Netflix User Privacy is Vulnerable to Passive Traffic Analysis Attacks

US Academics are concerned over how Netflix users may be the victims of passive traffic analysis attacks. Even though the popular video streaming platform recently integrated HTTPS support, that measure will do little to protect users. In fact, any assailant can target a random user and capture their traffic. Doing so would give the assailant insight as to what users are watching, which is a direct invasion of privacy.

Spying On Netflix Users Is Troublesome

It appears Netflix users may be subject to passive traffic analysis attacks. While most people may not worry about an unknown assailant spying on their watching habits, it is not something that should be underestimated by any means. In fact, this should not even be possible, considering Netflix recently introduced an HTTPS upgrade for all video watching activity. Unfortunately, it appears this countermeasure will do little good.

The potential flaw was first discovered by West Point’s US Military Academy researchers. According to their findings, an assailant can easily find out what anyone is watching on Netflix at any given time. They also developed a proof of concept system which would prove the vulnerability is very real. Since Netflix delivers content over the TCP protocol, assailants could passively analyze traffic by looking at the TCP/IP headers.

As part of their research, the two researchers put together a database containing several thousand videos available on Netflix. They were able to determine which video is which with nearly 100% accuracy by using the passive traffic analysis method. It is impossible to be 100% accurate in this regard, a 99.99% success rate is nothing to sneeze at. Moreover, it appears this system works even better as more information is randomized.

It would appear two of the technologies used by Netflix to stream video make it possible for assailants to analyze platform traffic. Both technologies leak small portions of metadata every time a video is transmitted over the platform. Even though Netflix’s upgrade to HTTPS should prevent traffic analysis from happening, it appears that is not the case right now. Deep packet inspection is not possible, yet a passive traffic analysis attack can’t be prevented.

People may be wondering why this is such a big problem, as it seems impossible for attackers to do anything useful with the information. Exposing Netflix users’ privacy – inadvertently – is not something that should be overlooked by any means. The company acknowledges passive traffic analysis remains a big problem, yet they can’t do much about it when using HTTPS to stream video. Netflix takes consumer privacy very seriously, that much is certain.

It is also important to note this issue is not specific to Netflix by any means. Any video streaming platform relying on HTTPS will suffer from the same vulnerability. Streaming services should focus on solving these privacy-related issues as soon as possible. Doing so is much easier said than done, though. Rest assured Netflix and other companies will continue to look into possible solutions moving forward.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.