Network side channel often rely on privileged attacker positions, e.g., physical proximity, person-in-the-middle scenarios, or code on the victim machine. Recent fully remote attacks without a privileged position are either easily mitigated (e.g., ICMP pings) or require minimal user interaction (e.g., SnailLoad). In this paper, we reduce user interaction in fully remote network side-channel attacks in two directions: First, we analyze 21 communication tools that automatically establish connections without user interaction with external references. We identify privacy-concerning automated behavior for 4 out of 11 messengers and 6 out of 10 email clients, leaking victim IP addresses without user interaction, undermining end-to-end encryption, and even enabling remote SnailLoad attacks without user interaction. Second, we show that even without any specific client software, merely processing TCP packets can already enable zero-click attacks. We introduce a novel latency measurement method based on TCP SYN packets, exploiting that TCP SYN packets to a closed port either lead to a timeout or, in our experiments about once per second, an ICMP-based response. Timing these responses yields a coarse SnailLoad trace, sufficient to mount a video fingerprinting attack with an \(F_1\) score of \(56\%\) compared to \(89\%\) on a similar Internet connection and the same number of videos as prior work. Thus, our findings confirm in both directions that fully automated side-channel attacks without user interaction are feasible and posing a relevant privacy threat.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Zero-Click SnailLoad: From Minimal to No User Interaction

  • Stefan Gast,
  • Nora Puntigam,
  • Simone Franza,
  • Sudheendra Raghav Neela,
  • Daniel Gruss,
  • Johanna Ullrich

摘要

Network side channel often rely on privileged attacker positions, e.g., physical proximity, person-in-the-middle scenarios, or code on the victim machine. Recent fully remote attacks without a privileged position are either easily mitigated (e.g., ICMP pings) or require minimal user interaction (e.g., SnailLoad). In this paper, we reduce user interaction in fully remote network side-channel attacks in two directions: First, we analyze 21 communication tools that automatically establish connections without user interaction with external references. We identify privacy-concerning automated behavior for 4 out of 11 messengers and 6 out of 10 email clients, leaking victim IP addresses without user interaction, undermining end-to-end encryption, and even enabling remote SnailLoad attacks without user interaction. Second, we show that even without any specific client software, merely processing TCP packets can already enable zero-click attacks. We introduce a novel latency measurement method based on TCP SYN packets, exploiting that TCP SYN packets to a closed port either lead to a timeout or, in our experiments about once per second, an ICMP-based response. Timing these responses yields a coarse SnailLoad trace, sufficient to mount a video fingerprinting attack with an \(F_1\) score of \(56\%\) compared to \(89\%\) on a similar Internet connection and the same number of videos as prior work. Thus, our findings confirm in both directions that fully automated side-channel attacks without user interaction are feasible and posing a relevant privacy threat.