ABSTRACT
The iCloud Private Relay (PR) is a new feature introduced by Apple in June 2021 that aims to enhance online privacy by protecting a subset of web traffic from both local eavesdroppers and websites that use IP-based tracking. The service is integrated into Apple’s latest operating systems and uses a two-hop architecture where a user’s web traffic is relayed through two proxies run by disjoint entities.
PR’s multi-hop architecture resembles traditional anonymity systems such as Tor and mix networks. Such systems, however, are known to be susceptible to traffic analysis: an intercepting adversary (e.g., a malicious router) can attempt to compromise the privacy promises of such systems by analyzing characteristics of their network traffic (e.g., packet timings and sizes). In particular, previous works have widely studied the susceptibility of Tor to website fingerprinting and flow correlation, two major forms of traffic analysis.
In this work, we are the first to investigate the threat of traffic analysis against the recently introduced PR. First, we explore PR’s current architecture to establish a comprehensive threat model of traffic analysis attacks against PR. Second, we quantify the likelihood of these attacks against PR by evaluating the risks posed by real-world AS-level adversaries through empirical measurement of Internet routes. Our evaluations show that some autonomous systems are in a particularly strong position to perform traffic analysis on a large fraction of PR traffic. Finally, having demonstrated the potential for these attacks to occur, we evaluate the performance of several flow correlation and website fingerprinting attacks over PR traffic. Our evaluations show that PR is highly vulnerable to state-of-the-art website fingerprinting and flow correlation attacks, with both attacks achieving high success rates. We hope that our study will shed light on the significance of traffic analysis to the current PR deployment and convince Apple to make design adjustments that alleviate the risks.
Index Terms
- Investigating Traffic Analysis Attacks on Apple iCloud Private Relay