Study Reveals Exploit That Lets Your Browsing History Be Spied On Using Your SSD

Almost everyone wants their internet activity to remain private. Even if you don't visit embarrassing sites, you probably want to ensure Facebook doesn't decide what ads to show you. But while you can minimize the degree to which your browser spies on your browsing history, potential hackers can use your own solid state drive (SSD) against you and learn your internet habits.

Recently, researchers at the Graz University of Technology in Graz, Austria, published a study that found hackers can potentially spy on victims without lifting a finger. All a person needs to do is visit a website lined with malicious code and own a computer with an SSD. The attack, known as Fingerprinting Remotely using OPFS-based SSD Timing (FROST), uses a File System Access API built into numerous browsers to essentially hack into the victim's SSD. FROST achieves this feat with a simple JavaScript code that measures latency (a "fingerprinting attack") via a side channel, which is a backdoor for indirect data leakage.

Prior attempts to pull off such an attack required hackers to install and run native code on a target system, but FROST removes that limitation — it only needs the browser and the aforementioned JavaScript code. According to the research paper, FROST was able to correctly identify the websites a test system visited with up to 89% accuracy. However, when used on a Mac system, the technique's spying accuracy jumped to 96%. Perhaps if you want to avoid a potential FROST attack, this is one scenario where Windows systems win out over Mac.

As previously stated, a FROST attack doesn't require the victim to do anything outside of visiting the wrong website and owning an SSD. Then the JavaScript code takes over. But what exactly does it do? How does it hijack your SSD and use it against you?

According to the Graz University research paper, FROST starts by taking control of the Origin Private File System (OPFS) and using it to create an isolated file system on the target's SSD. Depending on the browser, over 60% of disk space can be set aside for this task. The size of this file must be larger than the available RAM so random bits of read data can bounce over to the SSD instead of the page cache.

FROST relies on an SSD's high input/output (I/O) performance and low latency when compared to hard disk drives (HDDs). Unrelated activity creates its own I/O, which produces a tangible latency spike. The timing of this spike is fed through a convolutional neural network (CNN), which completes the fingerprinting by classifying new traces (records of a request's journey through a system). Of course, if the CNN is poorly trained, then it won't be able to identify many visited websites. But given the popularity of some websites (like Google and YouTube), there's a good chance any CNN can properly tag latency spikes.

Currently, FROST is little more than a proof of concept: Graz University of Technology researchers wanted to demonstrate that the vulnerability exists, as well as what it does and how it works. Hackers haven't used a FROST attack to spy on your SSD yet, but they could. Unless, of course, you take precautionary measures — these hackers aren't after your passwords, so you don't have to worry about avoiding common ways passwords are hacked (in this scenario, anyway).

If in a hypothetical future, malicious actors start using their own FROST attacks, a potential victim's first line of defense would be their own two eyes. If you keep track of your SSD and notice potentially hundreds of gigabytes disappearing, you might be the victim of a FROST. Then again, unless you like to download gargantuan games like "Call of Duty" or "Microsoft Flight Simulator," suddenly losing a sizable portion of your drive is often a surefire sign of malware in general.

Given the ubiquitous nature of the OPFS API, it's difficult (but not impossible) to find a browser that doesn't use the feature, so you can avoid a potential FROST attack by relying on OPFS API-free programs to browse the internet. Then again, Google Chrome used to be one such browser, so the Graz University researchers suggested tweaking computer systems to always ask for permission to create OPFS files. It will be annoying — you need to ensure your computer uses the File System Access API to save information directly onto your local device — but it will prevent hackers from tracking your browsing history right under your nose.