- Joined
- 31.10.19
- Messages
- 1,727
- Reaction score
- 5,728
- Points
- 113

Scientists from Graz University of Technology in Austria published a research paper in which they proposed a sufficiently effective method for tracking a user through a browser. The most interesting feature of their method, called FROST, is the use of a solid-state drive (SSD) as the tracking mechanism. Without going into technical details, the researcher's proposed attack looks like this. An attacker lures the victim to a prepared website. While that site remains open, the attacker can see which programs the user launches and which web pages the user opens. How is this possible at all? The first suspect is, of course, the browser. In modern browsers, each website is opened in an isolated container and, as a rule, has no access to neighboring tabs or even to computer resources. There are regularly exceptions to this rule, but that’s not the topic here. The FROST attack assumes that the browser works normally, with all security measures enabled. It uses a standard browser feature called Origin Private File System. It gives a site its own virtual file system for storing data. Although it is isolated, the data ultimately gets written to the same SSD that other programs and websites also use. It turns out that if a malicious page continuously accesses the SSD, then by measuring the delays when accessing data, it's possible to infer what else is happening on the computer. Before moving on to a more detailed study of the method, let’s take a short theoretical detour.
A bit about side-channel attacks:
A bit about side-channel attacks:
The term "side channels" implies observing the operation of a computer (or even a specific chip) implicitly. Instead of intercepting information exchanged directly, one can analyze how the power consumption of the electrical circuitry changes, the temperature of individual components, monitor electromagnetic radiation and so on. As a result, there is a theoretical possibility to eavesdrop on conversations in a room using a computer mouse - vibrations caused by sound could be captured by an optical sensor. By observing changes in CPU frequency, one could steal encryption keys. Even a simple LED in a checkpoint reader might emit enough data about the device’s operation for an attacker to make a copy of a smart card. The advantage of such implicit data leakage mechanisms is precisely that they are implicit - device creators often do not account for them when building security systems. The disadvantage is also obvious: extracting information through a mechanism that was not intended for this is often difficult, slow and labor-intensive. The Austrian researchers worked with a subtype of side-channel attack known as a contention side channel - that is, leakage occurs under conditions of competition for a specific resource. In this case, the competition is over the SSD’s bandwidth.
FROST Attack Details
FROST Attack Details
Suppose the SSD contains a sufficiently large file filled with random data. Some process accesses these data at regular intervals and measures how fast it retrieves the data. This speed changes depending on how busy the drive is with other tasks. Access latency is the source of information. The Austrian paper shows that the graph of latencies over a certain period allows you to determine with reasonable reliability which specific other task is being executed at the moment.
*characteristic latency graphs when opening specific websites.
The researchers built latency graphs like the one described above for many web sites and local programs. They capture patterns that form when a site is opened or a program is launched. To capture the moments of launching or loading, you need to monitor SSD activity for quite a long time. But the patterns are stable enough and can be observed on different systems - the authors experimented on a desktop PC running Linux as well as an Apple Mac mini. Then, in principle, it’s straightforward: you can take a catalog of known patterns, measure SSD latencies in real conditions, compare them and figure out which programs the user launches and which websites the user visits. But how do you set up monitoring secretly, without installing malicious software on the computer?
And this is where a relatively new browser feature, Origin Private File System, comes to help. A hypothetical attacker doesn’t need to install a Trojan program on the computer. It’s enough for the victim to open a prepared page, and then it will use OPFS to enable monitoring of SSD activity.
The combination of all the attack’s properties explains its name: FROST stands for Fingerprinting Remotely using OPFS-based SSD Timing, meaning remote fingerprinting using OPFS-based SSD timing. The full attack scheme looks like this:
*extracting data about computer activity using the FROST attack.
Limitations of the Method
Limitations of the Method
Like any other side-channel attack, FROST works quite slowly. The authors of the study even calculated how slow it is by building a special test setup for that purpose.
*a test setup diagram for measuring the data-extraction speed through OPFS.
On the computer, a program was running that transmitted data implicitly: you can think of it as a spy that broadcasts a secret message through accesses to a data storage device. For example, you can assume that a "1" in the message corresponds to active load on the SSD and a "0" corresponds to the absence of accesses. In the browser, the authors created an information receiver: it also accesses the storage device through OPFS. The browser receiver and the program transmitter compete for the SSD’s bandwidth. Because of this, the receiver observes access delays when the transmitter actively sends them.
Final result: this strange method transmitted data at a rate of 661 bits per second with nearly 90% accuracy, for a desktop PC with an AMD processor running Linux. On an Apple system running macOS, the result was 719 bits per second with about 90% accuracy. These results are somewhat worse than in the previous 2025 study, which used only applications installed directly on the computer. But the difference isn’t huge.
However, the point of FROST is not data transmission - it’s tracking user activity. Even if you have a database of patterns corresponding to launching certain programs (or opening certain websites) on a specific system, through a malicious site and OPFS too much noise information is still transmitted. After all, the computer is doing lots of other activity related to SSD accesses. To overcome this obstacle, the authors traditionally - used a neural network: trained on known fingerprints, it confidently identifies user activity even from extremely noisy data. The results are impressive: on an Apple Mac mini, opened websites were correctly identified in 89% of cases and applications in 96% of cases. Moreover, opened sites were recognized correctly even if they were opened in a different browser, not the one where the malicious page was loaded. This would look like an extremely successful attack if not for a large number of additional constraints.
Applicability of the FROST Attack
Applicability of the FROST Attack
By themselves, data about which programs are launched and which sites are visited provides little value to a potential attacker. Such information would be interesting, for example, to advertisers - it would allow them to build a digital profile of the user without having access to any other data. In practice, though, this kind of large-scale tracking cannot be deployed widely. The reason is another fundamental property of how a computer works: frequently requested data is cached in RAM. The entire FROST attack is built around the relatively low bandwidth of the SSD. But if the data is in memory, then any observation possibility disappears. To bypass these limitations, you would have to create an OPFS file that is huge - over one gigabyte. Obviously, any popular site that heavily loads the SSD would instantly reveal the attack. Thus, like most other side-channel tracking methods, FROST can only be targeted. But in any case, the FROST attack turns out to be far more practical than many other attacks described in similar research. This study once again shows how complex modern computers are and how many non-obvious places exist for potential data leaks. When building a secure system that handles extremely sensitive data, hardware features must be taken into account. If the value of stolen information is high enough, a potential attacker has motivation to develop a complex attack specifically to achieve a particular goal. Works like FROST can be seen as proof that in such a scenario nothing is impossible.







