New Attack Spies Using SSDs

A new browser-based attack called FROST can spy on your activity across websites and apps by measuring your SSD's performance.

Researchers have detailed a new browser-based spying technique called FROST. The method allows a malicious website to monitor a user's activity by analyzing the performance of their solid-state drive (SSD). It works by using standard web APIs to perform rapid read/write operations. By measuring the time these operations take, the website can detect subtle delays caused by other applications or browser tabs accessing the SSD. This timing information acts as a side-channel, revealing what else is running on the user's computer without needing special permissions or exploiting a traditional vulnerability.

The primary concern with FROST is its ability to compromise user privacy. An attacker could use this technique to create a fingerprint of a user's browsing habits, identifying which other websites they have open or which desktop applications are active. Because it leverages legitimate browser features, it bypasses many conventional security measures. This poses a challenge for developers and security teams who rely on the browser's sandboxing model to isolate websites from each other and the underlying system. The attack shows how benign web standards can be combined to extract sensitive information.

As a proof-of-concept, FROST highlights the continuous need for vigilance in web API design. Browser developers and standards bodies will likely need to evaluate the implications and consider potential mitigations. These could include introducing timing noise or further restricting access to high-precision performance measurements to prevent such fingerprinting methods from being effective in the wild.

This is a novel, browser-based side-channel attack that bypasses traditional sandboxing by using standard web APIs. It poses a significant privacy risk by allowing websites to monitor user activity across tabs and applications without requiring special permissions.

This attack could undermine user trust in web applications. For businesses handling sensitive data, the risk of cross-site information leakage, even indirectly, could have compliance and reputational implications. It highlights a new threat vector that security teams must consider.