Researchers have developed a new way for websites to detect other open applications and websites on the device by analyzing users’ SSD activities. This technique, called FROST, is based on browser-based JavaScript codes measuring I/O interactions in the storage unit.

Although the document systems are isolated from each other, this method creates an information trail using latencies on the SSD. This information obtained can be processed with a pre-trained convolutional boundary network model and the activities on the user’s device can be classified.

Working principle and limitations of FROST attack

To implement this system, attackers create a large-sized OPFS document through the browser and always perform random reading processes. Other tasks users perform on their devices create contention on the SSD, causing measurable differences in read latencies.

For this technique to be successful, the attacker needs a large document of at least one gigabyte in size. This increases the possibility of the raid being noticed by users if it is widely implemented.

In addition, in order for the attack to occur, the relevant document must be stored on the SSD that the user actively uses. If applications are running on a different SSD, the FROST technique cannot detect these applications.

Security measures and future work

Researchers state that one of the most effective protection systems against FROST attacks is to close unneeded browser tabs. Conscious users can also take precautions by checking the size and existence of suspicious OPFS files created by the browser.

One suggested solution for browser developers is to impose strict limits on the document sizes that websites can create. In this way, it is aimed to prevent side channel attacks.

So far, there has been no evidence of FROST attacks being used in the real world. The research group ran its full offensive tests on a Mac with an M2 processor.

A similar basic mechanism was observed to work on Linux systems, but a full-scale attack was not attempted. The researchers did not conduct any random testing on the Windows operating system.

Hannes Weissteiner, one of the co-authors of the study, states that similar results are expected due to the performance similarities between macOS and Linux. Full technical details are planned to be presented at the DIMVA conference to be held in July.

How big of a threat do you think these new generation browser-based tracking systems pose to internet security?