New Hard Drive Spy Technique Lets Websites Track You

For decades, websites have employed increasingly clever methods to secretly monitor visitors,tracking browsing histories, capturing device fingerprints, and logging keystrokes and mouse movements in real time. Even tech giants like Meta and Yandex have been caught participating in these privacy-invasive practices.

Now, a new surveillance technique gives websites another way to spy on users: by measuring subtle interactions with their solid-state drives (SSDs). Dubbed FROST (fingerprinting remotely using OPFS-based SSD timing), this method allows sites to detect which other sites a visitor is viewing and what applications are running on their device.

The technique, detailed in a recent research paper, exploits a side channel,a form of data leakage caused by physical phenomena such as electromagnetic emissions, data caches, or the time required to complete a task. By measuring these manifestations, attackers can decrypt encrypted traffic and infer other sensitive information.

FROST uses a specific type of side channel known as a contention side channel, which measures how different processes compete for the same resource. By timing input-output (I/O) operations on the visitor’s SSD, researchers could determine which websites were open in other browser tabs,even across different browsers,and which apps were active on the device. The attack requires no interaction from the visitor beyond opening the site that hosts it.

“Web browsers have evolved from simple document viewers into complex platforms capable of running sophisticated applications,” the paper’s authors wrote. “Companies like Google, Microsoft, and Adobe have developed full-fledged office suites, photo- and video editors, or even integrated development environments (IDEs) that run entirely within the browser.” They added: “While these features enhance the capabilities of web applications and allow completely novel use cases, they also increase the browser’s attack surface, and some have already been shown to introduce new vulnerabilities.”

Unlike previous contention side-channel attacks on SSDs, FROST operates entirely within the browser. It uses JavaScript that interacts with the OPFS (origin private file system),a dedicated storage space reserved for a specific website to run code needed for tasks. Websites can create such a file system without any visitor interaction.

Although each OPFS is sandboxed and isolated from other websites and the device system, the JavaScript can measure I/O interactions. By feeding these measurements through a pretrained convolutional neural network,a deep learning system that analyzes text, audio, and images,the attacker can identify various apps and websites open on the device.

“The attacker continuously measures SSD contention by performing random reads from a large OPFS file,” the researchers explained. “SSD contention caused by user activity causes measurable latency differences for these read operations. By training a convolutional neural network (CNN) on these traces, the attacker can fingerprint user activity on the host system by classifying new traces using the trained model.”

The technique does have limitations. The OPFS file must be extremely large,likely a gigabyte or more,which means large-scale attacks would be noticeable to many users. Additionally, the OPFS file must reside on the same SSD the visitor is using. This is generally not an issue for tracking open websites, since the OPFS file is stored in the browser’s default location. However, if apps are stored on a separate SSD, FROST cannot detect them.

One of the simplest ways to defend against FROST attacks is to close tabs as soon as they are no longer needed. More advanced users can monitor the creation and size of OPFS files allocated by unknown websites. The researchers also proposed that browser makers could shut down this side channel, for example by limiting the maximum size of such files. There is no evidence that FROST attacks have been carried out in the wild.