Security researchers have discovered a new browser-based side-channel attack, called the FROST SSD Timing Attack, that allows malicious websites to monitor SSD activity and potentially track what users are doing on their devices.
The attack works by abusing modern browser storage features and measuring tiny changes in SSD response times. Researchers warned that simply visiting a malicious website could allow attackers to observe activity happening in other browser tabs, applications, or even different browsers running on the same system.
The findings highlight growing concerns around browser APIs and performance features that may unintentionally expose sensitive system behavior.
How the FROST Attack Works
The technique relies on the Origin Private File System (OPFS), a browser storage feature designed to improve web application performance.
Researchers found that a malicious website can create a large file inside the browser’s storage sandbox and continuously perform random disk reads. These operations force the SSD to handle real disk activity instead of being served from cached memory.

When other applications or browser tabs access the same SSD, small delays and latency spikes occur due to resource contention. The malicious page measures these timing differences using high-resolution browser timers.
To improve accuracy, attackers can enable cross-origin isolation settings that unlock more precise timing measurements through APIs such as performance.now().
The collected timing data is then analyzed using machine learning models to identify patterns linked to specific websites or applications.
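Cross-origin isolation, mentioned above as the step that unlocks finer timers, is requested through the Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy response headers, so a defender can list which sites in proxy or crawler logs opt into it. The following is an added example, not code from the research or the original article; the host names and log entries are constructed, and because many legitimate applications set these headers, a match is only a triage signal.

```javascript
// Added example; the host names and log entries below are constructed.

// First token of a header value, lower-cased, without parameters
// such as `; report-to="endpoint"`.
function policyToken(value) {
  if (typeof value !== "string") return null;
  return value.split(";")[0].trim().toLowerCase() || null;
}

// True when the enforcing (not Report-Only) COOP and COEP headers put the
// top-level document into a cross-origin isolated context.
function enablesCrossOriginIsolation(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = value; // header names are case-insensitive
  }
  const coop = policyToken(h["cross-origin-opener-policy"]);
  const coep = policyToken(h["cross-origin-embedder-policy"]);
  return coop === "same-origin" &&
    (coep === "require-corp" || coep === "credentialless");
}

// Constructed sample: one entry per top-level document response.
const sampleLog = [
  { host: "editor.example", headers: {
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp" } },
  { host: "news.example", headers: { "Content-Type": "text/html" } },
  { host: "report-only.example", headers: {
    "Cross-Origin-Opener-Policy-Report-Only": "same-origin",
    "Cross-Origin-Embedder-Policy-Report-Only": "require-corp" } },
  { host: "cdn-app.example", headers: {
    "cross-origin-opener-policy": 'same-origin; report-to="coop"',
    "cross-origin-embedder-policy": "credentialless" } },
  { host: "popups.example", headers: {
    "Cross-Origin-Opener-Policy": "same-origin-allow-popups",
    "Cross-Origin-Embedder-Policy": "require-corp" } },
];

// Hosts whose documents opt into cross-origin isolation.
function isolatedHosts(log) {
  return log.filter((e) => enablesCrossOriginIsolation(e.headers))
    .map((e) => e.host);
}

console.log(isolatedHosts(sampleLog));
```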
Researchers Demonstrated Cross-Browser Tracking
During testing, researchers showed that the attack could monitor user activity across multiple browser instances on macOS systems.
In one experiment:
- A malicious Chrome tab monitored SSD timing activity
- A victim opened websites in Safari
- The timing patterns were analyzed using a neural network model
- The system successfully identified visited websites with high accuracy
The researchers reported strong detection results while testing against popular websites.
They also demonstrated a covert communication channel on Linux and macOS systems where SSD contention signals were used to transfer information between applications.
Privacy and Security Concerns
The research shows how modern browser performance features may weaken traditional browser isolation protections.
Unlike traditional malware, the attack does not require installing software on the victim’s device. Instead, a single visit to a malicious webpage may be enough to begin collecting timing information silently in the background.
Researchers warned that the technique could potentially be used for:
- Cross-browser activity tracking
- User behavior monitoring
- Website fingerprinting
- Covert communication channels
- Privacy-invasive surveillance techniques
The findings also raise concerns about how high-resolution timers and advanced browser storage APIs can unintentionally create new side-channel attack surfaces.
While the attack currently requires specific conditions and technical expertise, the research demonstrates how low-level hardware behavior can increasingly be abused for remote tracking and surveillance purposes.