A group of security researchers from the Graz University of Technology have demonstrated a new side-channel attack known as SnailLoad that could be used to remotely infer a user’s web activity.
“SnailLoad exploits a bottleneck present on all Internet connections,” the researchers said in a study released this week.
“This bottleneck influences the latency of network packets, allowing an attacker to infer the current network activity on someone else’s Internet connection. An attacker can use this information to infer websites a user visits or videos a user watches.”
A defining characteristic of the approach is that it obviates the need for carrying out an adversary-in-the-middle (AitM) attack or being in physical proximity to the Wi-Fi connection to sniff network traffic.
Specifically, it entails tricking a target into loading a harmless asset (e.g., a file, an image, or an ad) from a threat actor-controlled server, which then exploits the victim’s network latency as a side channel to determine online activities on the victim system.
To perform such a fingerprinting attack and glean what video or a website a user might be watching or visiting, the attacker conducts a series of latency measurements of the victim’s network connection as the content is being downloaded from the server while they are browsing or viewing.
It then involves a post-processing phase that employs a convolutional neural network (CNN) trained with traces from an identical network setup to make the inference with an accuracy of up to 98% for videos and 63% for websites.
In other words, due to the network bottleneck on the victim’s side, the adversary can deduce the transmitted amount of data by measuring the packet round trip time (RTT). The RTT traces are unique per video and can be used to classify the video watched by the victim.
The attack is so named because the attacking server transmits the file at a snail’s pace in order to monitor the connection latency over an extended period of time.
“SnailLoad requires no JavaScript, no form of code execution on the victim system, and no user interaction but only a constant exchange of network packets,” the researchers explained, adding it “measures the latency to the victim system and infers the network activity on the victim system from the latency variations.”
“The root cause of the side-channel is buffering in a transport path node, typically the last node before the user’s modem or router, related to a quality-of-service issue called bufferbloat.”
The disclosure comes as academics have disclosed a security flaw in the manner router firmware handles Network Address Translation (NAT) mapping that could be exploited by an attacker connected to the same Wi-Fi network as the victim to bypass built-in randomization in the Transmission Control Protocol (TCP).
“Most routers, for performance reasons, do not rigorously inspect the sequence numbers of TCP packets,” the researchers said. “Consequently, this introduces serious security vulnerabilities that attackers can exploit by crafting forged reset (RST) packets to maliciously clear NAT mappings in the router.”
The attack essentially allows the threat actor to infer the source ports of other client connections as well as steal the sequence number and acknowledgment number of the normal TCP connection between the victim client and the server in order to perform TCP connection manipulation.
The hijacking attacks targeting TCP could then be weaponized to poison a victim’s HTTP web page or stage denial-of-service (DoS) attacks, per the researchers, who said patches for the vulnerability are being readied by the OpenWrt community as well as router vendors like 360, Huawei, Linksys, Mercury, TP-Link, Ubiquiti, and Xiaomi.
