A New Method for Website User Tracking via SSD, Named "FROST," Revealed

A novel method called "FROST," which uses SSD I/O timing measurements through browser JavaScript to infer user activity, has been unveiled in a research paper.

Reviewed & edited by the SINGULISM Editorial Team

The history of user tracking by websites is long and complex. Techniques like eavesdropping on browsing history, generating device fingerprints, and recording keystrokes or mouse movements in real-time have continuously evolved. Recently, revelations about Meta and Yandex being involved in privacy-invasive tracking methods sent shockwaves through the industry.

Now, a new method for websites to monitor visitors has emerged, targeting hardware itself—specifically SSDs (solid-state drives).

A New Method to Infer User Activity from SSD Behavior

The method is named “FROST,” short for “Fingerprinting Remotely using OPFS-based SSD Timing.” Details of the approach have been disclosed in a research paper. In essence, FROST uses JavaScript executed within the browser to measure subtle fluctuations in SSD input/output (I/O) timing, from which user activity can be inferred.

What can FROST reveal? According to researchers, this method can potentially identify websites open in other browser tabs and even detect applications running on the user’s device. Notably, users merely need to visit the attacking site—no additional actions are required.

The Mechanism of “Contention Side Channel”

The attack method utilized by FROST is known as a “contention side channel.” Side-channel attacks exploit physical phenomena like electromagnetic emissions, data cache behavior, or task completion times to extract information.

Contention side channels measure interference caused when multiple processes share or compete for the same resource. In the case of SSDs, simultaneous read/write operations by multiple applications or browser tabs create delays in I/O processing. FROST captures these variations in delay to deduce what is accessing the SSD.

Traditional contention side-channel attacks on SSDs often required direct access to the device. However, FROST lowers the attack threshold by operating entirely within the browser.

OPFS: A New Attack Vector

The key functionality leveraged by FROST is “OPFS” (Origin Private File System). OPFS provides sandboxed storage areas allocated to specific website domains, allowing websites to create files without user intervention.

Each file system is sandboxed and isolated from other websites and the device’s core system. While this design aims to enhance security, researchers discovered that JavaScript executed within this sandbox can measure SSD I/O timing.

Attackers repeatedly perform random read operations on large OPFS files, continuously measuring SSD contention. User activity causes contention that manifests as measurable latency differences, enabling inference of user behavior.
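
From a detection standpoint, the access pattern described above (sustained random reads against one large OPFS file) is distinctive. The following is an added example, not code from the paper or from this article: it scores hypothetical per-origin OPFS read telemetry against that pattern. The event fields, thresholds and sample origins are all assumptions constructed for illustration.

```javascript
// Added example. The event shape and every threshold are assumptions for illustration.
const DEFAULTS = { minFileBytes: 256 * 2 ** 20, minReads: 500, minReadsPerSec: 100, minScattered: 0.9 };
// Groups read events per origin+file and flags sustained, scattered reads on a large file.
function flagOpfsTimingProbes(events, opts = {}) {
  const cfg = { ...DEFAULTS, ...opts };
  const groups = new Map();
  for (const e of events) {
    if (e.op !== 'read') continue;
    const key = `${e.origin}|${e.file}`;
    if (!groups.has(key)) {
      groups.set(key, { origin: e.origin, file: e.file, fileBytes: 0, reads: 0, scattered: 0, first: e.t, last: e.t, next: null });
    }
    const g = groups.get(key);
    g.reads += 1;
    // A read is "scattered" when it does not start where the previous one ended.
    if (g.next !== null && e.offset !== g.next) g.scattered += 1;
    g.next = e.offset + e.length;
    g.last = e.t;
    g.fileBytes = Math.max(g.fileBytes, e.fileBytes);
  }
  const flagged = [];
  for (const g of groups.values()) {
    const seconds = Math.max((g.last - g.first) / 1000, 0.001);
    const readsPerSec = g.reads / seconds;
    const scattered = g.reads > 1 ? g.scattered / (g.reads - 1) : 0;
    if (g.fileBytes >= cfg.minFileBytes && g.reads >= cfg.minReads &&
        readsPerSec >= cfg.minReadsPerSec && scattered >= cfg.minScattered) {
      flagged.push({ origin: g.origin, file: g.file, reads: g.reads, scattered });
    }
  }
  return flagged;
}

// Constructed telemetry (not captured data): one probe-like origin and three benign ones.
function sampleEvents() {
  const ev = [];
  const add = (origin, fileBytes, n, length, stepMs, offsetOf) => {
    for (let i = 0; i < n; i++) {
      ev.push({ origin, file: 'data.bin', fileBytes, op: 'read', offset: offsetOf(i) % fileBytes, length, t: i * stepMs });
    }
  };
  add('https://probe.example', 2 ** 30, 2000, 4096, 1, (i) => i * 7919 * 4096);     // scattered, fast, large file
  add('https://editor.example', 8 * 2 ** 20, 128, 65536, 5, (i) => i * 65536);       // small file, sequential
  add('https://db.example', 512 * 2 ** 20, 60, 4096, 1000, (i) => i * 7919 * 4096);  // scattered but slow
  add('https://media.example', 2 ** 30, 1000, 2 ** 20, 2, (i) => i * 2 ** 20);       // fast but sequential
  return ev;
}

console.log(flagOpfsTimingProbes(sampleEvents()));
```

Legitimate OPFS-backed databases also issue scattered reads, so a hit is a signal for review and the thresholds need tuning against real workloads.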

Inferring User Behavior with Deep Learning

To interpret the measured timing data, FROST employs convolutional neural networks (CNNs). This deep learning technique, commonly used to analyze text, speech, and images, is applied to patterns in I/O timing.

Pre-trained CNN models analyze SSD access patterns to identify websites or applications being used by the user. In other words, raw timing data is fed into machine learning models, which extract meaningful information from subtle signal changes that humans cannot discern.

Security Risks from Expanding Browser Functionality

The authors of the research paper highlight how browsers have evolved from simple document viewing tools into sophisticated platforms. Companies like Google, Microsoft, and Adobe have developed comprehensive office suites, photo and video editing tools, and even integrated development environments (IDEs) that operate entirely within browsers.

“These functionalities enhance web applications and enable entirely new use cases, but they also expand the attack surface of browsers,” the authors note. They also emphasize that new vulnerabilities have already been identified in these advanced browser features.

FROST exemplifies how this expanded attack surface can be exploited. While OPFS is a useful feature for legitimate web applications, it can also serve as an entry point for side-channel attacks.

Is FROST a Practical Threat?

This method is unlikely to be immediately exploited by numerous websites. FROST’s accuracy depends on factors like SSD usage, device specifications, and background processes. Even the authors acknowledge that further testing is needed to understand its real-world precision and limitations.

However, the fact that a browser-based attack method has been successfully demonstrated cannot be ignored. Without any user action, merely visiting a malicious website could compromise privacy. Combined with phishing scams or targeted attacks, its potential threat is significant.

Future Challenges

The discovery of FROST raises questions about how security design should account for hardware behavior as browser-based applications become increasingly advanced. Traditional defense mechanisms like sandboxing are insufficient against hardware-level information leakage, as this case illustrates.

Web browsers are central to modern digital life, and the expansion of their attack surfaces seems inevitable. How research like FROST impacts future browser development and security standards remains to be seen.

Frequently Asked Questions

What is FROST?

FROST stands for "Fingerprinting Remotely using OPFS-based SSD Timing." It uses JavaScript executed in browsers to measure SSD I/O timing and infer user activity, including websites open in other tabs or applications running on the device. Details have been published in a research paper.

How can I protect my browser from FROST attacks?

Currently, there is no established defense against FROST. However, avoiding access to untrusted websites is a basic precaution. Browser developers may need to consider restricting OPFS functionality or randomizing I/O operation timing as countermeasures.

Has FROST been used in real-world attacks?

FROST remains a research-stage method with no confirmed cases of real-world exploitation. However, given its browser-based nature, the risk of misuse cannot be disregarded.

Source: Wired
