
Security researchers have demonstrated a new browser-based side-channel attack that can monitor user activity by measuring subtle timing variations in SSD access, allowing malicious websites to infer which sites users visit and which applications they launch.
The attack, named FROST (Fingerprinting Remotely using OPFS-based SSD Timing), abuses the browser's Origin Private File System (OPFS) API, a feature supported by Chrome, Firefox, and Safari that allows web applications to store data locally without requesting user permissions. The researchers showed that a malicious website can use OPFS to measure storage latency and detect contention on a victim's SSD, effectively turning the browser into a sensor that can observe activity elsewhere on the system.
The work was carried out by researchers at the Graz University of Technology and Liebherr-Transportation Systems.
How the attack works
The attack begins when a victim visits an attacker-controlled website and leaves the tab open. The malicious page creates a large file in OPFS and continuously performs random reads while timing how long each read takes. When the user opens websites or launches applications, those activities generate their own SSD traffic. The resulting contention causes measurable latency changes that the attacker's code can capture and analyze.
One of the key technical challenges was bypassing operating system caching mechanisms that normally prevent repeated disk reads from reaching the SSD. Instead of trying to evict cached data, the researchers created files larger than system memory, ensuring that accesses would continue to hit the physical drive and generate measurable timing signals.
To improve accuracy, the attack site can enable cross-origin isolation policies that restore access to high-resolution timers in modern browsers, allowing more precise latency measurements.
To evaluate the technique, the researchers first built a covert communication channel between a native application and a malicious website using SSD contention as the signaling mechanism. The browser-based receiver achieved a true channel capacity of 661.63 bits per second on Linux and 891.77 bits per second on macOS, demonstrating that SSD timing signals can be measured remotely with surprising reliability.
While these speeds are modest compared to conventional networking, they are more than sufficient for leaking metadata and user activity information.
Website and application fingerprinting
The researchers used the technique to identify websites and applications based solely on the SSD activity they generated.
For website fingerprinting, they collected traces from visits to the top 50 websites and trained a convolutional neural network to classify the resulting SSD timing patterns. The attack achieved an 88.95% F1 score in a closed-world setting and 86.95% in an open-world setting, indicating that many websites produce distinct storage-access signatures.
The team also tested application fingerprinting against ten preinstalled macOS applications, including Safari, Maps, Music, TV, Calculator, App Store, Contacts, and System Settings. The model achieved an F1 score of 95.83%, indicating that application launches can often be distinguished by the storage activity generated during startup.
The attack works across browsers because it relies on storage activity at the operating system level rather than within a specific browser process. A malicious page running in Chrome could potentially observe activity generated by Safari or native applications on the same machine.
Browser vendors notified
The researchers disclosed their findings to Google, Mozilla, and Apple before publication. According to the paper, Chromium developers stated that fingerprinting attacks are not considered security vulnerabilities. Apple reportedly classified the issue as currently out of scope but indicated mitigations may be considered in the future, while Mozilla acknowledged the findings but has not yet implemented protections.
As potential mitigations, the researchers suggest limiting the size of OPFS storage, restricting access to high-resolution timers when OPFS is used, or requiring explicit user permission before websites can access the feature. However, they acknowledge that such measures could reduce the usefulness of OPFS for legitimate web applications.
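From a defender's side, the behaviour described under "How the attack works" (a file larger than system memory, read at scattered offsets at a sustained rate, optionally with cross-origin isolation enabled) can be scored from per-origin storage telemetry. The sketch below is an added example, not code from the paper or from any browser; the trace record shape, the thresholds and the sample traces are all assumptions constructed for illustration.

```javascript
// Thresholds are assumptions for illustration; tune them against real telemetry.
const LIMITS = { readsPerSec: 200, randomRatio: 0.8, fileToRam: 1.0 };

// trace.reads: [{ tMs, offset, length }] in time order (hypothetical record shape).
function scoreOpfsTrace({ reads, fileBytes, ramBytes, crossOriginIsolated }) {
  const reasons = [];
  if (reads.length < 2) return { suspicious: false, reasons };
  const spanSec = (reads[reads.length - 1].tMs - reads[0].tMs) / 1000;
  const rate = spanSec > 0 ? reads.length / spanSec : Infinity;
  // A read counts as random when it does not start where the previous one ended.
  let random = 0;
  for (let i = 1; i < reads.length; i++) {
    const prevEnd = reads[i - 1].offset + reads[i - 1].length;
    if (reads[i].offset !== prevEnd) random++;
  }
  const randomRatio = random / (reads.length - 1);
  // A file as large as RAM cannot be held entirely in the OS page cache.
  if (fileBytes / ramBytes >= LIMITS.fileToRam) reasons.push("file-exceeds-ram");
  if (rate >= LIMITS.readsPerSec && randomRatio >= LIMITS.randomRatio)
    reasons.push("sustained-random-reads");
  if (crossOriginIsolated) reasons.push("high-resolution-timers");
  // Flag only when both core conditions hold; timer access alone is common and benign.
  const suspicious = reasons.includes("file-exceeds-ram") &&
    reasons.includes("sustained-random-reads");
  return { suspicious, reasons, rate, randomRatio };
}

const GiB = 2 ** 30;
// Constructed sample: 500 scattered 4 KiB reads in about one second on a 20 GiB file.
function constructedProbeTrace() {
  const reads = Array.from({ length: 500 }, (_, i) =>
    ({ tMs: i * 2, offset: i * 7919 * 4096, length: 4096 }));
  return { reads, fileBytes: 20 * GiB, ramBytes: 16 * GiB, crossOriginIsolated: true };
}
// Constructed sample: a web app reading a 50 MiB file front to back.
function constructedAppTrace() {
  const reads = Array.from({ length: 40 }, (_, i) =>
    ({ tMs: i * 50, offset: i * 4096, length: 4096 }));
  return { reads, fileBytes: 50 * 2 ** 20, ramBytes: 16 * GiB, crossOriginIsolated: false };
}

console.log(scoreOpfsTrace(constructedProbeTrace()).reasons);
console.log(scoreOpfsTrace(constructedAppTrace()).suspicious);
```

A signal like this would let a browser apply the suggested mitigations (a permission prompt, coarser timers) only to origins that show the pattern, rather than to every OPFS user.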