Websites employ FROST to spy on users via SSD activity and detect open tabs in browsers

A new tracking technique allows websites to monitor visitors’ solid-state drive (SSD) activity. This methodology, called FROST (fingerprinting remotely using OPFS-based SSD timing), makes it possible to detect other open websites and applications running on users’ devices. The discovery intensifies the debate about digital privacy.

The ability to measure subtle interactions with SSDs directly from the browser represents an expansion of the ways in which online browsing can be observed. This practice adds to a series of ingenious techniques used over the decades to track visitors’ browsing history, device fingerprints, and real-time interactions such as keystrokes and mouse movements. Companies like Meta and Yandex, for example, have recently been singled out for participating in similar practices.

FROST: The monitoring technique via SSD

The FROST technique exploits a side channel, a form of data leakage that arises from physical manifestations including data caches or task completion times. By measuring these manifestations, attackers can infer sensitive data or, in this case, identify user activity. The method does not require any interaction from the visitor, just that the website hosting the attack is accessed.

This attack uses a contention side channel, which evaluates the interaction of multiple processes that share or compete for the same resource. Researchers were able to determine which websites were open in other tabs, including different browsers, and which applications were in use on the visitor’s device. This was made possible by measuring the time of certain input/output (I/O) operations of the SSD that the user was using.

How monitoring occurs in the browser

FROST runs exclusively in the browser. JavaScript interacts with OPFS (origin private file system), a storage space allocated and reserved for a specific website, where the code necessary for a task is executed. Sites can create an OPFS without the need for direct visitor interaction, making it easier to start monitoring.

Even with each file system isolated in a sandbox, separate from other websites and the device’s operating system, JavaScript can measure input/output interactions. Afterwards, these interactions are processed by a pre-trained convolutional neural network (CNN). This deep learning system analyzes text, audio and images, allowing the attacker to deduce which applications and websites are active on the user’s device. SSD contention, caused by user activity, generates measurable latency differences.

Limitations and challenges of the FROST technique

The FROST technique has some important limitations that may make it difficult to apply on a large scale. First, the OPFS file used for random reads needs to be extremely large, typically a gigabyte or more. This requirement increases the probability of detection by users and can require considerable resources.

Another restriction is that the OPFS file must be stored on the same SSD that the visitor is using. For tracking open websites, this is usually not a problem, as the OPFS file is stored in the browser’s default location. However, if the applications are installed on a separate SSD, they would not be discoverable by FROST.

Recommended preventive measures:

  • Close browser tabs as soon as they are no longer needed.
  • Monitor the creation and size of OPFS files by unknown sites.
  • Browser manufacturers may limit the maximum size allowed for these files, reducing the effectiveness of the attack.
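
One way to act on the second recommendation, as an added example that is not from the article or the researchers: a Python script that totals on-disk storage per origin in a browser profile and flags any origin at or above the one-gigabyte size mentioned above. It assumes a profile layout with one subdirectory per origin (Firefox's `storage/default` is laid out this way; that path and the function names are assumptions made here).

```python
import os
import sys

GIB = 1024 ** 3
# Threshold from the article: the OPFS file is "typically a gigabyte or more".
THRESHOLD_BYTES = 1 * GIB


def origin_usage(storage_root):
    """Return {origin_dir_name: total_bytes} for each per-origin subdirectory.

    Assumption: every immediate subdirectory of storage_root holds the
    storage (OPFS, IndexedDB, cache, ...) of exactly one origin.
    """
    usage = {}
    for entry in os.scandir(storage_root):
        if not entry.is_dir(follow_symlinks=False):
            continue
        total = 0
        for dirpath, _dirs, files in os.walk(entry.path):
            for name in files:
                try:
                    total += os.lstat(os.path.join(dirpath, name)).st_size
                except OSError:
                    pass  # file removed while the browser was running
        usage[entry.name] = total
    return usage


def flag_large_origins(storage_root, allowlist=(), threshold=THRESHOLD_BYTES):
    """Return [(origin, bytes)] at or above threshold, largest first.

    Origins in allowlist (sites the user knowingly lets store large
    files) are skipped so that only unknown sites are reported.
    """
    hits = [(origin, size)
            for origin, size in origin_usage(storage_root).items()
            if size >= threshold and origin not in allowlist]
    return sorted(hits, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    # Usage: python opfs_audit.py <path to the per-origin storage directory>
    for origin, size in flag_large_origins(sys.argv[1]):
        print(f"{size / GIB:6.2f} GiB  {origin}")
```

The totals cover all storage types for an origin, not only OPFS, so a hit is a prompt to inspect that site's data rather than proof of FROST-style activity.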

There is no evidence that FROST attacks have been carried out in practice. The research seeks to raise awareness about the vulnerability.

Research and performance tests of the technique

The researchers performed a full FROST attack on a Mac equipped with an M.2 processor. In tests on Linux, they demonstrated the functioning of the underlying mechanism, which involves measuring SSD access latency from JavaScript. Although the full attack has not been performed on this platform, the primitive functionality has been proven.

Hannes Weissteiner, one of the paper’s co-authors, noted that primitive function performance is similar between macOS and Linux. He expects similar performance for full classification on these systems. Weissteiner also stated that, in principle, it would be possible to train a model on any system activity that reliably generates SSD accesses. Testing has not been extended to the Windows operating system.