Websites have a new way to spy on visitors: Analyzing their SSD activity

Published: May 27, 2026 at 04:56 PM EDT
Source: Ars Technica

Overview

Researchers have demonstrated a new side‑channel attack that allows a website to infer which applications and other websites are open on a visitor’s device by measuring SSD activity from JavaScript. The method leverages a pretrained convolutional neural network (CNN) to classify latency traces generated by SSD contention.

How the Attack Works

  1. File system sandboxing – Each website’s file system is isolated from other sites and from the operating system, but JavaScript can still perform I/O operations.
  2. Measuring SSD contention – The attacker creates a large OPFS (Origin‑Private File System) file and repeatedly performs random reads. User activity that accesses the same SSD introduces measurable latency variations.
  3. Training a CNN – By feeding these latency traces into a CNN, the model learns to associate specific patterns with particular user activities (e.g., opening certain apps or websites).
  4. Fingerprinting – Once trained, the model can classify new latency traces and infer the victim’s current activity.

“The attacker continuously measures SSD contention by performing random reads from a large OPFS file. SSD contention caused by user activity causes measurable latency differences for these read operations. By training a convolutional neural network (CNN) on these traces, the attacker can fingerprint user activity on the host system by classifying new traces using the trained model.” – Researchers

Limitations

  • File size requirement – The OPFS file must be very large (≈ 1 GB or more). Deploying such files at scale would likely be noticed by users.
  • Same‑drive constraint – The OPFS file must reside on the same SSD that the victim is using. While this is usually true for browser‑stored files, it limits detection of activity on secondary drives.
  • Platform coverage – The full attack was demonstrated only on an M2 Mac. Linux was shown to support the primitive (latency measurement), but the complete attack was not executed. No tests were performed on Windows.

Mitigations

  • Close unused tabs – Closing tabs promptly reduces the window in which a site can take measurements.
  • Monitor OPFS usage – Advanced users can watch for unusually large OPFS files created by unknown sites.
  • Browser‑level defenses – Proposed countermeasures include imposing strict limits on the maximum size of OPFS files that can be allocated.
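
One way to run the "Monitor OPFS usage" check against a browser profile on disk, as an added example that is not from the researchers or the article. The storage root passed in and the one-directory-per-origin layout beneath it are assumptions (where a browser keeps OPFS data differs by browser and version); the 1 GB threshold is the file size the page cites.

```python
import os
import sys

# The page puts the OPFS file size the attack needs at roughly 1 GB or more.
THRESHOLD_BYTES = 1024 ** 3


def largest_files_by_origin(storage_root):
    """Map each first-level directory (assumed: one per origin) to
    (largest_file_bytes, total_bytes, path_of_largest_file)."""
    report = {}
    for entry in os.scandir(storage_root):
        if not entry.is_dir(follow_symlinks=False):
            continue
        largest, total, largest_path = 0, 0, None
        # os.walk does not follow symlinks, so the scan stays inside the profile.
        for dirpath, _dirs, files in os.walk(entry.path):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    size = os.lstat(path).st_size
                except OSError:
                    continue  # file removed while the browser is running
                total += size
                if size > largest:
                    largest, largest_path = size, path
        report[entry.name] = (largest, total, largest_path)
    return report


def flag_large_origins(storage_root, threshold=THRESHOLD_BYTES):
    """Return [(origin_dir, largest, total, path)] for origins that hold a
    single file of at least `threshold` bytes, biggest first."""
    hits = [
        (name, *stats)
        for name, stats in largest_files_by_origin(storage_root).items()
        if stats[0] >= threshold
    ]
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


if __name__ == "__main__":
    # Usage: python scan_storage.py <path to the browser's per-origin storage root>
    for name, largest, total, path in flag_large_origins(sys.argv[1]):
        print(f"{name}: largest file {largest / 2**30:.2f} GiB, "
              f"total {total / 2**30:.2f} GiB ({path})")
```

An origin that appears in the output and is not a site you knowingly gave that much storage to is the case the mitigation describes; clearing that site's data in the browser removes the file.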

There are currently no known instances of this attack being used in the wild.

Experimental Results

  • macOS (M2) – The full Frost attack successfully fingerprinted user activity.
  • Linux – Demonstrated that JavaScript can capture SSD latency traces, suggesting comparable performance for a full attack, though it was not fully implemented.

“Since the performance of the primitive is similar between macOS and Linux, we expect similar performance for the full classification,” said co‑author Hannes Weissteiner.

Further Reading

  • The original research paper (linked in the source) provides extensive technical details.
  • The work is scheduled for presentation at the upcoming DIMVA conference in July.