Onyx Digital Intelligence.

The Ghost in the Drive: Why Privacy is Physical

Is your browser’s storage truly private?

It is a question we are all asking these days. To find out, I dug deeper into unconventional, undocumented proofs for FROST on the Brave mobile browser.

A recent research paper from the Graz University of Technology detailed a sophisticated side-channel attack named FROST (Fingerprinting Remotely using OPFS-based SSD Timing). The study demonstrates that a malicious website can infer sensitive information about a user’s system activity, such as visited websites or launched applications, by measuring subtle timing variations in SSD access.

The Science Behind the Attack:

Side-channel attacks, as defined in cybersecurity research, exploit unintended information leaks rather than direct software vulnerabilities. FROST is a timing side-channel that leverages SSD contention. Contention occurs when multiple processes compete for access to the same hardware storage. Because an SSD has finite throughput, when a victim’s system performs heavy storage operations, the latency for other processes increases.

The FROST researchers identified that the Origin Private File System (OPFS) API provides a browser-based mechanism to measure these tiny latency fluctuations. Crucially, while previous research required native code execution, the FROST paper demonstrates that this can be performed entirely within a sandboxed JavaScript environment by bypassing the OS page cache. In their evaluation, they achieved a true channel capacity of up to 891.77 bit/s on macOS and proved that they could classify application launches with an F1 score of 95.83%.

My Experimental Methodology

To test the viability of FROST on modern mobile hardware, I developed a test harness that uses OPFS to perform interleaved idle and load-induced read sequences. My objective was to determine if the contention channel remained detectable despite browser-level anti-fingerprinting protections.

Technical Challenges Encountered:

Synchronous access handles often failed to persist across test cycles, necessitating a browser page reload to reset the state.

Small file sizes resulted in data being served from the RAM cache, effectively silencing the SSD contention signal. To force SSD-level I/O, I utilized significantly larger file allocations.

To mitigate run-over-run timing drift, I implemented a robust interleaved read sequence, allowing for a more accurate calculation of the mean and median latency deltas.
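The paired-delta calculation described above can be sketched as follows. This is an added example, not the author's harness: it covers only the analysis step, the latency samples are constructed, and `TIMER_STEP_US` and all function names are assumptions made for illustration.

```javascript
// Added example: analysis only, run over constructed latency samples (microseconds).
// TIMER_STEP_US is an assumed timer granularity, not a value taken from any browser.
const TIMER_STEP_US = 100;

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = s.length >> 1;
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

function mean(values) {
  return values.reduce((a, b) => a + b, 0) / values.length;
}

// samples: [idle0, load0, idle1, load1, ...] recorded in strict alternation.
// Pairing each load read with the idle read taken just before it cancels
// slow run-over-run drift, because both halves of a pair share the same baseline.
function interleavedDeltas(samples) {
  if (samples.length < 2 || samples.length % 2 !== 0) {
    throw new RangeError("expected an even number of interleaved samples");
  }
  const deltas = [];
  for (let i = 0; i < samples.length; i += 2) {
    deltas.push(samples[i + 1] - samples[i]); // load minus adjacent idle
  }
  return deltas;
}

function summarize(samples, stepUs = TIMER_STEP_US) {
  const deltas = interleavedDeltas(samples);
  const medianDelta = median(deltas);
  return {
    meanDelta: mean(deltas),
    medianDelta,
    // A shift smaller than one timer step cannot be told apart from quantization.
    aboveTimerFloor: Math.abs(medianDelta) >= stepUs,
  };
}

// Constructed data: the baseline drifts upward by 100 us per pair and every
// reading is quantized to 100 us. Only the second series carries a load shift.
const throttled = [300, 300, 400, 400, 500, 600, 600, 600, 700, 700];
const loaded = [300, 400, 400, 500, 500, 600, 600, 800, 700, 800];

console.log(summarize(throttled), summarize(loaded));
```

The median is reported alongside the mean because a single outlier pair moves the mean but not the median, as the two constructed series show.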

Experimental Findings

My research revealed that the effectiveness of the FROST primitive is highly dependent on the system's power state and hardware load:

When the device operated in power-saving mode, the contention signal was non-existent. The system’s aggressive thermal and power throttling appears to inject enough noise to bury the signal under the timer floor, rendering the browser’s internal clamping mechanism highly effective.

Upon disabling power-saving mode and increasing memory utilization to 1924 MB while running concurrent background tasks, the contention channel became active. I recorded a median delta shift of +100.0 us. This confirms that the contention channel, the core physics upon which FROST relies, is measurable on mobile hardware when the device is not artificially throttled.

Verdict

The FROST primitive is viable on mobile platforms. My results demonstrate that while browsers currently employ successful anti-fingerprinting clamps, the underlying physics of storage contention remain a persistent threat. The privacy of a device is not merely a software configuration; it is deeply tied to the physical performance state of the hardware. As the research indicates, understanding these leakage vectors is critical to developing effective, system-wide mitigations that account for the reality of hardware-level contention.

Author and Researcher:

@BaximusCyber85 on X

Onyx_Digital Intelligence

Onyxdigitalintelligence85@protonmail.com