Blog

Internet users leave many traces on websites and online services. Measures such as firewalls, VPN connections and browser privacy modes are in place to ensure a certain level of data protection. However, a newly discovered security loophole allows bypassing all of these security measures.

Computer scientists at the Institute for Applied Information Processing and Communication Technologies (IAIK) at the Technical University of Graz (TU Graz) were able to track users’ online activities in detail by simply observing fluctuations in their Internet connection speed. No malicious code is needed to exploit this vulnerability, known as “SnailLoad,” and no data traffic needs to be intercepted. All types of end devices and internet connections are affected.

The researchers published their work in a paper titled “SnailLoad: Using Remote Network Latency Measurements Without JavaScript.”

Attackers track fluctuations in Internet connection latency by transferring files

Attackers only need to have had direct contact with the victim once before. In this case, the victim downloads an essentially harmless small file from the attacker’s server without realizing it – for example, while visiting a website or watching an advertising video.

Since this file does not contain malicious code, it cannot be detected by security software. The transfer of this file is extremely slow, providing the attacker with constant information about the variation of the latency of the victim’s Internet connection. In subsequent steps, this information is used to reconstruct the victim’s online activity.

“SnailLoad” combines latency data with online content fingerprinting

“When the victim enters a website, watches an online video or talks to someone via video, the latency of the internet connection varies in a specific pattern that depends on the specific content being used,” says IAIK’s Stephan Gast. This is because all online content has a unique fingerprint: For efficient transmission, online content is split into small data packets that are sent one after the other from the host server to the user. The pattern of the number and size of these data packets is unique to each piece of online content – like a human fingerprint.

The researchers collected fingerprints from a limited number of YouTube videos and popular websites in advance for testing purposes. When test subjects used these videos and websites, the researchers were able to tell by the corresponding fluctuations in latency.

“However, the attack will also work the other way around,” says Daniel Gruss of IAIK. “Attackers first measure the pattern of latency fluctuations when the victim is online and then search for online content with the matching fingerprint.”

Slow internet connections make it easier for attackers

When spying on test subjects watching videos, researchers achieved a success rate of up to 98%.

“The higher the data volume in the videos and the slower the victims’ Internet connection, the greater the success,” says Gruss. Therefore, the success rate for spying on major websites dropped to around 63%.

“However, if attackers feed their machine learning models with more data than we did in our test, these values ​​will certainly increase,” says Gruss.

A hatch that is practically impossible to close

“Closing this security gap is difficult. The only option would be for ISPs to artificially slow down their customers’ Internet connections in a random pattern,” Gruss says. However, this would result in noticeable delays for time-critical applications such as video conferencing, live streaming or online PC gaming.

The team led by Gast and Gruss created a website describing SnailLoad in detail. They will present the scientific paper on the loophole at the Black Hat US 2024 and USENIX Security Symposium conferences.