- Published on
How to become SSD access times for digital fingerprint
- Authors
- Name
- aimode.news
- @aimode_news
“FROST” has called IT researchers an attack on privacy by measuring SSD access times. Web browsers can explore which websites users have visited.
The researchers use high-resolution timers available in the web browser nowadays, write them in their paper. In their side channel attack, they send files via the “Origin Private File System” API (OPFS) in JavaScript to an SSD and read them back. The resulting load on the drive creates delays when other applications also access the SSD. These measure the attackers and use them to identify patterns. For this, the researchers have found a way to bypass the page cache of the operating system, which allows them to measure the SSD access times directly.
This happens all within the browser sandbox – without user interaction and without local programs having to be started directly from the web browser. They tested the attacks on Linux and macOS. Her hidden channel outputs about 660 bits per second under Linux and 892 bits per second under macOS. With this, they were able to determine among macOS with high probabilities which websites users have accessed (88.95 percent), the accessed apps even with 95.83 percent.
Video by heise
Improved attack
Such attacks have already been demonstrated beforehand, also by researchers from TU Graz such as Daniel Gruss, Fabian Rauscher and Jonas Juffinger, who also participated in the FROST-Paper. They seem to be based on multiple apps accessing SSDs at the same time, leading to increased latencies or blockages in requests from other processes. The researchers talk about conflicts (contention). Different websites and apps have quite specific access patterns and thus delays, which is a kind of digital fingerprint. Further details can be found in the studies of the researchers.
As an attack scenario, the IT researchers describe that attackers bring victims to visit a malicious website that delivers the attack code. The web browser executes the code without special rights in the sandbox. The attackers can thereby read out information about the behaviour of the victim from the system. The team also reports that surfed websites remain open, while victims do something else, which is quite realistic. The malicious website can then determine the timing of the SSD and thus determine which websites and apps are open.
As part of the Responsible Disclosure, the researchers informed the browser manufacturers: Google generally does not evaluate fingerprinting attacks as vulnerabilities, Apple currently classifies FROST as outside its own scope, and Mozilla has accepted the findings, but has not yet taken any countermeasures.
(dmk)
