
SnailLoad Attack Uses Network Latency to Monitor Users’ Online Activities

A group of security researchers from the Graz University of Technology has demonstrated a new side-channel attack called SnailLoad that can remotely reveal a user’s web activity.

“SnailLoad exploits a bottleneck found on all Internet connections,” the researchers stated in a report released this week.

“This bottleneck impacts the latency of network packets, allowing an attacker to deduce the current network activity on someone else’s Internet connection. An attacker can use this information to infer websites a user visits or videos a user watches.”

What sets this approach apart is that it eliminates the need for carrying out an adversary-in-the-middle (AitM) attack or being physically close to the Wi-Fi connection to intercept network traffic.

Essentially, it involves tricking a target into loading a harmless asset (like a file, an image, or an ad) from a server controlled by the attacker, which then uses the victim’s network latency as a side channel to determine online activities on the victim’s system.

To execute such a fingerprinting attack and uncover what video or website a user might be accessing, the attacker measures the latency of the victim’s network connection while the content is being downloaded from the attacker’s server and the victim is browsing or watching.

This is followed by a post-processing phase that uses a convolutional neural network (CNN), trained with traces from an identical network setup, to infer the content with an accuracy of up to 98% for videos and 63% for websites.

In simple terms, due to the network bottleneck on the victim’s end, the attacker can calculate the amount of data transmitted by measuring the packet round trip time (RTT). The RTT traces are unique per video and can be used to identify the video watched by the victim.

The attack is named SnailLoad because the attacking server sends the file slowly in order to monitor the connection latency over an extended period of time.

“SnailLoad does not require JavaScript, any form of code execution on the victim system, or user interaction, but only a continuous exchange of network packets,” the researchers explained, adding that it “measures the latency to the victim system and predicts the network activity on the victim system from the latency variations.”

“The root cause of the side-channel is buffering in a transport path node, typically the last node before the user’s modem or router, related to a quality-of-service issue called bufferbloat.”
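The link between data queued at the bottleneck and the delay a small packet experiences, and the role of the buffer the researchers name as the root cause, can be reproduced in a toy queue model. The following is an added example, not code from the researchers or from this article; the link rate, buffer sizes and traffic patterns are constructed assumptions, and the model is simplified to one FIFO buffer advanced in 1 ms ticks.

```python
# Added illustration, not the researchers' code: a fluid model of one FIFO
# buffer in front of a slow last-mile link. All numbers are constructed.

LINK_BYTES_PER_MS = 1000  # assumed bottleneck rate (about 8 Mbit/s)


def probe_delays(victim_bytes_per_ms, buffer_bytes):
    """Queueing delay (ms) seen by a tiny probe packet at each 1 ms tick."""
    backlog = 0.0
    delays = []
    for arriving in victim_bytes_per_ms:
        # Victim traffic joins the queue; bytes beyond the buffer are dropped.
        backlog = min(backlog + arriving, buffer_bytes)
        # A probe arriving now waits until the bytes ahead of it are sent.
        delays.append(backlog / LINK_BYTES_PER_MS)
        # The link transmits for one tick.
        backlog = max(backlog - LINK_BYTES_PER_MS, 0.0)
    return delays


def bursty(burst_ms, idle_ms, rate, cycles):
    """Constructed stand-in for segmented video traffic: bursts, then idle."""
    return ([rate] * burst_ms + [0] * idle_ms) * cycles


def mean_abs_diff(a, b):
    """Average per-tick difference between two equal-length traces, in ms."""
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)


# Two constructed traffic patterns (200 ticks each) standing in for two videos.
VIDEO_A = bursty(burst_ms=5, idle_ms=15, rate=4000, cycles=10)
VIDEO_B = bursty(burst_ms=2, idle_ms=8, rate=4000, cycles=20)

DEEP = 1_000_000  # oversized (bloated) buffer, in bytes
SHALLOW = 2_000   # buffer capped at about 2 ms of link time

if __name__ == "__main__":
    for name, size in (("deep", DEEP), ("shallow", SHALLOW)):
        a = probe_delays(VIDEO_A, size)
        b = probe_delays(VIDEO_B, size)
        print(f"{name:8s} peak A={max(a):4.1f} ms  peak B={max(b):4.1f} ms  "
              f"A-vs-B distance={mean_abs_diff(a, b):.2f} ms")
```

In this model the deep buffer produces delay peaks of 16 ms and 7 ms and traces that differ by 5.3 ms on average, so the two traffic patterns are easy to tell apart. With the buffer capped at 2 ms of link time both peaks fall to 2 ms and the traces differ by only 0.55 ms.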

The SnailLoad disclosure comes as researchers have uncovered a security flaw in how router firmware manages Network Address Translation (NAT) mapping, which could be exploited by an attacker on the same Wi-Fi network as the victim to bypass built-in randomization in the Transmission Control Protocol (TCP).

“Most routers, for performance reasons, do not thoroughly inspect the sequence numbers of TCP packets,” the researchers explained. “As a result, this introduces significant security vulnerabilities that attackers can abuse by crafting forged reset (RST) packets to maliciously clear NAT mappings in the router.”

This attack essentially allows the attacker to determine the source ports of other client connections, steal the sequence number and acknowledgment number of the normal TCP connection between the client and the server, and manipulate TCP connections.

These hijacking attacks against TCP could then be used to tamper with a victim’s HTTP web page or carry out denial-of-service (DoS) attacks, according to the researchers, who mentioned that patches for the vulnerability are being prepared by the OpenWrt community and router vendors like 360, Huawei, Linksys, Mercury, TP-Link, Ubiquiti, and Xiaomi.
