Endangered Privacy: Large-Scale Monitoring of Video Streaming Services

Authors: 

Martin Björklund and Romaric Duvignau, Chalmers University of Technology and University of Gothenburg

Abstract: 

Despite the widespread adoption of HTTPS for enhanced web privacy, encrypted network traffic may still leave traces that can lead to privacy breaches. One such case concerns MPEG-DASH, one of the most popular protocols for video streaming, where video identification attacks have exploited the protocol's side-channel vulnerabilities. As shown by several works in recent years, the distinctive traffic patterns generated by DASH's adaptive bitrate streaming reveal streamed content despite TLS protection. However, these earlier studies have not demonstrated that the vulnerability remains exploitable in large-scale attack scenarios, even when making strong assumptions about network details. To that end, this work presents a protocol-agnostic system capable of identifying videos independent of network layer information, and demonstrates a practical attack over the largest dataset to date, comprising over 240,000 videos covering three entire streaming services. Using a combination of k-d tree search and time series methods, our system achieves an accuracy of over 99.5% in real-time video identification and remains effective even in scenarios involving victims behind VPNs or where Wi-Fi eavesdropping occurs. Since large-scale video identification can compromise user privacy and enable potential mass surveillance of video services, we complement our work with an analysis of the vulnerability root cause when using adaptive bitrate streaming and propose a mitigation strategy to stand against such vulnerabilities. Recognizing the lack of open-source tooling in this domain, we publish an extensive dataset of video fingerprints, network capture data, and tools to foster awareness and prompt timely solutions within the video streaming community to address these privacy concerns effectively.
