ShmooCon 2025: Uncovering Covert Channels in QUIC Protocol Headers 🔍

Presented by David Cheeseman in the Built It track of ShmooCon 2025, the final ShmooCon for the convention series. This presentation explores a covert communication channel leveraging high-entropy fields in the QUIC protocol headers. With fields like connection IDs and address validation tokens, QUIC provides an ideal platform for creating channels that evade detection while conforming to protocol entropy requirements. By implementing encryption techniques and leveraging the aioquic library, this work demonstrates covert communication feasibility and discusses potential detection and mitigation strategies. This research provides critical insights into protocol exploitation by leveraging high entropy fields. David Cheeseman is a US Navy Veteran and cybersecurity professional with experience ranging from AI startups, government contractors, and fortune 50 companies where he’s currently employed. As a US Navy Veteran, he served as a Submarine Officer and Information Professional officer working with nuclear reactors, radio, cryptography, and networking. On the blue team side, he managed cybersecurity for 2 startups, one of which was a government contractor, and later worked in a fortune 50 helping to maintain services which scanned 900k+ assets internally. On the red team side, he studies Cybersecurity at Johns Hopkins University with a focus on Red Team subjects and participate in CTF competitions where he’s made podium placements in small teams and solo competitions. Code for this project can be found here: https://github.com/nuvious/quicc