Security loophole lets hackers spy on people and affects every device and internet connection

 (The Independent)
(The Independent)

A new security loophole could let hackers spy on anyone – and every internet connection and device is vulnerable, according to the researchers who found it.

The hack is known as ‘SnailLoad’ and appears to bypass all security measures such as firewalls and VPN tools.

It works by monitoring changes in the speed of a user’s internet connection – not requiring any kind of code or access to a machine.

That is enough to allow hackers to track users’ online activity in detail, the researchers behind it say.

To be hit by the ‘SnailLoad’ attack, users need only to download a seemingly harmless and small file from the hacker’s server. That might be hidden inside a malicious website, for instance.

That file does not in itself contain malicious code, meaning that it will not be spotted by security software. But the transfer of the file is extremely slow – which means that attackers can monitor how fast the user’s internet connection is.

That is enough for hackers to gain detailed access. It allows attackers to spot the “fingerprint” of a connection: to transfer a file, it is broken up into a number of small pieces, but that leaves behind a unique code that can then be spotted later.

“When the victim accesses a website, watches an online video or speaks to someone via video, the latency of the internet connection fluctuates in a specific pattern that depends on the particular content being used,” said Stefan Gast, from Graz University of Technology, where the team who found the vulnerability are based.

The researchers behind the attack said they were able to spy on test users watching videos with a 98 per cent success rate. That was more successful if their internet connections were slow and the videos were large, they said.

As such, that means that browsing using less data is also less accurate – researchers could only spy on users looking at basic websites with a 63 per cent success rate. But attackers would be able to improve their models with more data, making them even better at spying on even more difficult browsing.

There is no easy way to fix the security issue, researchers said.

“The only option would be for providers to artificially slow down their customers’ internet connections in a randomised pattern,” said Daniel Gruss, also from Graz University of Technology’s Institute of Applied Information Processing and Communication Technology. But slowing down those connections would also mean that there would be delays in live streams or online gaming.

The team are to publish a paper describing their findings at a devoted website.