Websites can now spy on you through your hard drive


Over the past decades, there has been no shortage of websites using clever technologies to secretly track visitor data: browsing history, device fingerprinting, and even keystrokes and mouse movements in real time. Even Meta and Yandex were recently caught joining the privacy free-for-all.

Websites now have a new way to spy on their visitors: by measuring minute interactions with their solid-state drives. This technology, called FROST (OPFS-based SSD Timing Remote Fingerprinting), allows sites to monitor what other sites a visitor is viewing and what applications are open on their device.

The technique, set out in a research paper, exploits a side channel, a form of leakage resulting from physical manifestations such as electromagnetic emissions, data caches, or the time required to complete a task. By measuring these manifestations, attackers can decrypt encrypted traffic and infer other confidential data.

The attack used by FROST is known as a contention side channel, which measures the interaction of different processes that all use (or compete for) a particular resource. By measuring the timing of certain I/O (input and output) operations on the SSD used by the visitor, the researchers were able to determine which websites were open in other tabs — even in other browsers — and which applications were open on the visitor’s device. FROST requires no interaction from the visitor other than opening the site hosting the attack.

“Web browsers have evolved from simple document viewers to complex platforms capable of running sophisticated applications,” the paper’s authors wrote. “Companies like Google, Microsoft, and Adobe have developed entire office suites, image and video editors, or even integrated development environments (IDEs) that run entirely within the browser.” The authors went on to note: “While these features enhance the capabilities of web applications and allow entirely new use cases, they also increase the attack surface of the browser, and some have already been shown to introduce new vulnerabilities.”

Unlike previous side-channel attacks on SSDs, FROST works entirely in the browser. It uses JavaScript that interacts with OPFS (the Origin Private File System), a storage area dedicated to a single origin (site) in which web code can create and read the files it needs for a particular task. Websites can create such a file system without any visitor interaction.

While each file system is sandboxed, meaning it is isolated from other websites and from the device’s own file system, JavaScript can still measure the timing of its I/O operations. Then, by running those measurements through a pre-trained convolutional neural network – a system that uses deep learning to analyze text, audio, and images – an attacker can infer which applications and websites are open on the device.

“The attacker continually measures SSD contention by performing random reads from a large OPFS file,” the researchers explained. “SSD contention caused by user activity causes measurable latency differences for these read operations. By training a convolutional neural network (CNN) on these traces, an attacker can fingerprint user activity on the host system by classifying new traces using the trained model.”

This technique has its limitations. First, the OPFS file must be very large – likely a gigabyte or more. This requirement means that large-scale attacks will inevitably be detected by many users. Additionally, the OPFS file must be stored on the same SSD that the visitor is using. This is usually not a problem for tracking open websites, as the OPFS file is stored in the browser’s default location. If the device uses a separate SSD for applications, FROST will not be able to detect those applications.

One of the best ways to prevent FROST attacks is to close tabs as soon as they are no longer needed. More experienced users can monitor the creation and size of custom OPFS files by unknown websites. Researchers have suggested ways for browser makers to close the side channel. One such way is to limit the maximum size of these files allowed. There are no indications of FROST attacks being carried out in the wild.
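As an added example (not code from the paper or from the article), the following Python script implements the monitoring idea above: it walks a directory that holds per-origin browser storage and reports files at or above a size threshold, grouped by the origin that owns them. The layout (one sub-directory per origin directly under the scanned root) and the default one-gigabyte threshold are assumptions; real browser profile layouts differ, so point it at the storage directory of the browser you use.

```python
"""Report unusually large per-origin browser storage files.

Constructed example: the directory layout assumed here is
<root>/<origin>/.../<file>, where <origin> is any sub-directory name the
browser uses for a site. Adjust the root and threshold for your browser.
"""
from collections import defaultdict
from pathlib import Path

# The article notes the probe file is "likely a gigabyte or more".
ONE_GIB = 1024 ** 3


def find_large_storage_files(root, threshold=ONE_GIB):
    """Return [(origin, path, size_bytes)] for files of size >= threshold.

    origin is the first path component below root (assumed to name the
    site owning the file); files directly under root are tagged "(root)".
    Results are sorted largest first.
    """
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            size = path.stat().st_size
        except OSError:  # file vanished or unreadable; skip it
            continue
        if size >= threshold:
            rel = path.relative_to(root)
            origin = rel.parts[0] if len(rel.parts) > 1 else "(root)"
            hits.append((origin, str(path), size))
    hits.sort(key=lambda h: h[2], reverse=True)
    return hits


def total_by_origin(hits):
    """Sum flagged bytes per origin, e.g. {"https+++example.test": 4096}."""
    totals = defaultdict(int)
    for origin, _path, size in hits:
        totals[origin] += size
    return dict(totals)


if __name__ == "__main__":
    import sys
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for origin, path, size in find_large_storage_files(scan_root):
        print(f"{size / ONE_GIB:8.2f} GiB  {origin}  {path}")
```

Run it periodically (or from a cron job) against your browser's storage directory; a site you do not recognise owning a multi-gigabyte file is worth a closer look.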
