A New Creeping Threat
SnailLoad is a virtually undetectable exploit that allows attackers to spy on web traffic without physical machine access or malicious code.
There is a ceaseless digital cat-and-mouse game playing out on the internet today, with malicious hackers and security researchers constantly trying to get the upper hand on one another. As a result of these efforts, we are now all accustomed to regularly installing security updates to our operating system and other applications, running a firewall, and exercising caution when we click on any web links.
These measures go a long way towards keeping us safe online, but new fronts open up in this digital battle by the day. Side-channel attacks are one of the more concerning types of exploits as they do not necessarily rely on any bad behavior on the part of the user. These attacks may sniff out electromagnetic radiation emitted by a computer, or even watch LEDs on the front panel as they blink, to gain insights into what is happening inside the box.
But these types of attacks generally require some sort of instrumentation to be placed near the machine that is to be observed, so they can be defeated by simply protecting the physical space around it. A novel exploit called SnailLoad that was recently described by a team of security researchers at the Graz University of Technology has no such requirement, however. SnailLoad allows attackers to spy on your web traffic with no physical access to the machine, no instrumentation positioned near the targeted machine, and no bad behavior on the part of the user. Furthermore, it leaves behind no traces and cannot be detected by existing security software.
SnailLoad gets its name from the fact that the exploit begins by starting a very, very slow download. It can be anything that is downloaded, and the downloaded file does not need to contain anything malicious, so it can easily go undetected. The attacker can then monitor the speed with which the file is being downloaded to gain insights into latency in the victim's internet connection.
When the victim does anything else online while that file downloads, like visiting a website, sending an email, or watching a video, packets will be sent through their network interface. These packets all have a unique signature, and the latency that is introduced into the initial file download reveals those signatures to the attacker, even though they cannot directly see the traffic associated with those other activities.
These tiny latency blips in the download are not easy to interpret, so the team trained a convolutional neural network to analyze the signal and classify the activity that is occurring. To test the system, the model was trained on a set of YouTube videos, and it was demonstrated that the latency signal could be used to correctly determine which video was being watched in 98 percent of cases on average. It was noted that SnailLoad is more successful when a lot of data is being transferred, as is the case with videos. Website classification, on the other hand, was only successful in 63 percent of cases.
If you read many papers on security exploits, you know that the authors generally close by discussing a way to foil the attack. In this work, that was not the case, since the attack is almost impossible to prevent. The best suggestion that the researchers had was for internet service providers to artificially slow connections in a random pattern to avoid latency detection. But of course this solution is undesirable and would lead to problems with real-time applications in particular, so it could never be implemented. To defeat SnailLoad, fresh thinking will be needed.
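The latency effect and the random-delay countermeasure described above can be seen in a toy queue model. This is an added example, not code from the article or from the Graz researchers; the link speed, the traffic pattern, the jitter range and all function names are constructed assumptions.

```python
import random

TICK_MS = 10                    # simulation step (assumed)
LINK_BYTES_PER_TICK = 12_500    # assumed 10 Mbit/s last-mile link

def victim_traffic(ticks, period=200, burst_ticks=40, rate=20_000):
    """Constructed workload: bytes the user requests per tick.
    A burst every `period` ticks mimics segment-style video fetching."""
    return [rate if t % period < burst_ticks else 0 for t in range(ticks)]

def probe_latency(traffic, jitter_ms=0.0, rng=None):
    """Queuing delay (ms) of a tiny packet sent each tick through the same
    FIFO bottleneck. jitter_ms > 0 models the countermeasure: a uniform
    random delay in [0, jitter_ms] added to every packet."""
    rng = rng or random.Random(0)
    backlog, out = 0, []
    for arriving in traffic:
        # Bytes the link cannot carry this tick wait in the queue.
        backlog = max(0, backlog + arriving - LINK_BYTES_PER_TICK)
        delay = backlog / LINK_BYTES_PER_TICK * TICK_MS
        out.append(delay + rng.uniform(0, jitter_ms))
    return out

def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5

def evaluate(jitter_ms):
    """Return (leak, cost_ms): how strongly latency tracks the user's
    activity, and the mean extra delay every packet pays for the jitter."""
    traffic = victim_traffic(2000)
    active = [1.0 if b else 0.0 for b in traffic]
    lat = probe_latency(traffic, jitter_ms, random.Random(1))
    base = probe_latency(traffic)
    return pearson(active, lat), sum(lat) / len(lat) - sum(base) / len(base)

if __name__ == "__main__":
    for j in (0, 500):
        leak, cost = evaluate(j)
        print(f"jitter={j:>3} ms  leak={leak:.2f}  mean added delay={cost:.0f} ms")
```

Comparing evaluate(0) with evaluate(500) shows the correlation dropping only when every packet pays roughly a quarter of a second of extra delay on average, which is the cost to real-time applications noted above.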