Websites Can Secretly Track You Via Your SSD

TL;DR: Researchers found a new attack called FROST that lets a malicious website track other sites and apps you open. It works by measuring your SSD's response time using only JavaScript, requiring no special permissions.
Key facts
- Category: Cybersecurity
- Impact: Critical
- Published:
- Source: The Hacker News
Full summary
A new attack called FROST lets any website secretly track other sites and apps you open just by timing your SSD.
Researchers at Graz University of Technology have developed a new side-channel attack named FROST. It allows a malicious website to track which other websites you visit and which applications you launch on your computer. The attack is remarkably stealthy: it operates from a single, inactive browser tab using only standard JavaScript, requires no browser extension or native code installation, and triggers no permission prompt.

FROST works by continuously measuring the response time of the system's Solid-State Drive (SSD). When the user opens another application or navigates to a new website, that activity briefly competes with the script for the SSD, creating "contention". The malicious script detects the resulting minute timing variations, which form a fingerprint that corresponds to specific user activities, such as opening a productivity app or visiting a banking site.
The discovery of FROST presents a significant privacy and security challenge for developers, IT teams, and business leaders. Because it needs no special permissions, it bypasses many of the conventional security models and sandboxing techniques designed to isolate web applications. Unlike traditional malware or exploits that target software vulnerabilities, FROST leverages a physical characteristic of modern hardware, which makes it difficult to detect with existing antivirus or browser security tools. The technique turns the high performance of contemporary SSDs into a liability, creating an information leak that any website can exploit. For security teams and CTOs, this is a new and subtle threat vector that simple software patches do not easily address. It demonstrates that even passive background tabs can pose a serious risk, exfiltrating sensitive data about user behavior without the user's knowledge or consent. The attack's simplicity and effectiveness underscore the growing difficulty of securing systems in which hardware and software interactions create unforeseen vulnerabilities.
Primary source: The Hacker News