August Newsletter

SnailLoad security hole allows spying on online activity

Researchers at Graz University of Technology discovered that they could spy on users’ online activities by monitoring fluctuations in the speed of their Internet connection. This security hole, called SnailLoad, does not require malicious code or intercepting data traffic. SnailLoad is a significant security hole that affects all types of devices and Internet connections.

SnailLoad attack setup

  • The victim communicates with a server.
  • The server has a fast Internet connection; the victim’s last-mile connection is comparatively slow.
  • Packets from the attacker to the victim are delayed if the last mile is busy.
  • In a side channel attack, the attacker infers which website or video the user is viewing.

The unsuspecting victim only needs to have a single direct contact with the attacker, for example, when visiting a website or watching a promotional video. During this interaction, the victim unknowingly downloads an essentially harmless file. Because this file contains no malicious code, security software does not detect it. The transfer of this file is extremely slow and provides the attacker with continuous information about the variation in latency of the victim’s Internet connection. This stealthy approach allows the attacker to reconstruct the victim’s online activity, posing a threat to the victim’s privacy.

SnailLoad combines latency data with online content fingerprinting.

“When the victim accesses a website, watches an online video or talks to someone via video, the latency of the Internet connection fluctuates according to a specific pattern that depends on the particular content being used,” says Stefan Gast of IAIK.

This is because all online content has a unique “fingerprint”. For efficient transmission, online content is divided into small data packets that are sent one after the other from the host server to the user. The pattern formed by the number and size of these data packets is unique to each piece of online content, like a human fingerprint.

The researchers collected fingerprints from a limited number of YouTube videos and popular websites beforehand for testing purposes. When the test subjects used these videos and websites, the researchers were able to recognize this through the corresponding latency fluctuations. “However, the attack would also work the other way around,” says IAIK’s Daniel Gruss: “Attackers first measure the pattern of latency fluctuations when a victim is online and then search for online content with the corresponding fingerprint.”

Slow Internet connections make things easier for attackers

By spying on test subjects watching videos, the researchers achieved a success rate of up to 98 percent.

“The higher the data volume of the videos and the slower the Internet connection of the victims, the higher the success rate,” explains Gruss. Accordingly, the success rate for spying on basic websites dropped to around 63 percent. “However, if attackers feed their machine learning models with more data than we did in our test, these values will certainly increase,” added Gruss.

A loophole that is practically impossible to close

“Closing this security gap is difficult. The only option would be for providers to artificially slow down their customers’ Internet connections following a random pattern,” Gruss said. However, this would cause noticeable delays in time-critical applications such as video conferencing, live streaming or online computer games.
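The following simulation is an added example, not code from the researchers. It models the last-mile queue described above and measures how much of the victim's traffic pattern shows up in an outside probe's round-trip time on a slow link, on a fast link, and on a slow link with the random-delay mitigation. The link speeds (10 and 100 Mbit/s), the 20 ms base RTT, the ±1 ms jitter and the traffic pattern are all constructed assumptions.

```python
import random

TICK_MS = 10      # one probe packet per 10 ms tick (assumption)
BASE_RTT_MS = 20  # path delay without any queueing (assumption)

def victim_traffic(n):
    """Constructed pattern: a 5-tick burst of 30 kB/tick every 40 ticks, else 2 kB/tick."""
    return [30_000 if t % 40 < 5 else 2_000 for t in range(n)]

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0  # a constant trace carries no pattern to correlate with
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (sxx * syy) ** 0.5

def probe_trace(capacity, pad_ms=0.0, n=800, seed=1):
    """Return (leak, mean_rtt_ms) for a last mile that drains `capacity` bytes per tick.

    leak is the correlation between the queueing delay caused by the victim's
    own traffic and the round-trip time seen by a probe sharing that link.
    pad_ms models the provider-side mitigation: a uniform random delay in
    [0, pad_ms] added to every packet.
    """
    rng = random.Random(seed)
    backlog, queue_ms, rtt_ms = 0, [], []
    for arriving in victim_traffic(n):
        backlog = max(0, backlog + arriving - capacity)  # bytes still queued
        q = backlog / capacity * TICK_MS                 # time to drain them
        queue_ms.append(q)
        jitter = rng.uniform(-1, 1)                      # ordinary network noise
        rtt_ms.append(BASE_RTT_MS + q + jitter + rng.uniform(0, pad_ms))
    return pearson(queue_ms, rtt_ms), sum(rtt_ms) / n

if __name__ == "__main__":
    for label, cap, pad in [("slow 10 Mbit/s", 12_500, 0),
                            ("fast 100 Mbit/s", 125_000, 0),
                            ("slow + 150 ms random delay", 12_500, 150)]:
        leak, rtt = probe_trace(cap, pad)
        print(f"{label:28s} leak={leak:.2f}  mean RTT={rtt:.0f} ms")
```

On the fast link the bursts never fill the queue, so nothing leaks; on the slow link the random delay lowers the correlation only at the cost of a much higher average round-trip time, which is the trade-off Gruss describes.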