Websites can spy on user activity by analyzing SSD behavior
Websites have spent years collecting information about visitors through browser fingerprinting, tracking scripts, and other techniques designed to identify devices and monitor behavior. Researchers have demonstrated another method that relies on something most users would never expect a website to observe: activity on their SSD (Solid-State Drive), the storage device where applications and files are stored.
Dubbed FROST, short for Fingerprinting Remotely using OPFS-based SSD Timing, the technique allows a website to infer information about websites and applications active on a user’s system.
A browser feature becomes an attack vector
FROST is a side-channel attack, a category of attacks that extracts information from indirect signals generated by a system. In this case, the signal comes from SSD contention, which occurs when multiple programs compete for access to the same storage device.
High-level overview of the FROST attack (Source: Research paper)
By measuring the timing differences created by that competition, a website can collect information about activity occurring elsewhere on a system.
Previous SSD-based side-channel attacks required software running directly on a device. FROST moves the attack into the browser.
The technique relies on the Origin Private File System (OPFS), a browser feature that gives websites their own sandboxed storage area for saving data locally. According to the authors, the work represents the first demonstration of an attack that exploits OPFS to leak information from a victim’s system through JavaScript running in a browser.
A user only needs to visit a webpage hosting the attack code. No malware, browser extensions, elevated privileges, or software installation are required.
The authors also demonstrated that the same mechanism can be used to establish a communication channel through SSD contention.
The researchers say the findings reflect a broader shift in how web browsers are used.
“Web browsers have evolved from simple document viewers into complex platforms capable of running sophisticated applications. Companies like Google, Microsoft, and Adobe have developed full-fledged office suites, photo- and video editors, or even integrated development environments (IDEs) that run entirely within the browser,” the paper authors wrote.
“Moving applications to the web allows them to be platform independent, accessible and always up-to-date. However, this shift also introduces new security and privacy challenges,” they added.
Limitations and mitigations
The technique comes with several practical limitations. Long-running measurements require a large OPFS file, which can consume a noticeable amount of storage space. Users who monitor available disk space may be able to spot unusual storage usage associated with the attack.
FROST also depends on the targeted activity occurring on the same SSD that the attack is measuring. Website fingerprinting is less affected by this requirement because OPFS files are stored in the browser’s default location. Application fingerprinting may be less reliable on systems that use separate drives for different workloads.
The attack does not provide direct access to files stored on a device and does not bypass browser sandboxing protections.
Several mitigations are discussed in the paper. These include limiting the amount of storage available through OPFS, reducing the precision of timing information available to websites, and alerting users when websites store unusually large amounts of data.
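To make the second of those mitigations concrete, the following is an added illustration, not code from the paper or from any browser vendor. It models a page-visible timer that is quantized to a fixed granularity and jittered (an assumed model of how browsers already coarsen performance.now()), feeds it constructed storage-latency samples for an "idle" and a "contended" SSD, and reports how often a one-sample threshold classifier can still tell the two apart. The latency values, the 1/10/100/1000 µs grid and the seeded generator are all constructed for the demo.

```javascript
// Added illustration (not the paper's code): why coarsening the timer a page
// can read blunts an SSD-contention side channel. All latencies below are
// constructed, not measured.

// Small deterministic LCG so the demo is reproducible offline.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (s * 1664525 + 1013904223) >>> 0;
    return s / 4294967296;
  };
}

// Constructed storage-access latencies in microseconds: a fixed mean plus
// uniform noise of +/- jitterUs.
function sampleLatencies(rng, meanUs, jitterUs, n) {
  const out = [];
  for (let i = 0; i < n; i++) out.push(meanUs + (rng() - 0.5) * 2 * jitterUs);
  return out;
}

// Mitigation: snap a timestamp to a grid of granularityUs after adding a
// random offset below one grid step (assumed model of the jittered clock
// coarsening browsers apply to the timers exposed to JavaScript).
function coarsen(tUs, granularityUs, rng) {
  return Math.floor((tUs + rng() * granularityUs) / granularityUs) * granularityUs;
}

// How often a naive single-sample classifier (threshold halfway between the
// two means) tells "idle" from "contended" once the timer is coarsened.
function classifierAccuracy(granularityUs, seed = 1) {
  const rng = makeRng(seed);
  const idleMean = 40, busyMean = 60, jitter = 5, n = 500;   // constructed
  const idle = sampleLatencies(rng, idleMean, jitter, n);
  const busy = sampleLatencies(rng, busyMean, jitter, n);
  const threshold = (idleMean + busyMean) / 2;
  let correct = 0;
  for (const t of idle) if (coarsen(t, granularityUs, rng) <= threshold) correct++;
  for (const t of busy) if (coarsen(t, granularityUs, rng) > threshold) correct++;
  return correct / (2 * n);
}

// Sweep several timer granularities: the two classes are perfectly separable
// at 1 µs resolution and become close to a coin flip at 1 ms.
function sweep() {
  const result = {};
  for (const g of [1, 10, 100, 1000]) result[g] = classifierAccuracy(g);
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(sweep());
}
```

The sweep shows the trade-off behind the mitigation: at microsecond resolution every sample reveals whether the drive was busy, while at millisecond resolution a single reading carries almost no information and an attacker is pushed toward averaging many samples, which is exactly what the large OPFS file and long measurement windows described above make visible.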
The findings were responsibly disclosed to Google, Mozilla, and Apple before publication. The Chromium team stated that it does not consider fingerprinting attacks to be security vulnerabilities. Apple considered the attack out of scope, although it indicated that mitigations may be implemented in the future. Mozilla acknowledged the findings but had not implemented mitigations at the time of publication.