Almost everyone wants to keep their Internet activity private. Even if you don’t visit embarrassing sites, you probably want to make sure that Facebook doesn’t decide which ads to show you. But even if you can minimize the extent to which your browser spies on your browsing history, potential hackers can use your own Solid State Drive (SSD) against you and learn about your Internet habits.
Recently, researchers from the Graz University of Technology in Austria published a study that found hackers can potentially spy on their victims without lifting a finger. All a person needs to do is visit a website full of malicious code and own a computer equipped with an SSD. The attack, known as Fingerprinting Remotely using OPFS-based SSD Timing (FROST), uses a file system access API built into many browsers to essentially hijack the victim’s SSD. FROST achieves this feat through simple JavaScript code that measures latency (a “fingerprinting attack”) through a side channel, which is a backdoor for indirect data leaks.
Previous attempts to carry out such an attack required hackers to install and run native code on a target system, but FROST removes this limitation: it only needs the browser and the aforementioned JavaScript code. According to the research paper, FROST was able to correctly identify websites visited by a test system with up to 89% accuracy. However, when used on a Mac system, the technique’s spying accuracy increased to 96%. Perhaps if you want to avoid a potential FROST attack, this is a scenario where Windows systems win out over Mac.
How FROST works
NAJA x/Shutterstock
As previously noted, a FROST attack does not require the victim to do anything other than visit the wrong website and own an SSD. Then the JavaScript code takes over. But what exactly is it for? How does he hijack your SSD and use it against you?
According to the University of Graz research paper, FROST first takes control of the Origin Private File System (OPFS) and uses it to create an isolated file system on the target’s SSD. Depending on the browser, more than 60% of disk space may be reserved for this task. The size of this file should be larger than the available RAM so that random bits of the data read can bounce to the SSD instead of the page cache.
FROST leverages the high input/output (I/O) performance and low latency of an SSD compared to hard disk drives (HDD). An independent activity creates its own I/O, which produces a tangible spike in latency. The timing of this spike is powered by a convolutional neural network (CNN), which complements the fingerprint by classifying new traces (records of a query’s journey through a system). Of course, if CNN is poorly trained, it will not be able to identify many visited websites. But given the popularity of certain websites (like Google and YouTube), there’s a good chance that any CNN can correctly identify latency spikes.
What users can do to avoid such attacks
Mf3d/Getty Images
Currently, FROST is nothing more than a proof of concept: researchers at Graz University of Technology wanted to demonstrate that the vulnerability exists, as well as what it does and how it works. Hackers haven’t yet used a FROST attack to spy on your SSD, but they could. Unless, of course, you take precautionary measures: these hackers aren’t looking for your passwords, so you don’t have to worry about avoiding common password hacking methods (in this scenario, anyway).
If, in a hypothetical future, malicious actors began using their own FROST attacks, a potential victim’s first line of defense would be their own eyes. If you’re tracking your SSD and notice hundreds of gigabytes disappearing, you might be experiencing FROST. Then again, unless you like downloading gargantuan games like “Call of Duty” or “Microsoft Flight Simulator,” suddenly losing a significant portion of your drive is often a surefire sign of malware in general.
Given the ubiquitous nature of the OPFS API, it is difficult (but not impossible) to find a browser that does not use this feature. So you can avoid a potential FROST attack by relying on programs without OPFS APIs to browse the Internet. Then again, Google Chrome was one such browser, which is why researchers at the University of Graz suggested tweaking computer systems to always ask for permission to create OPFS files. It will be annoying – you need to make sure your computer uses the File System Access API to save information directly to your local device – but it will prevent hackers from tracking your browsing history right under your nose.
