A group of security researchers from the Graz University of Technology has demonstrated a new side-channel attack known as SnailLoad that can be used to remotely infer a user’s web activity.
“SnailLoad exploits a bottleneck present in all Internet connections,” the researchers said in a study published this week.
“This bottleneck affects the latency of network packets, allowing an attacker to infer the current network activity of someone else’s Internet connection. An attacker can use this information to infer the websites the user visits or the videos the user watches.”
A distinctive feature of this approach is that it eliminates the need to conduct an adversary-in-the-middle (AitM) attack or to be in physical proximity to a Wi-Fi connection to eavesdrop on network traffic.
Specifically, it involves tricking the target into downloading an innocuous asset (such as a file, image, or advertisement) from a server controlled by the threat actor, who then uses the victim’s network latency as a side channel to detect Internet activity on the system.
To perform such a fingerprinting attack and learn what video or website a user may be viewing or visiting, the attacker takes a series of latency measurements of the victim’s network connection as the content is downloaded from the server while the victim is viewing or browsing.
A post-processing step then feeds these latency traces to a convolutional neural network (CNN) trained on traces from an identical network setup, which infers the video or website with an accuracy of up to 98% for videos and 63% for websites.
In other words, due to the network bottleneck on the victim’s side, the adversary can deduce the amount of data transmitted by measuring the packet round-trip time (RTT). RTT traces are unique to each video and can be used to classify the video the victim watched.
The attack is so named because the attacking server transmits the file at a snail’s pace in order to monitor the connection latency over a long period of time.
“SnailLoad requires no JavaScript, no form of code execution on the victim system, and no user interaction, just the constant exchange of network packets,” the researchers explained, adding that it “measures latency to the victim system and infers network activity on the victim system from delay variations.
“The primary cause of the side channel is buffering at a node on the transport path, typically the last node before the user’s modem or router, due to a quality-of-service issue called bufferbloat.”
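To make the bufferbloat mechanism concrete, the following simulation is an added example (not code from the article or from the Graz researchers) of a bottleneck link shared by a bursty "victim" flow and a low-rate "probe" flow. The link rate, burst pattern, buffer size and probe interval are constructed values. It contrasts a single deep FIFO buffer, where the probe's queueing delay mirrors the victim's activity, with per-flow fair queueing, where the probe only waits behind its own backlog and the delay stays flat; the second scheduler is the kind of mitigation (fair queueing / active queue management on the last hop) a network operator would deploy against this class of leak.

```python
"""Bufferbloat side-channel model: one deep FIFO buffer vs per-flow fair queueing.

Constructed scenario; all rates and sizes are illustrative, not measurements.
"""
from collections import deque
from dataclasses import dataclass, field

LINK_BYTES_PER_MS = 1500   # ~12 Mbit/s bottleneck: one MTU-sized packet per ms
PROBE_INTERVAL_MS = 20     # the slow 'snail' server sends one small packet every 20 ms
PROBE_BYTES = 100


@dataclass
class Packet:
    flow: str
    size: int
    t_arrival: int
    remaining: int = field(init=False)

    def __post_init__(self):
        self.remaining = self.size


def victim_bytes(t):
    """Constructed victim activity: 100 ms bursts at 3000 B/ms (2x link rate), then 200 ms idle."""
    return 3000 if (t % 300) < 100 else 0


class FifoQueue:
    """One deep drop-tail buffer shared by all flows (the bufferbloat case)."""

    def __init__(self, capacity_bytes=400_000):
        self.q, self.capacity, self.backlog = deque(), capacity_bytes, 0

    def enqueue(self, pkt):
        if self.backlog + pkt.size > self.capacity:
            return                      # tail drop; never triggered with these numbers
        self.q.append(pkt)
        self.backlog += pkt.size

    def service(self, budget):
        """Transmit up to `budget` bytes in arrival order; return packets fully sent."""
        sent = []
        while self.q and budget > 0:
            pkt = self.q[0]
            take = min(budget, pkt.remaining)
            pkt.remaining -= take
            budget -= take
            self.backlog -= take
            if pkt.remaining == 0:
                sent.append(self.q.popleft())
        return sent


class FairQueue:
    """Per-flow queues served round-robin: a flow's delay depends only on its own backlog."""

    def __init__(self, capacity_bytes=400_000):
        self.flows, self.capacity, self.backlog = {}, capacity_bytes, 0

    def enqueue(self, pkt):
        if self.backlog + pkt.size > self.capacity:
            return
        self.flows.setdefault(pkt.flow, deque()).append(pkt)
        self.backlog += pkt.size

    def service(self, budget):
        sent = []
        active = [q for q in self.flows.values() if q]
        while active and budget > 0:
            share = max(1, budget // len(active))   # equal share of the link per active flow
            for q in list(active):
                pkt = q[0]
                take = min(share, pkt.remaining, budget)
                pkt.remaining -= take
                budget -= take
                self.backlog -= take
                if pkt.remaining == 0:
                    sent.append(q.popleft())
                if not q:
                    active.remove(q)
                if budget <= 0:
                    break
        return sent


def simulate(scheduler, duration_ms=600):
    """Return (send_time, queueing_delay_ms) for every probe packet that got through."""
    samples = []
    for t in range(duration_ms):
        if victim_bytes(t):
            scheduler.enqueue(Packet("victim", victim_bytes(t), t))
        if t % PROBE_INTERVAL_MS == 0:
            scheduler.enqueue(Packet("probe", PROBE_BYTES, t))
        for pkt in scheduler.service(LINK_BYTES_PER_MS):
            if pkt.flow == "probe":
                samples.append((pkt.t_arrival, t - pkt.t_arrival))
    return samples


if __name__ == "__main__":
    for name, sched in (("FIFO (bufferbloat)", FifoQueue()), ("fair queueing", FairQueue())):
        delays = [str(d) for _, d in simulate(sched)]
        print(f"{name:20s} probe delays (ms): {' '.join(delays)}")
```

Under the FIFO scheduler the probe delay climbs to about 100 ms during each victim burst and decays as the buffer drains, so the on/off pattern of the victim's traffic is visible to whoever sends the probes; under fair queueing every probe delay is zero regardless of what the victim flow does, which is the property a last-hop queue needs to close this channel.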
The announcement comes after researchers discovered a security flaw in the way router firmware handles Network Address Translation (NAT) mapping that could be used by an attacker connected to the same Wi-Fi network as the victim to bypass built-in randomization in the Transmission Control Protocol (TCP).
“Most routers do not strictly check TCP packet sequence numbers for performance reasons,” the researchers said. “Therefore, this introduces serious security vulnerabilities that attackers can exploit by creating forged reset (RST) packets to maliciously clear router NAT mappings.”
The attack essentially allows a threat actor to infer the source ports of other client connections and steal the sequence number and acknowledgment number of a normal TCP connection between the victim client and the server in order to manipulate the TCP connection.
Hijacking attacks targeting TCP can be used as a weapon to poison a victim’s HTTP web page or mount denial-of-service (DoS) attacks, according to the researchers, who said patches for the vulnerability are being prepared by the OpenWrt community as well as router vendors like 360, Huawei, Linksys, Mercury, TP-Link, Ubiquiti and Xiaomi.
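The sequence-number check the researchers describe as missing can be shown side by side with its hardened form. The following is an added example, not the code of any router, of OpenWrt, or of the researchers: a toy NAT table that, in lax mode, drops a mapping on any RST carrying the matching addresses and ports, and in strict mode honours only a RST whose sequence number falls inside the window it tracks for that connection (an RFC 5961-style in-window test, applied here at the NAT as an assumption). The addresses, ports and sequence numbers are constructed values.

```python
"""Toy NAT table: lax RST handling beside window-checked RST handling.

Constructed model for illustration only; not any vendor's firmware.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# Flow key in the direction the segment travels: (src_ip, src_port, dst_ip, dst_port)
Key = Tuple[str, int, str, int]


@dataclass
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    rst: bool = False


@dataclass
class Mapping:
    public_port: int   # port the router exposes for this connection
    expect_seq: int    # next sequence number expected from the sender on this key
    window: int        # how far ahead of expect_seq a segment may legitimately be


class NatTable:
    def __init__(self, strict_seq: bool):
        self.strict_seq = strict_seq      # False: lax router; True: window-checking router
        self.entries: Dict[Key, Mapping] = {}
        self.log = []                     # drop records a defender would ship to monitoring

    def add(self, key: Key, public_port: int, expect_seq: int, window: int = 65535) -> None:
        self.entries[key] = Mapping(public_port, expect_seq, window)

    def _rst_in_window(self, m: Mapping, seg: Segment) -> bool:
        # RFC 5961-style test (assumption: applied at the NAT rather than the endpoint).
        # Modular arithmetic keeps the comparison correct across 32-bit sequence wraparound.
        offset = (seg.seq - m.expect_seq) & 0xFFFFFFFF
        return offset < m.window

    def handle(self, seg: Segment) -> str:
        key = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        m = self.entries.get(key)
        if m is None:
            return "no-mapping"
        if not seg.rst:
            return "forwarded"
        if self.strict_seq and not self._rst_in_window(m, seg):
            self.log.append(f"dropped out-of-window RST seq={seg.seq} for {key}")
            return "rst-dropped"          # mapping untouched
        del self.entries[key]
        return "mapping-cleared"


def compare(seq: int, expect_seq: int = 1000) -> Tuple[str, str]:
    """Feed the same RST to a lax and a strict table; return (lax_verdict, strict_verdict)."""
    key = ("203.0.113.5", 443, "192.0.2.10", 51234)   # constructed RFC 5737 test addresses
    verdicts = []
    for strict in (False, True):
        table = NatTable(strict_seq=strict)
        table.add(key, public_port=40000, expect_seq=expect_seq)
        verdicts.append(table.handle(Segment(*key, seq=seq, rst=True)))
    return tuple(verdicts)


if __name__ == "__main__":
    print("in-window RST   :", compare(1000))
    print("arbitrary RST   :", compare(5_000_000))
    print("seq wraparound  :", compare(0x10, expect_seq=0xFFFFFF00))
```

With an in-window sequence number both tables clear the mapping, as they should for a genuine reset; with an arbitrary sequence number only the lax table does, which is the behaviour the researchers report. The strict table also records each drop, so a burst of out-of-window RSTs against one mapping becomes a detectable event rather than a silent teardown. As general background not drawn from the article, Linux connection tracking already implements this kind of window tracking for TCP and only relaxes it when the `net.netfilter.nf_conntrack_tcp_be_liberal` sysctl is enabled, so checking that setting is a reasonable first step on Linux-based routers.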