New Side-Channel Attack Uses Browser Storage to Fingerprint Devices

A new side-channel attack method called FROST uses the timing of browser storage operations on solid-state drives to create unique device fingerprints. The technique bypasses traditional privacy protections and could allow persistent tracking without user consent.

How FROST Works

FROST stands for Fingerprinting Remotely using OPFS-based SSD Timing. It exploits the Origin Private File System (OPFS), a browser API designed for high-performance local storage. By measuring how long read and write operations take on an SSD, attackers can extract subtle hardware-level variations that are unique to each device.

The attack works entirely within the browser sandbox. It requires no special permissions or plugins. The timing differences stem from physical characteristics of NAND flash memory, including wear leveling patterns and cell degradation over time.

Why This Matters

This attack undermines existing anti-fingerprinting measures in modern browsers. Privacy tools like Firefox's Total Cookie Protection and Safari's Intelligent Tracking Prevention do not block this technique because it does not rely on cookies or JavaScript APIs.

The method is particularly concerning because it is persistent. Unlike cookie-based tracking, users cannot clear their fingerprint by deleting browsing data. The fingerprint changes only if the underlying SSD hardware changes.

Browser vendors face a difficult challenge in mitigating this attack. Blocking OPFS entirely would break legitimate web applications that rely on it for offline storage and performance optimization.

Technical Details

The researchers demonstrated FROST across multiple operating systems including Windows, macOS and Linux. They tested Chrome, Firefox and Edge browsers with various SSD models from Samsung, Western Digital and Intel.

The attack achieves high accuracy in distinguishing between devices even when they use identical hardware models. The timing measurements require only a few seconds of access to a malicious webpage.

Potential Defenses

The paper suggests several mitigation strategies including adding noise to OPFS timing measurements, limiting the precision of performance timers within browser contexts and implementing rate limiting on storage operations.

Browser developers are reviewing the findings but have not announced specific countermeasures yet. Users concerned about privacy can disable JavaScript entirely or use Tor Browser which already limits many timing-based attacks by design.