A newly identified threat, known as the FROST attack, allows malicious websites to monitor which sites you visit and apps you use by analyzing SSD timing. This sophisticated method, developed by researchers from Graz University of Technology, operates using JavaScript without requiring native code or special permissions.
Mechanism of the FROST Attack
FROST functions by exploiting the Origin Private File System (OPFS), a browser feature designed to help web applications store files locally. By creating files that exceed the device’s RAM, FROST forces the system to read directly from the SSD, allowing attackers to measure timing discrepancies. These discrepancies can reveal activity when a user opens websites or applications, which the attacker’s neural network can identify with high accuracy.
This attack is a progression from previous methods like the Secret Spilling Drive, which required native code and lower-level system access. By running entirely within the browser’s sandbox, FROST transforms a local threat into a remote one, broadening its potential impact.
Impact and Accuracy
The precision of FROST is notably high. Tests on macOS revealed an F1 score of 88.95% for identifying the top 50 websites during closed-world tests, and 86.95% in open-world scenarios involving 300 unfamiliar sites. When targeting ten native macOS applications, the accuracy reached 95.83%. Additionally, the technique can serve as a covert communication channel, although it’s currently limited to activities occurring on the same drive as the OPFS file.
While the attack has been verified on macOS, its full capabilities remain untested on other platforms. The approach primarily affects single-drive systems, as multi-drive setups can obscure activity occurring on different drives.
Current Defenses and Future Outlook
As of now, there are limited defenses against FROST. Although Google, Mozilla, and Apple have been informed, responses vary from acknowledgment to considering future mitigations. Users can mitigate risk by closing suspect browser tabs and monitoring for large unexplained files. However, the primary solution lies with browser developers, who need to implement measures like OPFS size limits or enhanced permission protocols.
The debate persists on whether such tracking capabilities are a flaw or an inherent feature of modern browser design. The researchers express concern over the growing trend of browsers granting web apps extensive access to hardware, leading to increased potential for privacy breaches. Monitoring this pattern is crucial for future cybersecurity efforts.
