Researchers demonstrate FROST attack allowing browser-based SSD surveillance

A paper released by researchers ahead of the DIMVA conference shows how a website can infer a visitor's open tabs and running applications by timing solid-state drive reads from JavaScript.

By Owen Mercer, Markets and Finance Editor
Source: Ars Technica
Original headline: Websites have a new way to spy on visitors: analyzing their SSD activity
Original subhead: New side-channel technique exploits origin private file system to infer user activity without interaction

Researchers have unveiled a new side-channel attack named FROST, which lets a website monitor a visitor's device activity by measuring small timing variations in solid-state drive I/O. The technique, detailed in a research paper, allows an attacker to infer which websites are open in other browser tabs and which applications are running on the user's device. FROST is a contention side channel: when several processes compete for one shared resource, here the SSD, the time each of them needs to access it leaks information about what the others are doing.

The FROST method runs entirely inside the browser, which distinguishes it from previous contention side-channel attacks that typically required software installed outside the browser. It uses JavaScript to work with the origin private file system (OPFS), a per-origin storage area the browser reserves for a site. A website can create an OPFS file without any interaction from the visitor and without a permission prompt. Once the file exists, the malicious script performs a continuous stream of random reads from it; reads issued while another process is also using the SSD take measurably longer, so the sequence of read latencies becomes a trace of other activity on the machine.

To interpret these timing variations, the researchers used a pretrained convolutional neural network. The network classifies latency traces, letting the attacker deduce which applications and websites are active on the host. The full attack was demonstrated on an M2 Mac. The authors also showed that the underlying primitive, measuring SSD access latency from JavaScript, works on Linux, though the full classification attack was not run on that platform.
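The primitive described in the two paragraphs above, reconstructed as an added JavaScript example. This is editor-written illustration code, not the researchers' code. The sampling function uses only the standard OPFS worker APIs (navigator.storage.getDirectory, getFileHandle, createSyncAccessHandle, and read/write with an `at` offset); the probe file name, the 1 GiB size, the 4 KiB read size, the 50 ms window, the contention threshold and the step of filling the file with real bytes are all assumptions, since the article does not describe those details. The binning and threshold functions stand in for the paper's CNN only to show what a latency trace looks like before classification; they run in Node on a constructed sample, while the OPFS sampling itself runs only inside a dedicated Web Worker in a browser.

```javascript
// Editor-added illustration of the FROST measurement primitive as the article
// describes it; not the researchers' code. Names, sizes and thresholds are assumptions.
const PROBE_FILE = "probe.bin";        // assumed file name inside the origin's OPFS
const PROBE_SIZE = 1024 * 1024 * 1024; // 1 GiB, matching "a gigabyte or more"
const READ_SIZE = 4096;                // one 4 KiB block per probe read (assumed)
const FILL_CHUNK = 1024 * 1024;        // write granularity when populating the file

// Browser-only part: must run in a dedicated Web Worker, because
// createSyncAccessHandle() is not available on the main thread.
// Returns an array of { t, latencyMs } samples, t in ms from performance.now().
async function sampleOpfsLatency(durationMs) {
  const root = await navigator.storage.getDirectory();   // no permission prompt
  const fileHandle = await root.getFileHandle(PROBE_FILE, { create: true });
  const handle = await fileHandle.createSyncAccessHandle();
  if (handle.getSize() < PROBE_SIZE) {
    // Write real bytes rather than truncate(): a sparse file may never reach
    // the flash, and reads of holes would then measure nothing (assumption).
    const chunk = new Uint8Array(FILL_CHUNK).fill(0xa5);
    for (let off = 0; off < PROBE_SIZE; off += FILL_CHUNK) handle.write(chunk, { at: off });
    handle.flush();
  }
  const buf = new Uint8Array(READ_SIZE);
  const blocks = PROBE_SIZE / READ_SIZE;
  const samples = [];
  const deadline = performance.now() + durationMs;
  while (performance.now() < deadline) {
    // Random offsets spread over the whole file keep the OS page cache from
    // serving most reads, so the latency reflects the drive, not memory.
    const at = Math.floor(Math.random() * blocks) * READ_SIZE;
    const t0 = performance.now();
    handle.read(buf, { at });
    samples.push({ t: t0, latencyMs: performance.now() - t0 });
  }
  handle.close();
  return samples;
}

// Pure analysis part: runs anywhere, Node included. Converts irregularly spaced
// samples into a fixed-rate trace of mean and max latency per window, the kind
// of one-dimensional time series a classifier such as the paper's CNN consumes.
function binLatencyTrace(samples, windowMs) {
  if (samples.length === 0) return [];
  const t0 = samples[0].t;
  const bins = [];
  for (const s of samples) {
    const i = Math.floor((s.t - t0) / windowMs);
    while (bins.length <= i) bins.push({ count: 0, sum: 0, max: 0 });
    const b = bins[i];
    b.count += 1;
    b.sum += s.latencyMs;
    if (s.latencyMs > b.max) b.max = s.latencyMs;
  }
  return bins.map((b) => ({ count: b.count, mean: b.count ? b.sum / b.count : 0, max: b.max }));
}

// Crude contention detector standing in for the classifier: returns the indices
// of windows whose mean latency exceeds `factor` times the median window mean.
function contentionWindows(trace, factor = 3) {
  const means = trace.filter((b) => b.count > 0).map((b) => b.mean).sort((a, b) => a - b);
  if (means.length === 0) return [];
  const baseline = means[Math.floor(means.length / 2)];
  return trace
    .map((b, i) => (b.count > 0 && b.mean > baseline * factor ? i : -1))
    .filter((i) => i >= 0);
}

// Constructed sample trace (not measured data): one probe read per ms for 200 ms,
// quiet at 0.05 ms except a 50 ms burst of 0.4 ms reads starting at t = 100,
// the shape a foreground application's disk activity would leave.
function constructedSamples() {
  const out = [];
  for (let t = 0; t < 200; t += 1) {
    out.push({ t, latencyMs: t >= 100 && t < 150 ? 0.4 : 0.05 });
  }
  return out;
}

if (typeof navigator !== "undefined" && navigator.storage && navigator.storage.getDirectory) {
  // In a browser worker: two seconds of probing, 50 ms windows.
  sampleOpfsLatency(2000).then((s) => console.log(contentionWindows(binLatencyTrace(s, 50))));
} else {
  console.log(contentionWindows(binLatencyTrace(constructedSamples(), 50))); // [2]
}
```

The reason for the gigabyte-scale file, on my reading of the article's size requirement, is the page cache: random reads over a file much larger than free memory mostly miss the cache and therefore actually queue at the SSD alongside other processes' I/O. That same size is the defender's handle on the technique: an origin's storage usage, which includes OPFS, is reported by navigator.storage.estimate(), so a browser or extension can notice a site that silently allocates a gigabyte.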

The attack requires no user interaction beyond visiting the malicious site, but it faces significant practical limitations. The OPFS file must be extremely large, likely a gigabyte or more, which gives users or tools that watch per-site storage usage a way to spot it. The technique can also only observe activity on the same SSD that holds the browser's OPFS storage; an application running from a separate drive is invisible to it. There are currently no indications that FROST attacks have been performed in the wild.

Web browsers have evolved from simple document viewers into complex platforms that run sophisticated applications, such as office suites and integrated development environments. Each added capability widens the browser's attack surface, and OPFS is one more example. The researchers suggest that browser makers could mitigate the risk by limiting the maximum size of OPFS files or by closing the side channel entirely. Until such measures ship, users are advised to close tabs promptly and to watch for large files created by unfamiliar websites.
