On Covert Channels Using QUIC Protocol Headers

David Cheeseman

ShmooCon XX (Final) · Day 2 · Build It

In this ShmooCon talk, David Cheeseman, a Johns Hopkins Master's student and cybersecurity professional, delved into the intriguing world of **covert channels**, specifically demonstrating how he engineered one using the **QUIC (Quick UDP Internet Connections)** protocol headers. The presentation, born from a two-week academic assignment, showcases an innovative method for surreptitious communication, leveraging a protocol designed for efficient and secure web traffic. Cheeseman's work highlights a critical area of concern for network defenders: the potential for seemingly benign, high-entropy fields within modern protocols to be repurposed for malicious activities such as **command and control (C2)** or **data exfiltration**.

AI review

This talk presents a solid, well-implemented proof-of-concept for a covert channel utilizing the high-entropy connection IDs within the QUIC protocol. The speaker demonstrates a clear understanding of covert channel theory and QUIC internals, developing a custom key exchange and data exfiltration mechanism. The practical relevance is high given QUIC's widespread adoption, and the speaker's honest self-critique of the limitations and potential detection methods adds significant value.