Researchers propose SnailLoad, a novel side-channel attack that leverages network latency variations to infer user activities on the victim’s system. Unlike traditional methods that require observing encrypted network traffic, SnailLoad works by having the victim download a file from a malicious server.
The attacker monitors the download latency fluctuations, which act as a fingerprint and can be used to infer the victim’s activity, such as specific videos being watched.
Evaluation results show high accuracy (up to 98% F1 score) in video fingerprinting, demonstrating the effectiveness of SnailLoad in a non-PITM scenario, which opens up possibilities for adapting existing traffic-observation based attacks into remote attacks without requiring physical proximity or man-in-the-middle setups.
The attacker can masquerade SnailLoad latency measurements as a slow HTTP transfer to evade detection, which enables remote attackers to perform network side-channel attacks without requiring a person-in-the-middle scenario.
Fiber optics offers the highest bandwidth and lowest latency, but its performance depends on the last mile setup (FTTH vs. FTTC/FTTB), while mobile internet connections are inherently shared, and 5G offers better bandwidth and lower latency compared to 4G due to the use of higher frequency bands.
TCP/IP networking, DASH video streaming, video fingerprinting attacks, and remote timing side channels, where TCP/IP ensures reliable data transmission with error checking and congestion control.
DASH allows video streaming to adapt to network conditions by delivering videos in chunks of varying quality. Attackers can fingerprint videos by analyzing the sizes and timings of the chunks in network traffic, and remote timing side channels exploit implementation-specific variations in network traffic to infer user activity.
SnailLoad is a video-fingerprinting attack that exploits network latency variations to infer the video a user is watching and achieves this by measuring round trip times (RTTs) using TCP acknowledgement packets instead of ping, which can be blocked.
The attacker records the network latency trace of the victim watching the video and infers the video using a convolutional neural network, which is effective because a single, low-traffic TCP connection is sufficient and ICMP echo message blocking does not prevent the attack.
It is a web server that leaks privacy-relevant information about what video a victim is playing by measuring network latency traces and works by sending a single byte to the client every 50 milliseconds and measuring the round trip time.
The client watches a video at the same time, and the server can then identify the video by the way the network latency traces change over time. The authors tested SnailLoad on 10 different home internet connections and found that it could identify the video with up to 98% accuracy.
SnailLoad, a website fingerprinting attack that leverages background transfers to identify visited websites, can achieve this by collecting TCP packet timings during the transfer, and training a CNN classifier to recognize website patterns.
In an open-world evaluation of the Alexa top 100 websites and 750 random samples, SnailLoad achieves a macro-averaged F1 score of 62.8%, while the attack also generalizes to some extent across different network connections.