New FROST attack uses SSD drives to spy on browsing history, especially on Apple Macs

A potential ‘hacker’ could use the user’s SSD hard drive to learn their browsing habits with the new hacking technique called FROST and that is more likely to be successful on Apple Macs.

Researchers from the Graz University of Technology (Austria) have published a study stating that hackers could spy on browsing history without requiring the installation of malicious software on the PC of the user, since ‘Fingerprinting Remotely using OPFS-based SSD Timing'(FROST) works when the victim visits a website that executes malicious JavaScript code.

According to the researchers, FROST was able to correctly identify the websites the user visited with 89 percent accuracy, while on a Mac this technique reaches 96 percent success facing the same scenario on a Windows system.

FROST uses a modern API built into many browsers which is known as Origin Private File System (OPFS). This Origin Private File System makes web ‘apps’ read and write files directly on the user’s device with extremely high performance (online photo and video editors, web games, etc.).

The attack uses this API to create an isolated file system on the SSD of the user (which typically uses more than 60% of disk space as one of the traits to identify this type of cyberattack) to measure fluctuations and latency in read and write performance.

This measurement of time variations and latency spikes generated by SSD activity is processed with a convolutional neural network (which is a type of artificial intelligence) to achieve the attacker’s final objective, which is to know the web pages that the user has visited.

It all starts from the neural network’s ability to identify those websites, and It performs better if the user visits Google or YouTube websitesunlike doing it on a small website that hardly requires any effort on the hard drive. This is because the AI ​​’knows’ how the SSD reacts when the Google search engine is loaded or a video is played.

Accessing popular websites generates such large and unique latency spikes in the SSD that they leave an unmistakable “fingerprint” for the FROST technique to perfectly identify the user’s browsing history.

For now, according to the Graz researchers, FROST It’s little more than a proof of concept.although they affirm that the vulnerability exists. That is, at the moment the hackers have not used a FROST attack to spy on SSD drives.

Two ways are suggested to defend against this type of FROST attack, although one is more of a way to detect it. The warning sign is the sudden and massive loss of hundreds of gigabytes on the hard drive. For example, it is as if the Call of Duty game was suddenly installed on the PC.

The second recommendation is that the browser always ask the user for permission before creating OPFS files, Although this possibility does not currently exist in most browsers, like those of Google, Apple and Microsoft.

These findings, before their publication, were shared with Google, Mozilla and Apple. According to the document, Chromium developers stated that ‘fingerprinting’ attacks are not considered security vulnerabilities, while Apple classified the problem as out of scope (although it could be considered in the future) and Mozilla acknowledged the findings, but without implementing protections.