"SnailLoad"

Security gap allows spying without malicious code

News
24.06.2024 18:00

IT experts at Graz University of Technology have succeeded in tracking the online activities of internet users via so-called latency fluctuations. The "SnailLoad" vulnerability makes this possible in relation to videos and websites on all types of end devices and internet connections.

Whether watching a video or accessing a homepage - according to Stefan Gast from the Graz Institute for Applied Information Processing and Communication Technology (IAIK), all online content leaves a specific "fingerprint": it is split into small data packets for efficient transmission, which are sent one after the other from the host's server to the user.

This leads to fluctuations in the speed of the internet connection; experts refer to this as latency. The pattern formed by the number and size of these data packets is unique for every piece of online content, just like a human fingerprint, as Gast explained.

Attackers can exploit this as soon as they are able to establish contact with their victim's end device. A "basically harmless small file" can be downloaded from the attacker's server.

The tricky thing is that the file does not contain any malicious code and is therefore not detected by security software. It then keeps loading on the victim's system, continuously providing the attackers with information on the latency of the internet connection and therefore on the victim's online activities.

98 percent hit rate
To track internet activity via latency fluctuations, the researchers first analyzed the "fingerprints" of a limited number of YouTube videos and popular websites for their tests. When the test subjects then accessed this content, it could be recognized by the corresponding latency fluctuations.

When spying on the test subjects watching videos, the team ultimately achieved a hit rate of up to 98 percent. "The higher the data volume of the videos and the slower the victims' internet connection, the better the success rate," emphasized Daniel Gruss. Accordingly, the success rate for spying on visits to simple websites fell to just over 60 percent.

Attack in both directions
"If attackers feed their machine learning models with more data than we did in our test, these values will certainly increase," Daniel Gruss is convinced. For him, it is also clear that the attack can work the other way round: if the victim is active on the internet, an attacker could first measure the latency fluctuations and then search for online content with the matching "fingerprint".

No solution yet
How to close the security gap remains an open question. "The only option would be for providers to artificially slow down their customers' internet connection according to a random pattern," says Daniel Gruss. However, for time-critical applications such as video conferences, live streams or online computer games, this would lead to noticeable delays, as Gruss explained.

The team led by Stefan Gast and Daniel Gruss has set up a website on "SnailLoad". They will be presenting their paper on the security vulnerability at the Black Hat USA 2024 and USENIX Security Symposium conferences.

This article has been automatically translated,
read the original article here.
