Web browsers can spy on information via SSD access times
IT researchers have demonstrated a side-channel attack called "FROST" where browsers can spy on user behavior via SSD access times.
IT researchers have given the name “FROST” to a privacy attack that measures SSD access times. Web browsers, for example, can spy on which websites users have visited.
The researchers use high-resolution timers that are available in web browsers today, they write in their paper. In their side-channel attack, they use JavaScript to write files to an SSD via the “Origin Private File System” API (OPFS) and read them back. The resulting load on the drive causes delays when other applications also access the SSD. Attackers measure these delays and use them to recognize patterns. To achieve this, the researchers have found a way to bypass the operating system's page cache, which allows them to measure SSD access times directly.
All of this happens within the browser sandbox – without user interaction and without needing to start local programs, directly from the web browser. They tested the attacks on Linux and macOS. Their covert channel transmitted about 660 bits per second on Linux and 892 bits per second on macOS. On macOS, they were able to determine with high probability which websites users had accessed (88.95 percent), and even which apps they had accessed (95.83 percent).
Refined Attack
Such attacks have been demonstrated before, including by researchers from TU Graz such as Daniel Gruss, Fabian Rauscher, and Jonas Juffinger, who also contributed to the FROST paper. They are apparently based on multiple apps accessing SSDs simultaneously, leading to increased latencies or blockages for other processes' requests. The researchers speak of contention. Different websites and apps exhibit quite specific access patterns and thus delays, which represent a kind of digital fingerprint. Further details can be found in the researchers' studies.
The IT researchers describe an attack scenario where attackers trick victims into visiting a malicious website that delivers the attack code. The web browser executes the code within the sandbox without special privileges. Attackers can thus read information about the victim's behavior from the system. The team also assumes that the website simply remains open while the victim does something else, which is quite realistic depending on the design of the attack page. The malicious website can then determine the SSD's timing and thus ascertain which websites and apps are open.
As part of responsible disclosure, the researchers informed the browser manufacturers: Google generally does not consider fingerprinting attacks to be security vulnerabilities, Apple currently classifies FROST as outside its scope, and Mozilla has acknowledged the findings but has not yet taken countermeasures.
(dmk)