Researchers say they can spy on your browsing by measuring SSD activity through a browser API — claim FROST attack requires no permissions or user interaction to identify which apps and websites you're using | Tom's Hardware
Skip to main content
Unlock world-class roadmaps & trusted Bench data. See More
× Unparalleled insights. Industry analysis. Insider access. Tom's Hardware Premium equips you with world-class coverage and detailed insights into the evolving hardware landscape.
✓Full access to our trusted Bench database: Access granular performance data instantly. ✓Exclusive hardware roadmaps: Peer into the future of the hardware industry. ✓Daily news analysis: Dive deep into the biggest stories.
Subscribe to our annual plan for just $29
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
Contact me with news and offers from other Future brands
Receive email from us on behalf of our trusted partners or sponsors
By submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.
You are now subscribed Your newsletter sign-up was successful
An account already exists for this email address, please log in.
(Image credit: Tom's Hardware)
Copy link
X
Share this article
8
Join the conversation
Follow us
Add us as a preferred source on Google
Newsletter
Subscribe to our newsletter
Security researchers at Graz University of Technology in Austria have published a paper describing a side-channel attack that lets a malicious website identify what other sites and apps a visitor has open by measuring SSD access latency through JavaScript inside a standard browser sandbox. The technique, called FROST (Fingerprinting Remotely using OPFS-based SSD Timing), correctly identified visited websites with roughly 89% accuracy and running applications with roughly 96% accuracy on a test Mac, requires nothing from the victim beyond visiting the attacker's page, and works across different browsers.FROST exploits the Origin Private File System (OPFS), a browser API that lets websites create and store files on a user's local disk without prompting for permission. Previous SSD side-channel attacks that we’ve seen require native code running through privileged kernel interfaces, but FROST eliminates that requirement.The team disclosed their findings to Google, Apple, and Mozilla: Google said it doesn’t consider fingerprinting a security vulnerability, Apple called the attack "currently out of scope," and Mozilla acknowledged the findings without implementing fixes.Latest Videos FromThe attack creates a large OPFS file on the victim's SSD, with both Chrome and Safari allowing a website to claim up to 60% of total disk space through OPFS, which on a 256GB drive is over 150GB. The file must exceed the system's available RAM so that every random 4 KB read hits the SSD rather than the OS’s page cache. When other activity generates its own disk I/O, it creates measurable latency spikes in the attacker's reads, and those timing patterns are fed into a convolutional neural network trained to recognize specific websites and applications by their I/O signatures.Because the contention occurs at the storage level, the attack works across browsers; running the attacker page in Chrome while the victim browsed in Safari showed only a 3.38% throughput difference versus a same-browser attack.The full fingerprinting attack was only tested on an M2 Mac Mini with 8GB of RAM and a 256GB SSD. On Linux, the researchers confirmed they could measure SSD latency from the browser, but didn’t run the full fingerprinting classification, and Windows wasn’t tested at all. The OPFS file must also reside on the same physical SSD as the monitored activity, which isn’t guaranteed on multi-drive workstations.By far the biggest barrier to this attack is the large file size; most people will notice tens or hundreds of gigabytes suddenly disappearing, but the researchers propose mitigations, including capping OPFS file sizes to fit within system memory or requiring explicit permission for OPFS file creation. Given that Google doesn’t classify fingerprinting as a security issue, browser-level fixes are unlikely in the near term.Stay On the Cutting Edge: Get the Tom's Hardware NewsletterGet Tom's Hardware's best news and in-depth reviews, straight to your inbox.Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsors
Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.
TOPICS
See all comments (8)
Luke JamesContributorLuke James is a freelance writer and journalist. Although his background is in legal, he has a personal interest in all things tech, especially hardware and microelectronics, and anything regulatory.
8 Comments
Comment from the forums
On Linux, the researchers confirmed they could measure SSD latency from the browser, but didn’t run the full fingerprinting classification, and Windows wasn’t tested at all.Not good
Reply
Wait, browsers let any website to consume a huge amount of local disk space without any user approval? This sounds bad on its own.
Reply
I'm assuming Optane wouldn't have this issue since it effectively has no variation in access time? https://cdn.mos.cms.futurecdn.net/WXcTLyrFcqp88UV5cQZg9G-1200-80.png.webp
Reply
If a browser is using 100% of my ram, then proceeds to fill up most of my OS drive so that if I were using NAND, it would be running slow for an SSD, that browser is getting closed before I even open the task manager because it is running like complete trash. I don't think most have recent experience trying to do things online when the page is running off of your hard drive. I have some old 2GB ram pc sticks and a tablet and running them off of a hard drive instead of ram is broken pc slow.
Anyone will notice in short order if this exploit is being applied.
And SSD performance varies significantly in latency depending on a decent number of factors. (brand, model, CPU+ PCIe characteristics, Windows power plan, Windows version with low latency mode, native NVME enablement, SSD temp, adblock enabled, browser and version used, etc.) How will they standardize for every scenario to know Toms, youtube video x, russian propaganda site or whatever else you are watching?
Macs have very standardized hardware and controlled operating systems. DIY PCs aren't Macs and have way more variability be they running Windows or Linux.
I'm more worried that MS will spy and sell my info than having some system performance trashing hack will slip by unnoticed.
But putting a stop to "the Origin Private File System (OPFS), a browser API that lets websites create and store files on a user's local disk without prompting for permission." doesn't sound like a bad thing.
And yes, my OS drive is Optane but that might also be hackable because it should be very consistent in how long it takes to read files. Good thing those drives are fairly rare.
Reply
derekullo said:I'm assuming Optane wouldn't have this issue since it effectively has no variation in access time? https://cdn.mos.cms.futurecdn.net/WXcTLyrFcqp88UV5cQZg9G-1200-80.png.webpThats why they stopped making them.
Reply
derekullo said:I'm assuming Optane wouldn't have this issue since it effectively has no variation in access time? And the actual consumer market for those was....crickets.
Reply
I think the overlooked part here is "JavaScript" No one should run that, ever.
Reply
I run Firefox with the following extensions to provide a baseline level of protection: https://i.imgur.com/FNe9Ni6.png Some special entities deserve special attention. When I really do not like a site, I am going out of my way to put my foot down with restricting permissions. And the likes of Meta are definitely getting no rights. https://i.imgur.com/bIyb4Ch.png The NoScript extension defaults to “no scripts, no media, no frames, no fonts, etc.” Any rights a domain gets is a conscious decision I make on first visit—guilty until deemed innocent. https://i.imgur.com/Vw4ctwl.png And you cannot get this whole package with Google Chrome or Microsoft Edge, so ditch them..
Reply
View All 8 Comments
Show more comments