secure sessions to be established even when the recipient is offline. They are the reason you can send a first encrypted message to someone who has never been online at the same time as you. Without prekeys, the convenience and scalability of end-to-end encryption at billions of users would be impossible.

Yet this convenience comes at a cost: prekeys are a limited resource. Each client device uploads a finite number of prekeys to WhatsApp's servers. When those are used up, the server must request more before secure sessions can continue. I showed that this mechanism can be abused in a targeted prekey depletion attack. By deliberately consuming a victim's prekeys, an attacker can force conditions where new sessions lack perfect forward secrecy, or where messages simply cannot be delivered at all.

Beyond the immediate confidentiality risk, the refill process itself leaks information that can be abused for targeted disruption or inference. What was intended as a clever workaround for offline messaging thus becomes a fragile choke point in the security of billions of users.

Common Themes and Broader Lessons

Although these three studies examine different systems (i.e., operator networks, instant messengers, and cryptographic protocols) the underlying theme is the same. When communication services move onto the Internet, they inherit the Internet's failure modes: key reuse across borders, metadata channels invisible to users, and brittle bootstrapping protocols that do not scale gracefully under adversarial conditions.

From an academic perspective, these results underscore the need for systematic auditing of real-world deployments, not just protocol specifications. On paper, VoWiFi, Signal, and WhatsApp's crypto are secure. In practice, deployment shortcuts, invisible design decisions, and assumptions about scale open cracks that adversaries can exploit.

From an industry perspective, the takeaways are clear. Operators must enforce unique credentials and eliminate weak fallback mechanisms. Messaging platforms must treat metadata with the same care as message contents, offering user control and robust abuse prevention. And cryptographic infrastructure must be provisioned with adversarial scaling in mind, not just functional convenience.

Looking Ahead

The transition of communication services to Internet-based infrastructure is irreversible. Wi-Fi calling and messenger apps are not going away; indeed, they are becoming the norm. But if these systems are to remain trustworthy, we need to treat them as critical infrastructure. That means holding vendors accountable for sane defaults, exposing hidden metadata flows to scrutiny, and investing in more resilient cryptographic primitives.

My work is only a small part of this larger effort, but it illustrates how easily today's conveniences can turn into tomorrow's liabilities. The future of communication is online, but it is up to all of us, as researchers, operators, and developers, to ensure that it is also secure.

References:

[1] Diffie-Hellman Picture Show: Key Exchange Stories from Commercial VoWiFi Deployments (Gegenhuber et al., USENIX Security 2024): https://arxiv.org/abs/2407.19556v2

[2] Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers (Gegenhuber et al., RAID 2025): https://arxiv.org/abs/2411.11194

[3] Prekey Pogo: Investigating Security and Privacy Issues in WhatsApp's Handshake Mechanism (Gegenhuber et al., USENIX WOOT 2025): https://arxiv.org/abs/2504.07323