
New SnailLoad attack uses network latency to spy on users’ web activity

June 28, 2024 | Press release | Network security / data protection

A group of security researchers from Graz University of Technology has demonstrated a new side-channel attack called SnailLoad that can be used to remotely infer a user’s web activity.

“SnailLoad exploits a bottleneck that exists in all Internet connections,” the researchers said in a study published this week.

“This bottleneck affects the latency of network packets and allows an attacker to infer the current network activity of another person’s Internet connection. An attacker can use this information to infer websites a user visits or videos a user watches.”

A key feature of this approach is that it does not require an Adversary-in-the-Middle (AitM) attack or physical proximity to the Wi-Fi connection to eavesdrop on network traffic.


Specifically, it involves tricking a victim into downloading harmless content (e.g., a file, image, or ad) from a server controlled by the threat actor. The attacker then uses the victim’s network latency as a side channel to detect online activity on the victim’s system.

To carry out such a fingerprinting attack and determine which video or website a user is watching or visiting, the attacker takes a series of latency measurements of the victim’s network connection while the content is being downloaded from the server and the victim is browsing or viewing.

This is followed by a post-processing phase in which a convolutional neural network (CNN) trained with traces from an identical network setup is used to make the inference, with an accuracy of up to 98% for videos and 63% for websites.

In other words, due to the network bottleneck on the victim’s side, the attacker can deduce the amount of data transmitted by measuring the round-trip time (RTT). The RTT traces are unique for each video and can be used to classify the video watched by the victim.

The attack gets its name because the attacking server transfers the file at a snail’s pace in order to monitor connection latency over a longer period of time.

“SnailLoad requires no JavaScript, no code execution on the victim system, and no user interaction, just a constant exchange of network packets,” the researchers explained, adding that it “measures the latency to the victim system and uses the latency fluctuations to infer network activity on the victim system.”

“The main cause of the side channel is buffering at a transport path node, usually the last node before the user’s modem or router, which is related to a quality of service problem called bufferbloat.”
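The buffering effect described above can be reproduced in a toy queue model. This is an added example, not code from the researchers or the original article; `LINK_RATE`, `PROBE_SIZE`, the traffic pattern and both buffer sizes are constructed assumptions.

```python
# Toy discrete-time model of one FIFO buffer in front of a bottleneck link.
# All constants and the traffic pattern are constructed for illustration.
LINK_RATE = 1000   # bytes the bottleneck forwards per tick (assumed)
PROBE_SIZE = 50    # bytes of slow-download traffic arriving every tick (assumed)


def probe_delays(cross_traffic, buffer_limit):
    """Queueing delay, in ticks, seen by a small packet arriving at each tick.

    cross_traffic[i] is the number of bytes of the user's own traffic that
    reaches the buffer at tick i; buffer_limit caps the backlog (tail drop).
    """
    backlog = 0
    delays = []
    for arriving in cross_traffic:
        backlog = min(backlog + arriving, buffer_limit)
        delays.append(backlog / LINK_RATE)      # wait behind everything queued
        backlog = min(backlog + PROBE_SIZE, buffer_limit)
        backlog = max(backlog - LINK_RATE, 0)   # link drains one tick of data
    return delays


def rising_ticks(delays):
    """Ticks at which the delay is higher than at the previous tick."""
    return [i for i in range(1, len(delays)) if delays[i] > delays[i - 1]]


# Constructed pattern: idle periods broken by three bursts of different size.
TRAFFIC = [0, 0, 4000, 4000, 0, 0, 0, 6000, 0, 0,
           0, 0, 3000, 3000, 3000, 0, 0, 0, 0, 0]

if __name__ == "__main__":
    for name, limit in (("deep buffer", 64000), ("shallow buffer", 1500)):
        d = probe_delays(TRAFFIC, limit)
        print(f"{name:14s} peak delay {max(d):5.2f} ticks, "
              f"rises at {rising_ticks(d)}")
```

In this model the deep buffer's delay rises at exactly the ticks where traffic arrives and grows with the burst size, while the shallow buffer caps the delay at 1.5 ticks and flattens the size information.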

The disclosure comes after researchers discovered a vulnerability in the way router firmware handles Network Address Translation (NAT) mapping, which could be exploited by an attacker connected to the same Wi-Fi network as the victim to bypass the built-in randomization in the Transmission Control Protocol (TCP).


“For performance reasons, most routers do not accurately check the sequence numbers of TCP packets,” the researchers said. “This creates serious security vulnerabilities that attackers can exploit by creating fake reset packets (RST) to maliciously delete NAT mappings in the router.”

The attack essentially allows the threat actor to infer the source ports of other client connections, as well as steal the sequence number and acknowledgement number of the normal TCP connection between the victim client and the server in order to spoof the TCP connection.

The TCP-targeted hijacking attacks could then be weaponized to poison a victim’s HTTP web page or perform denial-of-service (DoS) attacks, the researchers said. The OpenWrt community as well as router vendors such as 360, Huawei, Linksys, Mercury, TP-Link, Ubiquiti and Xiaomi are preparing patches for the vulnerability.
