Summary Points
- FROST exploits browser storage features (OPFS) and SSD timing to infer visited sites and used apps remotely, without native code or permissions.
- The attack accurately fingerprints websites (86-89%) and native apps (95%) on macOS by analyzing SSD contention caused by user activity.
- Current defenses are limited; mitigating measures like size caps or timer throttling could reduce attack viability but impact performance and usability.
The Threat, Attack Techniques, and Targets
The FROST attack is a new threat that allows malicious websites to track what sites and apps a user opens. It uses JavaScript and the timing of SSD storage to gather information. The attack does not need native code, browser extensions, or permission prompts. It works by monitoring drive contention in the background while the user visits certain websites or opens specific applications. The attackers target users’ desktops and laptops, focusing on the SSD storage features available in modern browsers.
FROST exploits the Origin Private File System (OPFS), a feature added in 2023. OPFS gives each website its own hidden storage space on the disk. Normally, disk activity is hidden behind caching, but FROST creates a large file that exceeds the system’s RAM. This forces reads to land on the SSD, which can then be timed precisely. The attack leverages this timing data to identify user activity and even extract information covertly.
The attack is effective on both macOS and Linux operating systems. It can analyze the timing shifts when users visit sites or open apps, and identify them with high accuracy. The attack can also transfer data covertly between malware and malicious websites through the same timing signals.
Impact, Security Implications, and Remediation Guidance
The impact of FROST is significant because it can silently infer users’ browsing habits and app usage without their knowledge. Since it operates within the browser sandbox and requires no special permissions, many users remain unaware of this threat. The technology could compromise user privacy and enable further malicious activities.
Currently, there is limited security guidance available. Major browser vendors such as Google, Mozilla, and Apple have been informed but have not yet addressed the issue. Some protections, like closing the tab or monitoring storage sizes, can help temporarily. Linux systems that use profile-sync-daemon may also be less vulnerable due to specific RAM-based caching. However, comprehensive fixes remain under discussion.
For now, the best course of action is to stay informed through vendor updates. Users should avoid keeping suspicious or unknown tabs open and monitor their storage for unusual activity if possible. Remediation guidance should be obtained from the relevant browser vendors or security authorities to ensure comprehensive mitigation measures are implemented.
Expand Your Tech Knowledge
Stay informed on the revolutionary breakthroughs in Quantum Computing research.
Stay inspired by the vast knowledge available on Wikipedia.
ThreatIntel-V1
