Researchers say they can spy on your browsing by measuring SSD activity through a…
The technique correctly identified visited websites with roughly 89% accuracy and running applications with roughly 96% accuracy on a test Mac

Security researchers at Graz University of Technology in Austria have published a paper describing a side-channel attack that lets a malicious website identify what other sites and apps a visitor has open by measuring SSD access latency through JavaScript inside a standard browser sandbox. The technique, called FROST (Fingerprinting Remotely using OPFS-based SSD Timing), correctly identified visited websites with roughly 89% accuracy and running applications with roughly 96% accuracy on a test Mac, requires nothing from the victim beyond visiting the attacker’s page, and works across different browsers.
FROST exploits the Origin Private File System (OPFS), a browser API that lets websites create and store files on a user’s local disk without prompting for permission. Previous SSD side-channel attacks that we’ve seen require native code running through privileged kernel interfaces, but FROST eliminates that requirement.
The team disclosed their findings to Google, Apple, and Mozilla: Google said it doesn’t consider fingerprinting a security vulnerability, Apple called the attack “currently out of scope,” and Mozilla acknowledged the findings without implementing fixes.
The attack creates a large OPFS file on the victim’s SSD, with both Chrome and Safari allowing a website to claim up to 60% of total disk space through OPFS, which on a 256GB drive is over 150GB. The file must exceed the system’s available RAM so that every random 4 KB read hits the SSD rather than the OS’s page cache. When other activity generates its own disk I/O, it creates measurable latency spikes in the attacker’s reads, and those timing patterns are fed into a convolutional neural network trained to recognize specific websites and applications by their I/O signatures.
Because the contention occurs at the storage level, the attack works across browsers; running the attacker page in Chrome while the victim browsed in Safari showed only a 3.38% throughput difference versus a same-browser attack.

The full fingerprinting attack was only tested on an M2 Mac Mini with 8GB of RAM and a 256GB SSD. On Linux, the researchers confirmed they could measure SSD latency from the browser, but didn’t run the full fingerprinting classification, and Windows wasn’t tested at all. The OPFS file must also reside on the same physical SSD as the monitored activity, which isn’t guaranteed on multi-drive workstations.
By far the biggest barrier to this attack is the large file size; most people will notice tens or hundreds of gigabytes suddenly disappearing. The researchers propose mitigations, including capping OPFS file sizes to fit within system memory or requiring explicit permission for OPFS file creation. Given that Google doesn’t classify fingerprinting as a security issue, browser-level fixes are unlikely in the near term.
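As an added illustration (not code from the paper or from Tom’s Hardware), the JavaScript below audits per-origin OPFS usage against the precondition described above, a file larger than system RAM, and compares the reported 60% quota with the proposed memory-bound cap. The record shape, function names and sample origins are assumptions constructed for the example.

```javascript
// Added example: flag origins whose OPFS footprint meets the precondition the
// article describes (a file larger than RAM, so reads miss the page cache).
// Record shape, function names and sample numbers are constructed.
const GB = 1024 ** 3;

// Quota under the behaviour the article reports: up to 60% of total disk.
function currentQuota(diskBytes) {
  return Math.floor(diskBytes * 0.6);
}

// Quota under the proposed mitigation: cap OPFS so a file fits within memory.
function cappedQuota(diskBytes, ramBytes) {
  return Math.min(currentQuota(diskBytes), ramBytes);
}

// Classify each origin's OPFS usage against both policies.
function auditOrigins(records, { diskBytes, ramBytes }) {
  const today = currentQuota(diskBytes);
  const cap = cappedQuota(diskBytes, ramBytes);
  return records.map(({ origin, opfsBytes }) => ({
    origin,
    opfsGB: +(opfsBytes / GB).toFixed(1),
    exceedsRam: opfsBytes > ramBytes, // page cache cannot hold the whole file
    allowedToday: opfsBytes <= today,
    allowedWithCap: opfsBytes <= cap,
  }));
}

// Test machine from the article: 8GB of RAM and a 256GB SSD.
const machine = { diskBytes: 256 * GB, ramBytes: 8 * GB };

// Constructed sample usage for two hypothetical origins.
const sample = [
  { origin: "https://editor.example", opfsBytes: 2 * GB },
  { origin: "https://unknown.example", opfsBytes: 40 * GB },
];

const report = auditOrigins(sample, machine);
for (const r of report.filter((r) => r.exceedsRam)) {
  console.log("review:", r.origin, r.opfsGB + "GB in OPFS exceeds RAM");
}
```

On the article's test machine, the second origin fits comfortably inside the 60% quota but would be refused under a RAM-sized cap, which is the gap the proposed mitigation closes.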
Luke James is a freelance writer and journalist. Although his background is in legal, he has a personal interest in all things tech, especially hardware and microelectronics, and anything regulatory.
