New SnailLoad Attack Exploits Network Latency to Spy on Users' Web Activities

Jun 28, 2024 | Editorial | Networking Protection / Information Security


Cybersecurity researchers at Graz University of Technology have disclosed a novel side-channel attack, named SnailLoad, that can be used to covertly infer a user's internet activity.

“SnailLoad leverages a bottleneck found in all internet connections,” the researchers said in a report published this week.

“This bottleneck affects the latency of network packets, enabling an adversary to deduce the current online activity on another user’s internet connection. This information can be used to infer the websites a user visits or the videos they watch.”

What sets the method apart is that it requires neither an adversary-in-the-middle (AitM) position nor physical proximity to the victim's Wi-Fi connection in order to observe the victim's traffic.


In essence, the attack entices the target into loading a harmless-looking resource (a file, an image, or an advertisement) from an attacker-controlled server. The attacker then uses the victim's network latency as a side channel to infer what the victim's system is doing online.

To carry out this fingerprinting attack and determine which video or website the user is viewing, the attacker measures the latency of the victim's network connection while the resource is slowly downloaded from the attacker's server during the victim's normal browsing.

A post-processing step then feeds the latency trace to a convolutional neural network (CNN), trained on data collected from an identical network setup, to make the inference, achieving up to 98% precision for videos and 63% for websites.

Put simply, because of the network bottleneck on the victim's side, the attacker can estimate how much data is being transmitted by monitoring the packet round-trip time (RTT). The RTT pattern is distinctive for each video and can be used to identify the one the victim is watching.

The attack is named “SnailLoad” because the attacking server sends the file at a snail's pace, so that it can observe the connection's latency over an extended period.

“SnailLoad does not rely on JavaScript, any form of code execution on the victim’s system, or user input, but merely ongoing exchange of network packets,” explained the researchers, noting that it “assesses the latency to the victim’s system and deduces the network activities on the victim’s system from the latency fluctuations.”

“The underlying cause of this side-channel is buffering in a transport node path, typically the last node before the user’s modem or router, linked to a quality-of-service issue known as bufferbloat,” they added.
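The bufferbloat mechanism the researchers describe, as an added toy simulation (not the paper's or the researchers' code): a bottleneck link with a deep FIFO buffer versus the same link with a shallow buffer, showing how the queueing delay of the slow download's packets tracks the victim's own traffic, and how a bounded queue shrinks that leak. The link rate, buffer sizes and traffic pattern are constructed assumptions.

```python
"""Toy queueing model of the bufferbloat side channel (added illustration).

A single bottleneck link drains a FIFO buffer at a fixed rate. The victim's
own traffic (e.g. video chunks) shares that buffer with a trickle of tiny
packets from the slow download. Each such probe waits behind whatever is
already queued, so its queueing delay reveals how full the buffer is, i.e.
how much the victim is downloading at that moment. All values are constructed.
"""
from dataclasses import dataclass


@dataclass
class Link:
    rate_bytes_per_ms: float  # drain rate of the bottleneck link
    buffer_bytes: int         # FIFO capacity; a large value models bufferbloat


def simulate(link, victim_bytes_per_ms, probe_every_ms=10, probe_size=64):
    """Return the queueing delay (ms) observed by each probe packet.

    victim_bytes_per_ms[t] is the victim's arriving traffic in millisecond t.
    Bytes that do not fit in the buffer are tail-dropped, which is what keeps
    the delay bounded when the buffer is small.
    """
    queue = 0.0
    delays = []
    for t, arriving in enumerate(victim_bytes_per_ms):
        queue = max(0.0, queue - link.rate_bytes_per_ms)   # one ms of draining
        queue = min(link.buffer_bytes, queue + arriving)    # victim traffic joins
        if t % probe_every_ms == 0:
            delays.append(queue / link.rate_bytes_per_ms)   # probe waits behind it
            queue = min(link.buffer_bytes, queue + probe_size)
    return delays


def victim_pattern(idle_ms=200, burst_ms=200, burst_rate=2000):
    """Idle, then a download burst above the link rate, then idle (constructed)."""
    return [0] * idle_ms + [burst_rate] * burst_ms + [0] * idle_ms


def delay_spread(delays):
    """Range of probe delays: a larger spread means a stronger leak."""
    return max(delays) - min(delays)


if __name__ == "__main__":
    traffic = victim_pattern()
    bloated = simulate(Link(1000, 1_000_000), traffic)  # ~8 Mbit/s, deep buffer
    bounded = simulate(Link(1000, 20_000), traffic)     # same link, shallow buffer
    print("bloated buffer: delay spread %.0f ms" % delay_spread(bloated))
    print("bounded buffer: delay spread %.0f ms" % delay_spread(bounded))
```

With the deep buffer the probe delay climbs by roughly the burst length (about 200 ms here), while the shallow buffer caps it at 20 ms, which is why limiting queue depth at the bottleneck reduces what the RTT trace reveals.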

The disclosure coincides with a separate report from researchers describing a flaw in how router firmware handles Network Address Translation (NAT) mapping, which an attacker connected to the same Wi-Fi network as the victim could exploit to bypass the built-in randomization in the Transmission Control Protocol (TCP).


“Most routers, for performance reasons, do not thoroughly examine the sequence numbers of TCP packets,” mentioned the researchers. “This, in turn, opens up significant security vulnerabilities that attackers can leverage by crafting fabricated reset (RST) packets to maliciously clear NAT mappings in the router.”

In essence, the attack lets the threat actor uncover the source ports of other clients' connections and take over the sequence and acknowledgment numbers of a normal TCP connection between the victim client and the server, enabling manipulation of that connection.

These TCP hijacking attacks can then be used to poison a victim's HTTP web page or mount denial-of-service (DoS) attacks, the researchers said, adding that fixes for the vulnerability are being developed by the OpenWrt community and by router vendors including 360, Huawei, Linksys, Mercury, TP-Link, Ubiquiti, and Xiaomi.
