Upcoming Virtual Event: Cloud Security Summit | July 17 - Register Now
Connect with us

Hi, what are you looking for?



New SnailLoad Attack Relies on Network Latency Variations to Infer User Activity

New attack named SnailLoad allows a remote attacker to infer websites and videos viewed by a user without direct access to network traffic.

SnailLoad attack

A team of researchers from the Graz University of Technology in Austria has disclosed the details of a new attack method that allows a remote attacker to infer websites and other content viewed by a user without needing direct access to their network traffic.

Other researchers previously showed that websites accessed by users and even the actions they perform within applications can be inferred by an attacker, but this often requires a person-in-the-middle (PitM) attack or hacking the target’s Wi-Fi connection from physical proximity. 

The new side-channel attack method discovered by the TU Graz researchers, named SnailLoad, is more efficient as it does not require a PitM position, JavaScript, or any other code execution on the victim’s system. 

The researchers demonstrated the attack by showing that they could deduce the YouTube videos and websites accessed by a user. 

In order to launch a SnailLoad attack, the attacker conducts a series of latency measurements for various YouTube videos and websites that the victim may be viewing. This data provides a latency trace that includes specific variations over time for each targeted video or website, basically creating a fingerprint for each of them.

The attacker then needs to get the targeted user to load data from a malicious server. The attacker can convince the victim to download a file, but the attack also works with any other type of non-malicious content delivered by the attacker’s server, including style sheets, fonts, images or ads.

“The main threat here is that any TCP server can stealthily obtain latency traces from any clients connecting to it,” Stefan Gast, one of the researchers involved in this project, told SecurityWeek.

An important aspect is that the malicious server needs to load the content at a slow pace — this is where the SnailLoad name comes from — for the attacker to be able to monitor the connection latency over an extended period of time. 

The attack leverages the fact that servers typically have a fast internet connection, in contrast with the speed when the traffic reaches the ISP’s systems or the victim’s gateway, where packets are delayed. These bandwidth bottlenecks can be leveraged by the attacker for latency measurements.

Advertisement. Scroll to continue reading.

The data obtained by the attacker while content is being fetched by the victim’s system from the malicious server is compared to the previously created fingerprint, enabling the attacker to figure out which of the videos or websites in their list is viewed by the victim in a different window while the SnailLoad attack is being carried out. 

The researchers noted that an attacker can leverage a convolutional neural network (CNN) to learn the latency trace for each targeted asset and also to later infer the site or video. 

The attack is not easy to mitigate because it leverages the way the internet works. However, the researchers believe it’s unlikely that SnailLoad has been exploited in the wild. 

In addition, in its current form, the impact of the SnalLoad attack is limited due to the fact that the attacker needs to compile a list of websites that the victim could visit, and the accuracy of the attack is impacted if the victim is performing other operations besides viewing the targeted video or site. 

In the tests conducted by the TU Graz researchers, which covered 10 YouTube videos and 100 popular websites, they achieved an accuracy ranging between 37% and 98%, depending on the type of targeted resource and the type of internet connection.

Gast will present the findings at the Black Hat USA 2024 cybersecurity conference this summer with Daniel Gruss, an information security professor at the Graz University of Technology who was also involved in this project. Gruss is known for the notorious Meltdown and Spectre attacks, as well as several other side-channel attacks discovered over the past years.

The researchers have published a paper describing SnailLoad and they have set up a dedicated website that provides a high-level description of the attack. The SnailLoad site also hosts a demo of the attack. 

Related: New Attack Shows Risks of Browsers Giving Websites Access to GPU 

Related: Protected Virtual Machines Exposed to New ‘CacheWarp’ AMD CPU Attack

Related: Nearly All Modern CPUs Leak Data to New Collide+Power Side-Channel Attack

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

Craig Boundy has left Experian to join McAfee as President and CEO.

Forcepoint has promoted Ryan Windham from Chief Customer and Strategy Officer to Chief Executive Officer.

ICS and OT cybersecurity solutions provider TXOne Networks appointed Stephen Driggers as its new CRO.

More People On The Move

Expert Insights