An anonymous reader has shared a report detailing a new technique called FROST (fingerprinting remotely using OPFS-based SSD timing) that allows websites to track visitors by analyzing their solid-state drive (SSD) interactions. This method exploits a side channel created by measuring the time taken for various input-output operations on the SSD, enabling attackers to identify other websites and applications open on a user’s device, even across different browsers. FROST operates within the browser using JavaScript that interacts with an allocated storage space known as the origin private file system (OPFS), requiring no user interaction beyond visiting the malicious site. By utilizing a convolutional neural network trained on timing data from SSD operations, attackers can classify and fingerprint user activity based on latency differences caused by SSD contention.
Why It Matters
This development raises significant privacy concerns as it introduces a novel method for tracking user behavior without consent. Historically, web tracking has relied on cookies and other visible identifiers, but FROST represents a more covert approach by leveraging hardware interactions that users cannot easily detect. As web technologies evolve, the potential for such side-channel attacks highlights vulnerabilities in digital privacy that may not have been previously considered, emphasizing the need for stronger safeguards against unauthorized data collection. Understanding these tactics is crucial for users and developers to mitigate risks associated with emerging tracking technologies.
Want More Context? 🔎
