June 28, 2024 at 06:45AM
Security researchers from Graz University of Technology have revealed a new side-channel attack, SnailLoad, capable of remotely inferring a user’s web activity. By exploiting network latency, the attack allows attackers to deduce websites visited or videos watched without needing to be in physical proximity to the victim’s Wi-Fi connection. Additionally, academics uncovered a security flaw in router firmware regarding NAT mapping, enabling attackers to bypass TCP randomization and manipulate connections for potential hijacking attacks.
Here are the main takeaways from the meeting notes:
– Security researchers from Graz University of Technology have discovered a new side-channel attack called SnailLoad that can be used to remotely infer a user’s web activity by exploiting network latency.
– The attack allows an attacker to monitor a victim’s network activity without the need for a man-in-the-middle attack or physical proximity to the victim’s Wi-Fi connection.
– SnailLoad involves tricking a target into loading a harmless asset from a threat actor-controlled server, exploiting the victim’s network latency to determine online activities.
– The attack involves using latency measurements and a convolutional neural network to infer the content being browsed or viewed on the victim’s system with high accuracy.
– The attack exploits a network bottleneck on the victim’s side, inferring transmitted data by measuring packet round trip time.
– The researchers also disclosed a security flaw in router firmware that handles Network Address Translation (NAT) mapping, which could be exploited to bypass built-in randomization in the Transmission Control Protocol (TCP).
– The flaw enables attackers to manipulate TCP connections, with potential implications for HTTP web pages and to stage denial-of-service attacks.
– Patches for the vulnerability are in development by the OpenWrt community and router vendors like 360, Huawei, Linksys, Mercury, TP-Link, Ubiquiti, and Xiaomi.
For more exclusive content, follow the company on Twitter and LinkedIn.