A team of security researchers from Graz University of Technology has unveiled a novel side-channel attack named SnailLoad, which can remotely deduce a user’s online activities.
“SnailLoad exploits a universal bottleneck in internet connections,” the researchers stated in a study published this week.
“This bottleneck affects network packet latency, enabling an attacker to infer ongoing network activity on another user’s internet connection. With this information, an attacker can deduce which websites a user visits or which videos they watch.”
A notable feature of SnailLoad is that it eliminates the need for an adversary-in-the-middle (AitM) attack or physical proximity to the target’s Wi-Fi connection to capture network traffic.
The attack works by deceiving a target into loading a benign asset (such as a file, image, or advertisement) from a server controlled by the attacker. The attacker then uses the victim’s network latency as a side channel to infer the victim’s online activities.
To execute this fingerprinting attack, the attacker performs a series of latency measurements on the victim’s network connection as content is downloaded from the attacker’s server during browsing or video streaming.
Subsequently, a post-processing phase employs a convolutional neural network (CNN) trained with traces from a similar network setup to achieve inference accuracy of up to 98% for videos and 63% for websites.
In essence, due to the network bottleneck on the victim’s side, the attacker can deduce the amount of transmitted data by measuring the packet round-trip time (RTT). These RTT traces are unique to each video and can be used to classify the video viewed by the victim.
The attack is named “SnailLoad” because the server transmits the file at an extremely slow pace to monitor connection latency over a prolonged period.
“SnailLoad does not require JavaScript, any form of code execution on the victim system, or user interaction—only a continuous exchange of network packets,” the researchers explained. It “measures latency to the victim system and infers network activity based on variations in latency.”
“The underlying cause of the side-channel is buffering in a transport path node, typically the last node before the user’s modem or router, linked to a quality-of-service issue known as bufferbloat.”
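The buffering described above can be seen in a toy model, added here as an illustration and not taken from the researchers' study: one FIFO queue sits in front of the last-mile link, and a small probe packet waits behind whatever the user's own traffic has queued. The link rate, tick length, both traffic patterns and all function names are constructed assumptions; no real network is measured.

```python
# Added illustration, not code from the SnailLoad study. A single FIFO buffer
# in front of the user's last-mile link is modelled in 10 ms ticks; the link
# rate and both traffic patterns are constructed values.
TICK_MS = 10
LINK_BYTES_PER_TICK = 12_500          # assumed 10 Mbit/s access link


def probe_delays(traffic, buffer_bytes=1_000_000):
    """Queueing delay in ms seen by a tiny probe packet at every tick."""
    backlog, delays = 0, []
    for arriving in traffic:
        backlog = min(backlog + arriving, buffer_bytes)    # tail drop if full
        delays.append(backlog * TICK_MS / LINK_BYTES_PER_TICK)
        backlog = max(backlog - LINK_BYTES_PER_TICK, 0)    # link drains one tick
    return delays


def bursts(schedule, ticks=90):
    """Build a per-tick byte trace from {tick: burst_bytes}."""
    return [schedule.get(t, 0) for t in range(ticks)]


def pearson(xs, ys):
    """Pearson correlation of two equal-length traces."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var = sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)
    return cov / var ** 0.5 if var else 0.0


# Two constructed segment-download patterns standing in for two videos.
VIDEO_A = bursts({0: 50_000, 30: 150_000, 60: 100_000})
VIDEO_B = bursts({0: 150_000, 20: 50_000, 45: 50_000, 70: 100_000})


def closest_reference(observed, references):
    """Name of the reference delay trace that best matches the observation."""
    return max(references, key=lambda name: pearson(observed, references[name]))


if __name__ == "__main__":
    refs = {"A": probe_delays(VIDEO_A), "B": probe_delays(VIDEO_B)}
    noisy = [d + (3 if i % 2 else 0) for i, d in enumerate(refs["A"])]  # jitter
    print(max(refs["A"]), closest_reference(noisy, refs))
```

In this model the peak delay multiplied by the link rate gives back the size of the burst that caused it, which is why the latency trace carries the volume and timing of the user's downloads.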
This revelation follows the disclosure of a security vulnerability in router firmware’s handling of Network Address Translation (NAT) mapping, which could be exploited by an attacker on the same Wi-Fi network as the victim to bypass Transmission Control Protocol (TCP) randomization.
“For performance reasons, most routers do not thoroughly inspect the sequence numbers of TCP packets,” the researchers noted. “This results in significant security vulnerabilities, allowing attackers to craft forged reset (RST) packets to maliciously clear NAT mappings in the router.”
Such an attack enables the adversary to determine the source ports of other client connections and steal the sequence number and acknowledgment number of the normal TCP connection between the victim and the server, facilitating TCP connection manipulation.
These TCP hijacking attacks can be weaponized to corrupt a victim’s HTTP web page or launch denial-of-service (DoS) attacks. The researchers mentioned that patches for this vulnerability are being prepared by the OpenWrt community and router vendors including 360, Huawei, Linksys, Mercury, TP-Link, Ubiquiti, and Xiaomi.