SnailLoad - New Side-Channel Network Latency Attack
Researchers at Graz University of Technology have unveiled a novel side-channel attack technique named "SnailLoad."
This innovative approach exploits remote network latency measurements to infer user activities on a computer, posing significant implications for online privacy and security.
SnailLoad represents a significant leap in the domain of side-channel attacks. Unlike previous methodologies that required direct observation of network traffic or the execution of malicious code on the victim's system, SnailLoad can operate entirely passively. It measures the latency of the victim's system and uses these measurements to infer user activities, such as watching videos or browsing websites.
The researchers demonstrated SnailLoad in a video-fingerprinting attack, achieving an impressive classification F1 score of up to 98% for identifying YouTube videos watched by the victim. They also conducted an open-world website fingerprinting attack, which resulted in an F1 score of 62.8%.
These results suggest that prior network traffic observation techniques, typically reliant on person-in-the-middle (PITM) scenarios, could potentially be adapted for remote attacks.
How SnailLoad Works
SnailLoad exploits subtle variations in round-trip times (RTTs) of network packets. These variations are influenced by the victim's network activities, allowing an attacker to deduce what the user is doing online.
The technique does not require JavaScript or any form of code execution on the victim's system, nor does it need user interaction. Instead, it relies on a constant exchange of network packets, such as a background network connection.
A key aspect of SnailLoad is its ability to function without being detected by common security measures.
For example, the attack can be disguised as a slow HTTP transfer from an attacker-controlled server. This could be a background connection used by a messenger app or a slow-loading image on a website, making it difficult for firewalls and other security tools to identify and block the attack.
The researchers conducted extensive evaluations of SnailLoad using various internet connection technologies, including ADSL, FTTH, FTTB, LTE, and cable. They achieved F1 scores ranging from 37% to 98%, depending on the type of connection and the specific circumstances of the attack. For instance, the highest accuracy was observed on FTTH connections, which are not shared among multiple users.
One of the critical findings of the study is the root cause of the side channel exploited by SnailLoad: buffering in a transport path node, usually the last node before the user’s modem or router.
This phenomenon, known as bufferbloat, has traditionally been seen as a quality-of-service issue. However, SnailLoad demonstrates that the timing differences caused by bufferbloat can be exploited by attackers.
Implications for Security and Privacy
The implications of SnailLoad are profound. By showing that network activity can be inferred remotely without the need for PITM scenarios or code execution on the victim's system, SnailLoad challenges existing assumptions about network security.
This technique could potentially be used to spy on users, steal sensitive information, or even manipulate online experiences.
For instance, an attacker could use SnailLoad to determine what videos a user is watching on platforms like YouTube.
This information could be used for targeted advertising, blackmail, or other malicious purposes. Similarly, the ability to infer website visits could be exploited to track user behaviour, bypassing the protections offered by encrypted connections and privacy-focused tools like VPNs and Tor.
The discovery of SnailLoad highlights the need for improved security measures to protect against remote side-channel attacks. Network administrators and security professionals must be aware of this new threat and consider implementing additional safeguards, such as more sophisticated traffic analysis tools and stronger encryption methods.