Zero-Click SnailLoad: From Minimal to No User Interaction
摘要
Network side channel often rely on privileged attacker positions, e.g., physical proximity, person-in-the-middle scenarios, or code on the victim machine. Recent fully remote attacks without a privileged position are either easily mitigated (e.g., ICMP pings) or require minimal user interaction (e.g., SnailLoad). In this paper, we reduce user interaction in fully remote network side-channel attacks in two directions: First, we analyze 21 communication tools that automatically establish connections without user interaction with external references. We identify privacy-concerning automated behavior for 4 out of 11 messengers and 6 out of 10 email clients, leaking victim IP addresses without user interaction, undermining end-to-end encryption, and even enabling remote SnailLoad attacks without user interaction. Second, we show that even without any specific client software, merely processing TCP packets can already enable zero-click attacks. We introduce a novel latency measurement method based on TCP SYN packets, exploiting that TCP SYN packets to a closed port either lead to a timeout or, in our experiments about once per second, an ICMP-based response. Timing these responses yields a coarse SnailLoad trace, sufficient to mount a video fingerprinting attack with an \(F_1\) score of \(56\%\) compared to \(89\%\) on a similar Internet connection and the same number of videos as prior work. Thus, our findings confirm in both directions that fully automated side-channel attacks without user interaction are feasible and posing a relevant privacy threat.