New SnailLoad Attack Reveals Users’ Web Activities

A team of security researchers has unveiled a novel side-channel attack technique called SnailLoad, which can remotely deduce a user’s web activity.

“SnailLoad leverages a universal bottleneck in internet connections,” the researchers explained in their recent study.

This bottleneck affects network packet latency, allowing attackers to infer ongoing network activity on another person’s internet connection. Through this method, attackers can determine which websites a user visits or what videos they watch.

What sets this method apart is that it does not require an adversary-in-the-middle (AitM) attack or physical proximity to the Wi-Fi connection to intercept network traffic.

The process involves tricking the target into loading an innocuous asset (like a file, image, or ad) from a server controlled by the attacker. This asset exploits the victim’s network latency as a side channel to reveal their online activities.

To execute this fingerprinting attack, the attacker measures the victim’s network latency while the target is downloading content from the attacker’s server during their browsing or viewing session.

A subsequent post-processing phase uses a convolutional neural network (CNN) trained with data from a similar network setup, achieving up to 98% accuracy for videos and 63% for websites.

Essentially, the network bottleneck on the victim’s end allows the attacker to deduce the amount of data being transmitted by measuring the packet round-trip time (RTT). The RTT patterns are distinct for each video and can be used to identify the video being watched.

The attack is named SnailLoad because the server sends the file very slowly to monitor the connection latency over a prolonged period.

“SnailLoad doesn’t require JavaScript, code execution on the victim’s system, or any user interaction. It only needs a steady exchange of network packets,” the researchers noted, adding that it “measures the latency to the victim system and deduces network activity from the latency variations.”
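The article notes that the hallmark of SnailLoad is a download that stays open for a long time while delivering almost nothing. The following is an added example, not code from the article or from the SnailLoad researchers: a heuristic that flags such "snail" flows in constructed NetFlow-style records. The thresholds, field names and addresses are assumptions for illustration.

```python
# Added example: heuristic detection of long-lived, near-idle inbound downloads.
# Flow records and thresholds are constructed for illustration; they are not
# values taken from the article or the SnailLoad paper.
from dataclasses import dataclass


@dataclass
class Flow:
    src: str           # external server address (constructed)
    dst: str           # internal client address (constructed)
    duration_s: float  # seconds the connection stayed open
    bytes_in: int      # bytes delivered server -> client
    pkts_in: int       # packets delivered server -> client


# Assumed thresholds: a normal asset download finishes in seconds and moves
# kilobytes per second; a drip-fed file runs for minutes at a trickle.
MIN_DURATION_S = 120   # ignore anything shorter than two minutes
MAX_BPS = 500          # "very slowly": well under a kilobyte per second
MAX_AVG_PKT = 200      # drip-feeding keeps each server packet tiny


def is_snail_flow(f: Flow) -> bool:
    """True if the flow is long-lived, low-throughput and made of small packets."""
    if f.duration_s < MIN_DURATION_S or f.pkts_in == 0:
        return False
    bytes_per_s = f.bytes_in / f.duration_s
    avg_pkt_bytes = f.bytes_in / f.pkts_in
    return bytes_per_s <= MAX_BPS and avg_pkt_bytes <= MAX_AVG_PKT


def flag_snail_flows(flows):
    """Return the subset of flows that match the snail-download heuristic."""
    return [f for f in flows if is_snail_flow(f)]


# Constructed sample flows (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "10.0.0.5", 1.8, 2_400_000, 1800),    # normal CDN download
    Flow("203.0.113.22", "10.0.0.5", 600.0, 60_000, 600),      # 100 B/s for 10 minutes
    Flow("198.51.100.7", "10.0.0.9", 900.0, 2_700_000, 2000),  # long but fast stream
    Flow("198.51.100.8", "10.0.0.9", 300.0, 120_000, 900),     # 400 B/s, ~133 B/packet
]

if __name__ == "__main__":
    for f in flag_snail_flows(SAMPLE_FLOWS):
        print(f"possible snail download: {f.src} -> {f.dst} ({f.duration_s:.0f}s)")
```

Idle keep-alive and long-polling connections match the same shape, so treat a hit as a prompt to inspect the serving host, not as proof of an attack.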

This discovery coincides with another revelation in which academics identified a security flaw in how router firmware handles Network Address Translation (NAT) mapping. An attacker on the same Wi-Fi network as the victim can exploit this flaw to bypass TCP sequence number randomization.

“For performance reasons, most routers don’t rigorously check TCP packet sequence numbers,” the researchers stated. “This creates significant security vulnerabilities, allowing attackers to forge reset (RST) packets and maliciously clear NAT mappings in the router.”

This type of TCP hijacking attack enables the threat actor to infer source ports of other client connections and steal the sequence and acknowledgment numbers of the TCP connection between the victim client and server.

This manipulation can be used to poison the victim’s HTTP web page or launch denial-of-service (DoS) attacks. Patches for this vulnerability are being prepared by the OpenWrt community and router vendors, including 360, Huawei, Linksys, Mercury, TP-Link, Ubiquiti, and Xiaomi.

To prevent the SnailLoad attack, it’s crucial to maintain updated network infrastructure and employ robust network security measures. Implementing network segmentation can reduce the attack surface, and using encrypted connections (HTTPS) can mitigate the risk of data inference through packet latency.