West Point Researchers Demonstrate Passive Netflix Traffic Analysis Attack

hypercard writes: Researchers from West Point recently presented research on a real-time passive analysis of Netflix traffic. The paper, entitled "Identifying HTTPS-Protected Netflix Videos in Real-Time" is based on research conducted by Andrew Reed, Michael Kranch and Benjamin Klimkowski. The team's technique demonstrates frighteningly accurate results based solely on information captured from TCP/IP headers. Even with the recent upgrade to HTTPS, their technique was effective at identifying the correct video with greater than 99.99 percent accuracy against their database of over 42,000 videos. "When tested against 200 random 20-minute video streams, our system identified 99.5 percent of the videos with the majority of the identifications occurring less than two and a half minutes into the video stream," the paper reads. However, there are important points to note. First, the attack described only applies to streams still using Silverlight. Additionally, an attacker would likely need significant resources and access to intercept, fingerprint and process the traffic in real time. Netflix has reacted positively to the team's research and acknowledged the issue as a known drawback to processing video streams with HTTPS.

So...

[TFlan91]

"only applies to streams still using Silverlight"

Stop using Silverlight, or better yet, stop using anything Microsoft releases to try and accomplish what ActiveX and Silverlight try to?

Re:So...

That's just what they used in their work. The technique seems to be applicable to any other kind of transports as well, they just didn't bother doing that.

Re:So...

[zifn4b]

"only applies to streams still using Silverlight"

Stop using Silverlight, or better yet, stop using anything Microsoft releases to try and accomplish what ActiveX and Silverlight try to?

At the moment, options are limited. Adobe Flash player with RTMP, HTML5 with RTP, or HLS? The problem is largely that web based video streaming doesn't have a whole lot of options unless you commit to writing your own cross-browser plugin. That is precisely what Flash Player did. We need better standards for video streaming. HTML5 (or perhaps browser adoption of it) didn't really step up to the plate very well.

It's funny to me that a lot of developers seem to think that because you're in the context of a web browser that one needs to use HTTP for everything. That's just simply not true.

Re:So...

[Gr8Apes]

HTML5 using RTP is absolutely satisfactory, as that covers the connection and protocol portions. The payload is a different thing, and that's purely based on implementation. It should be easy enough to add some random data bits on a secondary data pass within the encrypted stream to completely confound such analysis. The real issue here is a crappy implementation that leaks data rather than any issue with encryption.

Re: So...

Considering that Netflix's implementation of "standards-based" HTML5 video only works in a handful of specifically approved browsers, that isn't necessarily possible.

Re:So...

[DontBeAMoran]

HTML5 didn't step up to the plate because Google chose to push their own CODEC instead of simply using the industry standard H.264.

Re:So...

[rhazz]

Better yet, just sit back and don't worry about it. What exactly is the risk of someone finding out what you are watching on Netflix?

Re:So...

[trawg]

Fwiw I've been happily watching Netflix in the browser via their excellent HTML 5 player without flash or Silverlight for a long time now. Works flawlessly in Chrome and I think it's ok in Firefox. Requires the (built in) Widevine plugin for DRM.

Amazon Prime video works too. I uninstaller Flash 2 years ago and have never installed Silverlight.

Re:So...

[brunes69]

The problem is not the video streaming. It is the DRM.

The DRM that Google and the W3C want to standardize on, and that Netflix must use by law, yet FOSS peeps keep railing against. These FOSS peeps can't see the forest for the trees; they would rather be stuck using Silverlight.

Re:So...

[arglebargle_xiv]

Correct. There's been a lot of work done on this, you can identify encrypted video, voice, web browsing, you name it. They just happened to target Netflix this time. My only complaint with the work is that this stuff isn't exactly news, it's been known for years. The only novel aspect is that they get 99.99% accuracy while others have got lower accuracy scores... of course that's for blind ID, not using a fixed training data set.

I'm not watching TV at work! I'm doing research

Some academics are trying to rationalize their work-time bingewatching as "security research" ;)

Seriously, this is pretty interesting nevertheless. It shows how much information can be garnered from side channels. And to think we're leaking them all the time...

And this gem from the PDF paper:

Interestingly, 126 windows do not even return themselves. Upon further inspection, we found that these windows stem from two movies, 2001: A Space Odyssey and The Gospel Road: A Story of Jesus, both of which have lengthy periods where the screen is completely dark, thereby resulting in “flat” windows that consist of 30 identically-sized segments. Since Pearson’s r cannot be computed for a single point, these flat windows cannot be correlated.

Re:I'm not watching TV at work! I'm doing research

I wonder if adding a progress bar at the bottom of the movie, actually rendered into the video, would help fix the problem? You'd never have periods of the same frame being transmitted for x seconds as every frame is different.

You could hide the bottom y pixels of the movie in the player/front-end to remove the distraction.

Re:I'm not watching TV at work! I'm doing research

Some academics are trying to rationalize their work-time bingewatching as "security research" ;)

Seriously, this is pretty interesting nevertheless. It shows how much information can be garnered from side channels. And to think we're leaking them all the time...

It's West Point, not exactly the epitome of science and engineering. Do they graduate good military officers? Yes. Would they be my 'go-to' for an engineering school? No.

Sigh... Silverlight

If you are using Silverlight you have bigger problems than this to worry about.

So an attacker would know what you are watching...

The attacker would then send spoilers by mail or something, ruining the series for the victim. The horror!!

Oh, nevermind

[PopeRatzo]

First, the attack described only applies to streams still using Silverlight.

I've also heard that security researchers have found that they can predict where a letter is being sent based solely on the address written on the envelope.

Re:Oh, nevermind

You're analogy is quite flawed. This would be akin to security researchers divining the contents of the envelope based solely on the address written on the envelope. Epic fail for you.

Re:Oh, nevermind

[93+Escort+Wagon]

You're analogy is quite flawed.

As is your grammar.

Re:Oh, nevermind

[PopeRatzo]

This would be akin to security researchers divining the contents of the envelope based solely on the address written on the envelope.

It's Silverlight for chrissake. Is anybody surprised that the envelope is transparent and doesn't protect anonymity and content?

Re: Oh, nevermind

Presumably, Silverlight's TLS stack works properly, otherwise they would not be able to communicate with Netflix. So this isn't a problem with Silverlight, no matter how much you like bashing it.

Don't get me wrong, Silverlight was just MS's attempt to get into the Flash market while Flash was burning to the ground and it a total POS. But this hack ha as absolutely nothing to do with Silverlight.

Yep, let only Google, Apple, or the NSA have it

Do you really think Google isn't turning around and selling that data? As many times as it can?

Timing is everything

[Rhaize]

"Additionally, an attacker would likely need significant resources and access to intercept, fingerprint and process the traffic in real time." Hmm.. I don't quite recall but I seem to remember someone talking about ISP's being permitted to monetize collected data from customers..

Re:So an attacker would know what you are watching

Yeah, I don't get it either. Where is the 'attack' part of this? It's more like traffic analysis. Given the access to the traffic you need it might be easier to stand outside their front door and listen for a minute.

Automated image recognition is very complex

[CustomSolvers2]

This article talks about matching videos with known ones what, unlikely what some people seem to think, is pretty much all what automated image (or video) recognition is about. For example, recognising that a given picture contains a house is usually the result of having compared the given pixels against the ones in a training set of images with houses. Almost any variation with respect to the training image has a relevant impact on this process (e.g., different structure, colours, positions, distorted pixels, etc). Additionally, these analyses usually consume lots of hardware resources.

Even in case of getting a perfect copy of the original video, just automating the recognition of its contents would represent a further layer of complexity. Something like separating the videos about sports from the ones about movies would be very difficult; virtually impossible when dealing with random inputs and expecting a high enough accuracy.

Re: Automated image recognition is very complex

This story is about recognizing patterns in traffic, rather than in the video frames. Although you can say the video encoder does translate frames into traffic features, which is what they use.

Re:Automated image recognition is very complex

It is not about image recognition. It is about recognition of encrypted content.

They manage to guess which video is watched by analysing TCP connection parameters of an encrypted stream over HTTPS.

Re: Automated image recognition is very complex

[CustomSolvers2]

This story is about recognizing patterns in traffic

I got it. My comment was about the next logical step (= what do with that information?), which some people seem to think that is pretty trivial when it isn't.

Re:Automated image recognition is very complex

[CustomSolvers2]

It is not about image recognition. It is about recognition of encrypted content.

Yeah, I know. I was trying to give some insights into the apparently-not-evident-to-everyone difficulty of the most logical next step: maximising the information which they collected.

Re: Automated image recognition is very complex

The point is that the traffic is encrypted, so you can't just analyze its content.

It is significant in that it proves (once again) that encryption is not the answer to all privacy problems.

Re: Automated image recognition is very complex

[CustomSolvers2]

As said, I understood what this article was about. But this specific research, other than proving a generic lack (limitations in the HTTPS security), is focused on a specific issue: getting video-related information. I plainly took advantage from this fact to highlight a somehow related issue which I thought that some people might find interesting.

it proves (once again) that encryption is not the answer to all privacy problems

It only proves that a specific encryption should be further improved. Although no encryption will ever be the one and only solution for all the privacy concerns, as far as all of them are likely to be fallible (at least, at some point).

Re: Automated image recognition is very complex

You have demonstrated you have no clue what this is about. This is about video but not in the way you are talking. It matches known video to known video without ever caring what the video content is or ever being able to understand the video. No pixels need to be rendered, displayed, analyzed or considered. There is no analysis to do on the video. If no one was actually watching on the receiving end this process can take place with literally no one (computer or person) ever seeing a pixel of content. No intelligible bit of information is required. A title pops up "The Hangover" and bam... we have useful information without a single thing ever seeing a single image of anything.

There are a lot of uses of this but I don't see a single use that requires any analysis of video information other than for ancillary purposes on the back end. You certainly have not connected the dots on how video analysis might be related with this. If you had connected the dots to the ancillary purpose, then I would believe you have any clue what you are talking about.

Re: Automated image recognition is very complex

[CustomSolvers2]

You have demonstrated you have no clue what this is about.

It is curious, because you have demonstrated me your poor understanding capabilities via not being able to adequately understand my original intention and my additional explanations, not even the exact value of your opinion (as described below).

It matches known video to known video without ever caring what the video content is or ever being able to understand the video

I know. Again, I took the "video" (word if you wish) as an excuse to write a comment which some people might find interesting. This comment wasn't meant to be directly related to the original article, just to the eventuality of having to deal with video-related information.

No pixels need to be rendered, displayed, analyzed or considered

I will try it again. Let's imagine that your HTTPS-analysing tool can recognise 100 videos and you use this tool to know what 5000 users do. You reached this point by only knowing about HTTPS analysis and by assuming that video recognition is pretty simple (-> what seems a common misconception, the one which my original comment tried to address!!!). Now you want to see whether there are common patterns among these 5000 users (each of them using different videos among the 100 ones), at this point, the aforementioned NEXT LOGICAL STEP, you have to deal with these videos ( you initially store a minimal information about them in the database because you thought that video recognition was very easy), this is the point where my comment becomes relevant. If you want to deal with certain type of information (videos, in this case), it is quite likely that, at some point and for whatever reason, you will want to know all what you can about that type of information and the usual requirements of most of actions dealing with it. This was the whole point of my comment!! A somehow related, perhaps not even too relevant, reference! Nothing to do with understanding or not what the article was about! Nothing to do with the main intention of the article! Why do you want to see a hidden meaning in my words? Why do you want to see complexity and impossibility of understanding regarding something which is pretty simple (breaking encrypted information via recognising some parts by comparing them with previous samples! where is the difficulty to understand that?)?!

There are a lot of uses of this but I don't see a single use that requires any analysis of video information

You have an example in the paragraph above, but let me propose you a scenario. Imagine that you are working for Google (or for any other big company collecting tons of information about anything what their users do) and you are in charge of developing a tool to collect social security numbers. Wouldn't you find (even slightly) helpful any information about the way in which those numbers might be used to access certain service (or even simpler: about an algorithm confirming/dismissing their validity)? The current scope of your work has nothing to do with that (you have only to blindly collect numbers), but in your future activity (or the one of your company) that information is likely to become relevant. You might want to ignore it for the time being or not. But why do you keep saying me that I don't understand that your current work is just collecting information rather than analysing that information! I have understood you the first time you said it, but I am plainly saying something which is somehow related with what you are currently doing! You can ignore this information if you wish, but don't invent a nonexistent meaning or interpret what isn't there! Is seriously so difficult to understand?

You have demonstrated you have no clue what this is about.

then I would believe you have any clue what you are talking about

?! (start of sarcasm)OK, sorry boss for having failed you. Next time, I will try my level best to not let you down because, as you perfectly know, your opinion about what I know, do and expect is all what matters to me. (end of sarcasm).

Re:Automated image recognition is very complex

[bugs2squash]

Well, monetizing the information they collect. we see from your viewing habits you like "Thomas the tank engine" during the day and "Breaking Bad" after 10pm. Can we interest you in some schizophrenia medicine?

Re: Automated image recognition is very complex

Exactly as I thought. You are crazy person or a bot. You can't even form comprehensible sentences and this is confirmed by other people than me questioning your sanity.

Re: Automated image recognition is very complex

[CustomSolvers2]

Exactly as I thought. You are crazy person or a bot.

?! Seriously, can you read? And/or understand simple concepts? A bot? Do you know what a bot is? How could any bot have written what I did? Have I created the best-understanding bot ever and let it here talk with a random anonymous COWARD?!

Are you aware about the fact that you are posting anonymously, the one who started bothering me for no clear reason with an aggressive attitude (seriously expecting me to fix your clear understanding limitations, like being convinced that this is my obligation?!) and the one who doesn't seem to get almost anything right? Do you seriously think that this your place? Let me answer this one for you: it isn't. Your place is extremely far away from people like me and places where people like me go, like this site (sometimes, to make fun of people like you).

Re: Automated image recognition is very complex

This is some amazing troll or insanity. Either way, well done.

Re: Automated image recognition is very complex

[CustomSolvers2]

This is some amazing troll or insanity. Either way, well done.

I seriously recommend you to bring this conversation to a specialist such that you can get the most adequate help for you "condition". Here you have some hints:
- Don't you think that your actions should pursued some goal (beneficial, at least, to one other being) rather than repeating abstract ideas with no clear justification?
- Rather than feeling frustrated or angry with words/ideas different than yours, why don't you try to either understand them or to plainly ignore them (and live happy among "people" like you)?
- Why don't you try to use words which you fully understand and which are, at least, partially applicable to the specific situation (your previous reference to bot made the same sense than your current one to troll. Trolling what? Why? Being part of a conversation without agreeing with you is trolling? Don't you think that there has to be something wrong with a person coming to such ridiculous conclusion?)?
- In general, you should try to avoid situations causing you any kind of distress (apparently, open discussions and not extremely simple ideas do). Also it might be better for your evident lack of self-esteem to not arbitrarily attack people who might defend themselves (in a conversation, I guess that virtually anyone can easily beat your fanatic stupidity) and/or try to avoid being in intrinsically weaker positions (e.g., arbitrarily criticising someone not minding you at all or writing anonymously).

Thanks for the compliment although, in comparison with "people" like you, I certainly do everything well, even insulting. Please, feel free to ask me for help in case you find problems to understand any part of this comment (or your carer isn't around).

streams still using Silverlight?

[Gravis+Zero]

I thought Silverlight was supposed to be dead. Besides, if you are using Windows, your first concern obviously isn't privacy.

Re:streams still using Silverlight?

if you are using Windows, your first concern obviously isn't privacy.

I am still waiting for the kernel.org security breach report from 2011.

The truth is out there... now

[93+Escort+Wagon]

Average Slashdotters: I'm watching porn! Lots of porn!

Researchers: Actually, we've determined you're watching the Veggie Tales' "Barbara Manatee" song clip, over and over.

Re:The truth is out there... now

[cdrudge]

Or Rule 34, it's porn of Veggie Tales' Barbra Manatee.

Re:The truth is out there... now

Average Slashdotters: I'm watching porn! Lots of porn!

Researchers: Actually, we've determined you're watching the Veggie Tales' "Barbara Manatee" song clip, over and over.

Everything is porn to someone...

Re: So an attacker would know what you are watchin

Knowing your taste for entertainment makes social engineering a lot more viable.

so what

Why should I care? Netflix already knows what I watch and I have no doubt that they would sell that information.

Re:so what

I do doubt they would sell that information to, for example, Comcast.

Compression+HTTPS=Badness

[Traverman]

"Reed and Klimkowski show that this combination of DASH and VBR can produce sequences of video segment sizes (i.e. fingerprints) that are unique for each video." Do we really need yet another lesson to teach us that mixing variably (but deterministically) sized traffic segments with HTTPS is self-defeating? Netflix needs to confront the fact that if they value user privacy over performance, they need to roughly double their bandwidth by appending non-pseudo-random junk traffic to each segment, and enforcing a global minimum segment size. I would go so far as to say, furthermore, that they need to ensure that the latency between segment send times is also highly random (up to some acceptably small limit). Otherwise, at least within the first few hops from their server farm, it would be possible to deduce the video ID just from that stream of latencies, as it's probably being read from the same cache hierarchy using the same processors and busses with roughly consistent behavior. The real threat they've discovered has nothing to do with Silverlight. It regards the implications for doing the same on video sites generally, most notably YouTube, using only modestly more sophisticated techniques. Time to reinvent the DVD rental store...

Re:Compression+HTTPS=Badness

[AHuxley]

Think of a method that could be given any video and then track the https users. Encode a vast database of interesting video clips and watch for traces of that https globally.

Re:Compression+HTTPS=Badness

I think we should let the users decide if they value privacy over bandwidth. There are times when I care about my privacy, but mostly I care about bandwidth.

And if privacy is what really matters, I'd much prefer they simply switch to a constant bit rate encoding or variable-size buffering.

dom

Re:Compression+HTTPS=Badness

[sexconker]

I often have the subtitles on and I watch at 1.3x to 1.5x.
Plus Netflix sells all this data anyway. It's easier to just buy it from them to find out I watched Kubo and the Two Strings yesterday.

Netflix doesn't even have porn. If they like money, they should, though. Far more people would pay an extra $10 a month for Netflix + Porn over what they currently pay for Netflix. Not many people are willing to pay $10 a month standalone for porn. But as an add-on from a reputable company that won't infect your PC, have tons of ads, etc., it'll sell like hotcakes.

All they'd need to do would be to hide it well enough - put it at NetflixMidnight.com or something and get a proper profile system setup. Currently Netflix has profiles but only a single login, and that login can access all profiles. It's fucking stupid, but my gues is they have no intention of changing it as it would lead to more account sharing. Then they'd need to placate Apple, Google, MS, Sony, Nintendo, etc. by ensuring the official app never has access to the porn streams.

Re: Compression+HTTPS=Badness

VBR is too big a win. But Netflix content is buffered. There is no reason for physical segments to correspond to logical segments.

Re: Compression+HTTPS=Badness

So, lower MTU and force packets to get fragmented.

Performance hit, though.

Re: Compression+HTTPS=Badness

They probably thought of this, and realized they'd break the Internet until there were major infrastructure upgrades. Isn't Netflix already accounting for like 40-70% of US bandwidth?

Waste of time

[mdm-adph]

Rarely has so much research been done to reveal so little of any actual worth. This is West Point funded -- I assume the government is behind this somewhere? Don't.... don't they already have access to Netflix data on the backend?

Re: Waste of time

This is West Point funded -- I assume the government is behind this somewhere?

I would assume that Comcast is behind it.

Re: Waste of time

It doesn't say it was West Point funded, only that the researchers are at West Point. The research could have funded by the government, a non-profit or a corporation.

Re: So an attacker would know what you are watchin

[tepples]

Particular when the "security questions" used as a faux second factor for authentication on many services include "What is your favorite movie?", as I discovered yesterday when creating an account on a web-based income tax return preparation service.

Video Privacy Protection Act of 1988

[tepples]

The "attack" is described in the rationale for the Video Privacy Protection Act of 1988, which was a response to the release of D.C. Circuit Judge Robert Bork's video rental history and its publication in Washington City Paper before his unsuccessful nomination to the Supreme Court of the United States.

Re:Video Privacy Protection Act of 1988

The "attack" is described in the rationale for the Video Privacy Protection Act of 1988, which was a response to the release of D.C. Circuit Judge Robert Bork's video rental history and its publication in Washington City Paper before his unsuccessful nomination to the Supreme Court of the United States.

So the 'attack' is 'somone in the ruling class might get embarrassed'?

Not really seeing it.

Re: So an attacker would know what you are watchin

[avandesande]

I guess I am just going to have to stick with vigilante movies

Re: So an attacker would know what you are watchin

That is why you never answer those recovery questions honestly and never use the same answer for more than one site. Make up a fake answer (like "correct horse battery staple") and store it in a password vault.

Re: So an attacker would know what you are watchin

whoops, screwed up the link: "correct horse battery staple"

Re: I'm not watching TV at work! I'm doing researc

This was a demonstration of identifying the video only looking at the TCP headers. TLS should be mutating the video frames such that you can't tell all-black from anything else.

The root of the problem might be that compression algorithms are too successful, because when compressed then encrypted, it's easier to deduce what might be in the unencrypted payload.

Re: So an attacker would know what you are watchin

[desdinova+216]

that's all fine until you can't remember what you used.

Good example of Traffic Analysis

Military intelligence organizations has used Traffic Analysis for a century or more. Surely even before the dawn of the radio age.

To keep the enemy from reading your messages you encipher them. Those messages still need to be routed to their proper nets so the header information might be plain text. Even if routing information is encrypted Radio Direction Finding and/or measuring the traffic volume can still provide actionable intelligence. It is likely that a unit receiving the most messages is some sort of headquarters. Tapping a telegraph line was done during the American Civil War by both sides.

No surprise, then, that West Pointers are honing their skills an open information source. Practice does help.

Looking at header information can tell a lot about your internet usage too. One would have to be totally naive to believe various governmental agencies don't bother to look at, and analyze, that sort of meta-data.