Your SSD Could Be Leaking Your Browser History: Researchers Unveil ‘FROST’ Side-Channel Attack
Table of Contents
The New Frontier of Digital Fingerprinting
For years, the battle for user privacy has centered on cookies, device fingerprints, and keystroke logging. But a new research paper has revealed a far more insidious method of tracking: measuring the physical performance of your computer’s solid-state drive (SSD).
The technique, dubbed FROST (fingerprinting remotely using OPFS-based SSD timing), allows a malicious website to infer which other tabs you have open—even in different browsers—and which applications are running on your device. Unlike traditional tracking, which relies on software identifiers, FROST exploits a “side channel,” measuring the minute fluctuations in time it takes for a drive to complete a task when other processes are competing for the same hardware resources.
How the ‘Contention’ Attack Works
At its core, FROST utilizes a contention side channel. In simple terms, when your SSD is busy writing a system update or loading a heavy application, other read/write requests are slightly delayed. By precisely measuring these latencies, an attacker can create a “signature” of the device’s current activity.
The breakthrough in the FROST attack is that it operates entirely within the browser via JavaScript. It targets the Origin Private File System (OPFS), a virtual file system designed to give websites a sandboxed area to store data for complex web apps. While OPFS is intended to isolate a site’s data from the rest of the system, it does not isolate the physical hardware. The JavaScript can perform random reads from a large file in the OPFS and monitor how long those reads take.
To make sense of this noise, the researchers utilized a pretrained convolutional neural network (CNN). By feeding the timing traces into this deep-learning model, the attacker can classify the patterns and deduce exactly which website or app is causing the SSD contention.
Hardware Constraints and Limitations
While the technical implications are sobering, FROST is not yet a frictionless tool for mass surveillance. There are significant hurdles that would make a wide-scale rollout difficult to hide.
First, the attack requires a massive OPFS file—often a gigabyte or more—to be allocated on the visitor’s drive. Such a sudden spike in disk usage is likely to be flagged by system monitors or noticed by users checking their storage. Second, the attack only works if the target applications are using the same physical SSD as the browser’s OPFS file. If a professional user has their OS on one drive and their heavy apps on a separate NVMe drive, FROST cannot see that activity.
The Path to Mitigation
The research, which is scheduled for presentation at the DIMVA conference in July, was primarily demonstrated on an M2 Mac. However, the authors noted that the underlying mechanism—measuring SSD access latency via JavaScript—is equally viable on Linux, suggesting a cross-platform vulnerability.
According to the researchers, the most immediate defense for users is a simple one: close unused tabs and applications. However, the long-term solution lies with browser vendors. The authors suggest that Google, Apple, and Mozilla could mitigate this by capping the maximum size of OPFS files or introducing “noise” into the timing mechanisms to mask the contention patterns.
For now, there are no known reports of FROST being used in the wild. But as browsers evolve into full-fledged operating systems capable of running IDEs and video editors, the attack surface for these hardware-level leaks continues to grow.
