Websites can spy on you by measuring SSD activity through a browser API

Researchers from the Graz University of Technology, Austria, have published a paper on a side-channel attack that allows a malicious site to identify what other sites and applications a user has open. The attack measures the latency of SSD access through JavaScript, within a standard browser sandbox environment, without additional permissions and without any user interaction other than opening the attacking page.

The technique is called FROST, short for Fingerprinting Remotely using OPFS-based SSD Timing. In a test on a Mac computer, it recognized visited sites with about 89 percent accuracy and identified running applications with about 96 percent accuracy. Notably, the method works across different browsers.

The FROST attack uses SSD latency for tracking

FROST uses the Origin Private File System (OPFS), a browser API that lets sites create and store files on the local disk without asking for special permission. Earlier SSD side-channel attacks generally required native code and access to privileged kernel interfaces; FROST removes that requirement.

The malicious site starts by creating a large OPFS file on the user's SSD. Chrome and Safari allow a site to take up to 60 percent of the total disk space through OPFS, which on a 256 GB SSD means more than 150 GB. The file must be larger than the available RAM so that random 4 KB reads actually hit the SSD rather than the operating system cache.

When other applications or sites work with the disk, they create measurable spikes in latency. Those patterns are then fed into a convolutional neural network trained to recognize sites and apps by their I/O signature. Since the attack takes place at the level of the storage device, it can also work when the attacking page is open in one browser and the user browses in another.

The researchers reported the findings to Google, Apple and Mozilla. Google does not consider fingerprinting to be a security flaw, Apple has rated the attack as currently out of scope, while Mozilla has received the findings but has not issued any fixes.

The biggest limitation of the FROST attack is the size of the required file. Most users would notice if tens or hundreds of gigabytes of space suddenly disappeared. The researchers therefore suggest limiting OPFS files to a size that fits in system memory, or requiring explicit permission to create them, reports Tom's Hardware.
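
Why the file must exceed RAM, and why the proposed size limit removes the signal, can be checked with a toy model. This is an added example, not code from the researchers or the article: a simulated LRU page cache in JavaScript with constructed, scaled-down page counts and hypothetical function names, assuming uniform random reads and that all RAM acts as cache.

```javascript
// Added example: toy page-cache model, not the researchers' code.
// Sizes are counted in 4 KB pages; all numbers are constructed and scaled down.

// Small deterministic PRNG (mulberry32) so every run gives the same result.
function makeRng(seed) {
  let s = seed >>> 0;
  return function () {
    s = (s + 0x6d2b79f5) >>> 0;
    let t = s;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Fraction of uniform random page reads that miss an LRU cache and would
// therefore reach the storage device. An unmeasured warm-up phase runs first.
function storageHitRate(filePages, cachePages, reads = 20000, seed = 1) {
  const rng = makeRng(seed);
  const cache = new Map(); // Map keeps insertion order: first key is the LRU page
  const warmup = reads;    // same number of reads again, only to fill the cache
  let misses = 0;
  for (let i = 0; i < warmup + reads; i++) {
    const page = Math.floor(rng() * filePages);
    if (cache.has(page)) {
      cache.delete(page);  // hit: re-inserted below as most recently used
    } else {
      if (i >= warmup) misses++;
      if (cache.size >= cachePages) cache.delete(cache.keys().next().value);
    }
    cache.set(page, true);
  }
  return misses / reads;
}

// Mitigation suggested in the article: cap the file at what fits in memory.
function cappedFilePages(requestedPages, ramPages) {
  return Math.min(requestedPages, ramPages);
}

const ramPages = 1000;   // constructed: stands in for system RAM
const wanted = 10000;    // constructed: a file ten times larger than RAM
console.log("uncapped:", storageHitRate(wanted, ramPages));
console.log("capped:  ", storageHitRate(cappedFilePages(wanted, ramPages), ramPages));
```

With the file ten times the cache size, about nine in ten reads reach the device and can be delayed by other I/O; once the file is capped at the cache size, no reads reach it after warm-up, so there is nothing left to time.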
