A group of security researchers from Graz University of Technology demonstrated a new side-channel attack called SnailLoad, which can be used to remotely infer a user’s web activities.

“SnailLoad exploits a bottleneck present on all Internet connections,” the researchers wrote in a study published this week.

“This bottleneck affects network packet latency, allowing an attacker to determine current network activities on another person’s Internet connection. An attacker can utilize this information to figure out which websites a person visits or which videos they watch.”

One distinguishing feature of this strategy is that it eliminates the necessity for an adversary-in-the-middle (AitM) attack or physical proximity to the Wi-Fi connection to sniff network traffic.

You might be interested in: Intel CPUs Affected by New UEFI Vulnerability

It involves deceiving a target into loading an innocent asset (e.g., a file, an image, or an ad) from a threat actor-controlled server. The attacker then uses the victim’s network latency as a side channel to detect online actions on the victim’s system.

To carry out a fingerprinting attack and determine what video or website a user is watching or visiting, the attacker takes a series of latency measurements of the victim’s network connection while the content is downloaded from the server as they browse or view content.

It then proceeds to a post-processing step where a convolutional neural network (CNN) trained using traces from an identical network setup makes the inference with up to 98% accuracy for videos and 63% for websites.

In other words, due to the victim’s network bottleneck, the attacker can calculate the quantity of data delivered by measuring the packet round trip time (RTT). The RTT traces are unique to each video and can be used to identify the video watched by the victim.

The attack gets its name from the fact that the attacking server sends the file slowly to monitor the connection latency over time.

“SnailLoad requires no JavaScript, no form of code execution on the victim system, and no user interaction but only a constant exchange of network packets,” the investigators stated. They added that it “measures the latency to the victim system and infers the network activity on the victim system from the latency variations.”

“The root cause of the side-channel is buffering in a transport path node, typically the last node before the user’s modem or router, related to a quality-of-service issue called bufferbloat.”

The disclosure comes after academics discovered a security flaw in the way router firmware handles Network Address Translation (NAT) mapping, which could be exploited by an attacker connected to the same Wi-Fi network as the victim to bypass built-in randomization in the Transmission Control Protocol.

“Most routers, for performance reasons, do not rigorously inspect the sequence numbers of TCP packets,” according to the study authors. “Consequently, this introduces serious security vulnerabilities that attackers can exploit by crafting forged reset (RST) packets to maliciously clear NAT mappings in the router.”

The attack enables the threat actor to infer the source ports of additional client connections, as well as steal the sequence number and acknowledgment number of the normal TCP connection between the victim client and the server, allowing them to manipulate TCP connections.

According to the researchers, hijacking attacks targeting TCP could be weaponized to poison a victim’s HTTP web page or stage denial-of-service (DoS) attacks. Patches for the vulnerability are being prepared by the OpenWrt community as well as router vendors such as 360, Huawei, Linksys, Mercury, TP-Link, Ubiquiti, and Xiaomi.