A new technique allows sites to monitor other sites a visitor is viewing and what apps are open on their devices by measuring interactions with solid-state drives.

Key facts
- FROST is a technique that allows websites to spy on their visitors by measuring interactions with solid-state drives.
- The technique uses a contention side channel to measure the timing of I/O operations of the SSD.
- FROST requires no interaction from the visitor other than opening the site hosting the attack.
- The technique has limitations, including the requirement for an extremely large OPFS file.
- There are no indications FROST attacks have been performed in the wild.
- The research is scheduled to be presented at the DIMVA conference in July.
Researchers have discovered a new way for websites to spy on their visitors by measuring subtle interactions with their solid-state drives. The technique, named FROST, allows sites to monitor other sites a visitor is viewing and what apps are open on their devices. This is done by exploiting a side channel, which is a form of leak resulting from physical manifestations such as electromagnetic emanations or the time required to complete a task.
How FROST Works
FROST uses a contention side channel, which measures the interaction of various processes all using a given resource. By measuring the timing of certain I/O operations of the SSD a visitor is using, the researchers were able to determine the websites open in other tabs and the apps that were open on the visitor’s device. FROST requires no interaction from the visitor other than opening the site hosting the attack. It uses JavaScript that interacts with the Origin Private File System (OPFS), an allocated storage space reserved for a specific site to run code needed to complete a given task.
Limitations and Prevention
The technique has its limitations, including the requirement for an extremely large OPFS file, likely a gigabyte or more. This means that attacks at scale would inevitably be detected by many users. To prevent FROST attacks, users can close tabs as soon as they’re no longer needed or monitor the creation and size of OPFS files allocated by unknown websites. The researchers proposed ways for browser makers to shut down the side channel, such as limiting the maximum allowed size of such files.
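One way to do the size monitoring described above, as an added example that is not from the researchers or the original reporting. It assumes a browser storage root with one sub-directory per origin (the root path varies by browser and is supplied by the user); the function names, the sample origin names and the allowlist are hypothetical, and the 1 GiB default follows the "gigabyte or more" figure above.

```python
import os
import tempfile

GIB = 1024 ** 3  # default limit, from the "gigabyte or more" figure in the article


def origin_usage(storage_root):
    """Return {origin_dir_name: total_bytes} for each sub-directory of storage_root."""
    usage = {}
    with os.scandir(storage_root) as entries:
        for entry in entries:
            if not entry.is_dir(follow_symlinks=False):
                continue
            total = 0
            for dirpath, _dirs, files in os.walk(entry.path):
                for name in files:
                    try:
                        total += os.lstat(os.path.join(dirpath, name)).st_size
                    except OSError:
                        continue  # file vanished between listing and stat
            usage[entry.name] = total
    return usage


def flag_large_origins(storage_root, limit_bytes=GIB, allowlist=()):
    """Return [(origin, bytes)] at or over the limit and not allowlisted, largest first."""
    hits = [(origin, size) for origin, size in origin_usage(storage_root).items()
            if size >= limit_bytes and origin not in allowlist]
    return sorted(hits, key=lambda item: item[1], reverse=True)


def build_sample(root, sizes):
    """Constructed sample data: one sparse file per (made-up) origin directory."""
    for origin, size in sizes.items():
        fs_dir = os.path.join(root, origin, "fs")
        os.makedirs(fs_dir)
        with open(os.path.join(fs_dir, "blob.bin"), "wb") as fh:
            fh.truncate(size)  # sets the logical size without writing the data


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root, {"https+++news.example": 4096,
                            "https+++unknown.example": 2 * 1024 * 1024})
        # Limit lowered to 1 MiB so the constructed sample triggers a hit.
        for origin, size in flag_large_origins(root, limit_bytes=1024 * 1024):
            print(f"{origin}: {size} bytes")
```

Run on a schedule against the real storage root, a sudden jump in one origin's total is the signal to look at; sites trusted to store large offline data go in the allowlist.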
This article was independently rewritten by ManyPress editorial AI from reporting originally published by Wired.



