Full Report
Thanks to the newly detailed FROST technique, telltale SSD activity can be measured in the browser using simple JavaScript.
Analysis Summary
# Tool/Technique: FROST (Fingerprinting Remotely using OPFS-based SSD Timing)
## Overview
FROST is a novel browser-based side-channel attack technique that exploits the performance characteristics of Solid State Drives (SSDs). By using simple JavaScript to measure the time it takes to perform disk operations, a malicious website can infer a user's activity on other websites and monitor what applications are currently open on the host device. It relies on "contention," where the SSD's shared resources create measurable latency when multiple processes (the browser vs. other apps) access the drive simultaneously.
## Technical Details
- **Type:** Technique / Side-Channel Attack
- **Platform:** OS-agnostic; affects modern web browsers (Chrome, Edge, Opera) supporting the Origin Private File System (OPFS).
- **Capabilities:** Tracking browsing history, cross-site monitoring, application fingerprinting, and device de-anonymization.
- **First Seen:** Publicly detailed in June 2026 (Research paper context).
## MITRE ATT&CK Mapping
- **[TA0007 - Discovery]**
  - [T1202 - Indirect Command Execution] (Via Browser API)
  - [T1497.001 - Virtualization/Sandbox Evasion: System Checks]
- **[TA0011 - Command and Control]**
  - [T1032 - Standard Cryptographic Protocol] (Potential for side-channel decryption)
- **[TA0010 - Exfiltration]**
  - [T1041 - Exfiltration Over C2 Channel]
## Functionality
### Core Capabilities
- **OPFS Exploitation:** Uses the Origin Private File System (OPFS) API to write and read data rapidly to create a "baseline" of SSD performance.
- **Contention Monitoring:** Measures micro-delays in JavaScript execution timing. If another application or browser tab writes to the disk, the SSD controller becomes busy, causing a measurable spike in the FROST script's timing.
- **Activity Inference:** By analyzing the patterns of disk I/O, the technique can identify the "signature" of specific websites loading or specific software (like Slack, Spotify, or Teams) performing background tasks.
### Advanced Features
- **Cross-Site Tracking:** Allows a malicious site to detect if a user is simultaneously logged into sensitive sites (e.g., banking or healthcare portals) by identifying their unique disk-write patterns.
- **Hardware Fingerprinting:** SSDs have unique wear patterns and controller behaviors, which FROST can use to create a persistent hardware ID that survives cookie clearing or VPN usage.
## Indicators of Compromise
- **File Hashes:** N/A (Script-based attack executed in-memory/browser).
- **File Names:** N/A.
- **Registry Keys:** N/A.
- **Network Indicators:** Data exfiltration potentially sent to various analytics or attacker-controlled domains (e.g., `api.example-tracker[.]com`).
- **Behavioral Indicators:**
  - High-frequency calls to `navigator.storage.getDirectory()` and related OPFS file handle operations.
  - Unusual sustained disk I/O originating from a single browser tab without a clear functional purpose (e.g., video editing or large file downloads).
## Associated Threat Actors
- **Academic Researchers:** (Initial discovery: Hannes Weissteiner et al.)
- **AdTech Companies:** Potential early adopters for fingerprinting.
- **State-Sponsored Actors:** Likely to use for targeted de-anonymization of users visiting specific "watering hole" sites.
## Detection Methods
- **Behavioral Detection:** Monitoring for scripts that perform excessive, rapid-fire small writes/reads to the OPFS without user interaction.
- **Browser-Level Telemetry:** Modern browsers can implement "fuzzing" or add jitter to high-resolution timers (like `performance.now()`) to make micro-timing measurements unreliable.
- **EDR/AV:** Detection of browser processes exhibiting high contention or anomalous disk access patterns.
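
The behavioral detection described above can be expressed as a sliding-window rule over per-origin OPFS telemetry. The sketch below is an added example, not code from the FROST research or from any browser or EDR product; the event shape, the thresholds, and the sample origins are all assumptions made for illustration.

```javascript
// Thresholds are assumed starting points for tuning, not values from the research.
const DEFAULTS = { windowMs: 1000, maxOps: 200, smallOpBytes: 4096, minWindows: 3 };

// events: [{ t (ms), origin, op, bytes, userActivation }] -- an assumed telemetry
// shape (e.g. from an instrumented browser build or extension), not a real API.
function detectOpfsProbing(events, opts = {}) {
  const cfg = { ...DEFAULTS, ...opts };
  const perOrigin = new Map(); // origin -> Map(window index -> small, unprompted op count)
  for (const e of events) {
    // Large or user-triggered I/O (saves, uploads) has a functional purpose; skip it.
    if (e.userActivation || e.bytes > cfg.smallOpBytes) continue;
    if (!perOrigin.has(e.origin)) perOrigin.set(e.origin, new Map());
    const buckets = perOrigin.get(e.origin);
    const w = Math.floor(e.t / cfg.windowMs);
    buckets.set(w, (buckets.get(w) || 0) + 1);
  }
  const findings = [];
  for (const [origin, buckets] of perOrigin) {
    const hot = [...buckets.keys()].filter((w) => buckets.get(w) > cfg.maxOps).sort((a, b) => a - b);
    // Require consecutive hot windows so a one-off burst (cache warm-up) is not flagged.
    let run = 0, longest = 0, prev = null;
    for (const w of hot) {
      run = prev !== null && w === prev + 1 ? run + 1 : 1;
      longest = Math.max(longest, run);
      prev = w;
    }
    if (longest >= cfg.minWindows) {
      const peak = Math.max(...hot.map((w) => buckets.get(w)));
      findings.push({ origin, sustainedWindows: longest, peakOpsPerWindow: peak });
    }
  }
  return findings;
}

// Constructed sample telemetry (all origins and values are made up).
function sampleEvents() {
  const ev = [];
  // Tab issuing 4 KiB reads/writes every 2 ms for 5 s with no user interaction.
  for (let t = 0; t < 5000; t += 2)
    ev.push({ t, origin: "https://probe.example", op: t % 4 ? "read" : "write", bytes: 4096, userActivation: false });
  // Editor saving a 2 MiB file once a second after a click.
  for (let t = 0; t < 5000; t += 1000)
    ev.push({ t, origin: "https://editor.example", op: "write", bytes: 2 << 20, userActivation: true });
  // Notes app: one 300-op burst of small writes inside a single window.
  for (let i = 0; i < 300; i++)
    ev.push({ t: 2000 + i, origin: "https://notes.example", op: "write", bytes: 512, userActivation: false });
  return ev;
}

console.log(detectOpfsProbing(sampleEvents()));
```

Only the sustained, unprompted small-I/O origin is reported; the user-driven editor and the single-window burst are not, which is the distinction the indicator draws with "without a clear functional purpose".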
## Mitigation Strategies
- **Browser Updates:** Ensure browsers are updated to versions that include mitigations for high-resolution timing attacks.
- **Disabling OPFS:** Where high security is required, disable or restrict the Origin Private File System API via browser flags or enterprise policy.
- **Privacy Extensions:** Use extensions that neutralize or add noise to browser fingerprinting attempts.
- **Site Isolation:** Use "Strict Site Isolation" features to ensure processes are separated, though this may not fully prevent hardware-level contention measurements.
## Related Tools/Techniques
- **Website Fingerprinting:** Traditional techniques using packet size and timing.
- **Cache-Attack:** Side-channels targeting CPU caches (Meltdown/Spectre style).
- **AudioContext Fingerprinting:** Using the web audio API to identify hardware signatures.