Researchers describe FROST, a browser-based side-channel technique that can potentially let websites infer what other sites a visitor has open and which apps are running. The method, “Fingerprinting Remotely using OPFS-based SSD timing,” uses JavaScript to interact with the browser’s OPFS (Origin Private File System), which provides a per-site sandboxed storage area. While the OPFS is isolated from other websites and from the device’s broader filesystem, the technique measures timing differences caused by SSD contention. By issuing repeated random reads from a large OPFS file, the website observes latency variations that reflect activity competing for the same SSD resources. The research paper reports that attackers can apply a machine-learning model, described as a convolutional neural network trained on collected timing traces, to classify new traces and deduce user activity. Sources emphasize that the approach runs exclusively in the browser, does not require special extensions or permissions, and only needs the victim to open the page hosting the attack. The underlying idea is that unintended physical and timing effects of SSD operations can leak information that helps reconstruct other activity on the host system, including activity in other tabs and applications.
FROST attack lets websites infer visited sites and apps from SSD timing
- FROST is a technique that runs in the browser using JavaScript and OPFS-based SSD timing.
- Researchers say it can infer other websites open in tabs and the apps open on the user’s device.
- The method measures SSD contention and resulting I/O latency differences caused by concurrent activity.
- It uses a trained machine-learning model (reported as a convolutional neural network) to classify timing traces.
- The attack is described as requiring no special permissions, extensions, or native code—only that the user opens the site.
A malicious website can work out which sites you visit and which apps you open, using nothing but JavaScript and the timing of your SSD. The attack, called FROST, needs no native code, no extension, and no permission prompt. You open the page, leave the tab sitting there, and it watches the drive for contention in the background. Researchers at Graz University of Technology built it and
14 hours ago: Thanks to the newly detailed FROST technique, telltale SSD activity can be measured in the browser using simple JavaScript.
1 week ago: Websites have spent years collecting information about visitors through browser fingerprinting, tracking scripts, and other techniques designed to identify devices and monitor behavior. Researchers have demonstrated another method that relies on something most users would never expect a website to observe: activity on their SSD (Solid-State Drive), the storage device where applications and files are stored. Dubbed FROST, short for Fingerprinting Remotely using OPFS-based SSD Timing, the technique allows a website to infer information about … The post Websites can spy on user activity by analyzing SSD behavior appeared first on Help Net Security.
1 week ago: Websites Have a New Way To Spy On Visitors: Analyzing Their SSD Activity - Slashdot An anonymous reader quotes a report from Ars Technica: Now sites have a new way to spy on their visitors: measuring subtle interactions with their solid-state drives. The technique, named FROST (fingerprinting remotely using OPFS-based SSD timing), allows sites to monitor other sites a visitor... hardware.slashdot.org I can't remember which thread it was where people were talking about websites' ability to track users, I might have posted it there otherwise.
1 week ago: An anonymous reader quotes a report from Ars Technica: Now sites have a new way to spy on their visitors: measuring subtle interactions with their solid-state drives. The technique, named FROST (fingerprinting remotely using OPFS-based SSD timing), allows sites to monitor other sites a visitor is viewing and what apps are open on their devices. The technique, laid out in a research paper (PDF), exploits a side channel, a form of leak resulting from physical manifestations such as electromagnetic emanations, data caches, or the time required to complete a task. By measuring the manifestations, attackers can decrypt encrypted traffic and infer other confidential data. The attack that FROST uses is known as a contention side channel, which measures the interaction of various processes all using (or competing for) a given resource. By measuring the timing of certain I/O (input-output) operations of the SSD a visitor is using, the researchers were able to determine the websites open in other tabs -- even on other browsers -- and the apps that were open on the visitor's device. FROST requires no interaction from the visitor other than opening the site hosting the attack. [...] Unlike previous contention side-channel attacks on SSDs, FROST runs exclusively in the browser. It uses JavaScript that interacts with the OPFS (origin private file system), an allocated storage space that's reserved for a specific site to run code needed to complete a given task. Websites can create one with no interaction required by the visitor. While each file system is sandboxed, meaning it's isolated from other websites and from the device system itself, the JavaScript can measure the I/O interactions. Then, by running those interactions through a pretrained convolutional neural network -- a system that uses deep learning to analyze text, audio, and images -- the attacker can deduce various apps and websites open on the device.
"The attacker continuously measures SSD contention by performing random reads from a large OPFS file," the researchers explained. "SSD contention caused by user activity causes measurable latency differences for these read operations. By training a convolutional neural network (CNN) on these traces, the attacker can fingerprint user activity on the host system by classifying new traces using the trained model."
1 week ago: Telltale SSD activity can be measured in the browser using simple JavaScript.