Researchers from Austria’s Graz University of Technology have uncovered a novel side-channel attack called SnailLoad that exploits network latency to infer user activity. SnailLoad is a non-invasive attack technique that could allow attackers to gather information about websites visited or videos watched by victims without needing direct access to their network traffic.
How The SnailLoad Exploit Works
SnailLoad takes advantage of the bandwidth bottleneck present in most internet connections. When a user’s device communicates with a server, the last mile of the connection is typically slower than the server’s connection. An attacker can measure delays in their own packets sent to the victim to deduce when the victim’s connection is busy.
The attack masquerades as a download of a file or any website component (like a style sheet, a font, an image or an advertisement). The attacking server sends out the file at a snail’s pace, to monitor the connection latency over an extended period of time. The researchers decided to name the technique ‘SnailLoad’ as “apart from being slow, SnailLoad, just like a snail, leaves traces and is a little bit creepy.”
The attack requires no JavaScript or code execution on the victim’s system. It simply involves the victim loading content from an attacker-controlled server that sends data at an extremely slow rate. By monitoring latency over time, the attacker can correlate patterns with specific online activities.
The researchers have shared the conditions required to recreate the SnailLoad attack:
- Victim communicates with the attack server.
- Communicated server has a faster Internet connection than the victim’s last mile connection.
- Attacker’s packets sent to victim are delayed if the last mile is busy.
- Attacker infers website visited or video watched by victim through side-channel attack.
In the related user study detailed in the SnailLoad research paper, the researchers approached local undergraduate and graduate students who volunteered to run a measurement script that employs the SnailLoad attack technique. The researchers took steps to ensure that no personal information had been exposed to information leakage at any point.
Furthermore, the researchers had planned to destroy collected traces after the paper had been published and offer students the option to directly request the deletion of traces or exclusion of their traces in the paper’s results at any point.
The researchers reported the attack technique to Google on March 9 under the responsible disclosure section of their paper, with Google acknowledging the severity of the issue. The tech giant also stated that it was investigating possible server-side mitigations for YouTube. The researchers shared working proof of concept on GitHub along with instructions and an online demo.
SnailLoad Implications and Mitigation
In testing, SnailLoad was able to achieve up to 98% accuracy in identifying YouTube videos watched by victims. It also showed 62.8% accuracy in fingerprinting websites from the top 100 most visited list.
While not currently observed in the wild, SnailLoad could potentially affect most internet connections. Mitigation is challenging, as the root cause stems from fundamental bandwidth differences in network infrastructure. The researchers stated that while adding random noise to the network can reduce the accuracy of the attack, it could impact performance and cause inconvenience to users.
As online privacy concerns grow, SnailLoad highlights how even encrypted traffic could potentially be exploited to leak information through subtle timing differences. Further research could be required to develop effective countermeasures against this new class of remote side-channel attacks.
