Researchers Say They Can Spy On Your Browsing By Measuring SSD Activity Through A Browser API

Accepted submission by Arthur T Knackerbracket at 2026-05-29 08:07:15
Security

https://www.tomshardware.com/tech-industry/cyber-security/researchers-say-they-can-spy-on-your-browsing-by-measuring-ssd-activity-through-a-browser-api [tomshardware.com]

FROST exploits the Origin Private File System (OPFS), a browser API that lets websites create and store files on a user's local disk without prompting for permission. Previous SSD side-channel attacks [tomshardware.com] that we’ve seen require native code running through privileged kernel interfaces, but FROST eliminates that requirement.

The attack creates a large OPFS file on the victim's SSD. Both Chrome and Safari allow a website to claim up to 60% of total disk space through OPFS, which on a 256GB drive is over 150GB. The file must exceed the system's available RAM so that every random 4 KB read hits the SSD rather than the OS's page cache. When other activity generates its own disk I/O, it creates measurable latency spikes in the attacker's reads, and those timing patterns are fed into a convolutional neural network trained to recognize specific websites and applications by their I/O signatures.

Because the contention occurs at the storage level, the attack works across browsers; running the attacker page in Chrome while the victim browsed in Safari showed only a 3.38% throughput difference versus a same-browser attack.

The full fingerprinting attack was only tested on an M2 Mac Mini with 8GB of RAM and a 256GB SSD. On Linux, the researchers confirmed they could measure SSD latency from the browser, but didn’t run the full fingerprinting classification, and Windows wasn’t tested at all. The OPFS file must also reside on the same physical SSD as the monitored activity, which isn’t guaranteed on multi-drive workstations.

By far the biggest barrier to this attack is the large file size: most people will notice tens or hundreds of gigabytes suddenly disappearing. The researchers propose mitigations, including capping OPFS file sizes to fit within system memory or requiring explicit permission for OPFS file creation. Given that Google doesn't classify fingerprinting as a security issue [tomshardware.com], browser-level fixes are unlikely in the near term.
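
The two proposed mitigations can be modelled as a storage-quota policy and compared with the 60%-of-disk behaviour. This is an added example, not code from the researchers or from any browser; `makeQuotaManager`, `fillUntilStopped` and the policy names are hypothetical, and the machine and origin are constructed from the tested configuration described above.

```javascript
// Added example: hypothetical quota manager, not a real browser API.
const GB = 1e9; // decimal gigabytes, as drive capacities are quoted

// policy: "share-of-disk" (60% behaviour described above),
//         "cap-to-ram" or "prompt" (the two proposed mitigations)
function makeQuotaManager({ diskBytes, ramBytes, policy, diskShare = 0.6 }) {
  const usage = new Map();   // origin -> bytes held in OPFS
  const granted = new Set(); // origins approved by the user ("prompt" only)
  const byDisk = diskBytes * diskShare;
  const limit = policy === "cap-to-ram" ? Math.min(byDisk, ramBytes) : byDisk;
  const held = (origin) => usage.get(origin) || 0;

  return {
    grant(origin) { granted.add(origin); },
    // Decide one request to grow an origin's OPFS usage by `bytes`.
    requestWrite(origin, bytes) {
      if (policy === "prompt" && !granted.has(origin)) {
        return { decision: "prompt", total: held(origin) };
      }
      const total = held(origin) + bytes;
      if (total > limit) return { decision: "deny", total: held(origin) };
      usage.set(origin, total);
      return { decision: "allow", total };
    },
    // True once the origin's file is larger than RAM, i.e. it can no
    // longer fit in the page cache (the precondition stated above).
    exceedsRam(origin) { return held(origin) > ramBytes; },
  };
}

// Issue 1 GB writes until the manager stops allowing them.
function fillUntilStopped(manager, origin, chunk = GB, maxChunks = 400) {
  let result = { decision: "allow", total: 0 };
  for (let i = 0; i < maxChunks && result.decision === "allow"; i++) {
    result = manager.requestWrite(origin, chunk);
  }
  return { ...result, exceedsRam: manager.exceedsRam(origin) };
}

// Constructed machine matching the tested configuration: 256GB SSD, 8GB RAM.
const machine = { diskBytes: 256 * GB, ramBytes: 8 * GB };
const origin = "https://site.example"; // placeholder origin

for (const policy of ["share-of-disk", "cap-to-ram", "prompt"]) {
  const r = fillUntilStopped(makeQuotaManager({ ...machine, policy }), origin);
  console.log(policy, r.decision, r.total / GB + " GB", "exceedsRam=" + r.exceedsRam);
}
```

Under the cap the origin stops at 8 GB and never holds a file larger than RAM; under the prompt policy nothing is written until the user grants the origin.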

Luke James is a freelance writer and journalist. Although his background is in legal, he has a personal interest in all things tech, especially hardware and microelectronics, and anything regulatory.