Over the decades, there has been no shortage of sites using clever techniques to covertly track visitors’ browsing histories, device fingerprints, and keystrokes and mouse movements in real time. Even Meta and Yandex were recently caught joining in the privacy-invasive free-for-all.

Now sites have a new way to spy on their visitors: measuring subtle interactions with their solid-state drives. The technique, named FROST (fingerprinting remotely using OPFS-based SSD timing), allows sites to monitor other sites a visitor is viewing and what apps are open on their devices.

The technique, laid out in a research paper, exploits a side channel, a form of leak resulting from physical manifestations such as electromagnetic emanations, data caches, or the time required to complete a task. By measuring the manifestations, attackers can decrypt encrypted traffic and infer other confidential data.

The attack that FROST uses is known as a contention side channel, which measures the interaction of various processes all using (or competing for) a given resource. By measuring the timing of certain I/O (input-output) operations of the SSD a visitor is using, the researchers were able to determine the websites open in other tabs—even on other browsers—and the apps that were open on the visitor’s device. FROST requires no interaction from the visitor other than opening the site hosting the attack.

  • GMac@feddit.org
    4 hours ago

    Another reason to be aggressively blocking attempts to run JavaScript from marketing (and other non-critical) domains.

      • GMac@feddit.org
        2 hours ago

        I use NoScript: https://en.wikipedia.org/wiki/NoScript

        It starts with a default position of blocking everything (which breaks a lot of sites) but as you use the internet you just tell it to trust the domains that you need and permablock those you don’t. After a few weeks, you find your regular sites are taken care of.

        googletagmanager and fascistbook are obvious blocks on most sites. Same for Trustpilot and the like.

        It can get more complicated when you try to buy something, as that does legitimately require scripts from other services like Stripe, Worldpay, etc. Or from Shopify and the like.

        You always have the option of temporarily allowing the page to do what it wants if you just find the page list too overwhelming, but it is worth just experimenting and reloading the page till you figure out what is necessary and what is not. Set once, and it’s done.

        Another option is to have a second browser not running NoScript, that deletes all data on exit, and use that for purchasing. I use LibreWolf when I want to do that and minimise fingerprinting and tracking.

        Bonus fact: most news sites with paywalls run those paywalls with JavaScript. No script, no paywall. 😂