{"id":30818,"date":"2026-06-11T21:22:50","date_gmt":"2026-06-11T15:52:50","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/frost-fingerprinting-attack\/30818\/"},"modified":"2026-06-11T21:23:04","modified_gmt":"2026-06-11T15:53:04","slug":"frost-fingerprinting-attack","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/frost-fingerprinting-attack\/30818\/","title":{"rendered":"The FROST attack: how SSD access delays expose users’ activity"},"content":{"rendered":"

Scientists at Graz University of Technology in Austria recently published a paper<\/a> detailing a new method for tracking users\u2019 activity through their web browsers. The most fascinating thing about this new technique \u2014 which they\u2019ve named FROST \u2014 is that it relies on a computer\u2019s solid-state drive (SSD) to do the spying. Without getting bogged down in technical details, here\u2019s how the attack works: a hacker lures a victim to a specially crafted website; as long as the site is kept open, the attacker can track exactly what apps the user is launching, and what other web pages they\u2019re visiting.<\/p>\n

So, how do they pull this off? The first instinct is naturally to blame the browser. But in modern web browsers, every website runs in an isolated sandbox and is generally locked out from touching other tabs \u2014 let alone the computer\u2019s actual hardware. While hackers do find loopholes in these defenses from time to time, that\u2019s not what\u2019s happening here. The FROST attack doesn\u2019t need to break the browser; it works perfectly even with all standard security measures in place. Instead, it hijacks a completely legitimate browser feature called the origin private file system (OPFS), which gives websites their own virtual storage space to store data. However, while this storage is digitally isolated, the data is still physically written to the exact same SSD that every other app and website opened on the computer is using. The researchers discovered that if a malicious page constantly bombards the SSD with data requests, the microscopic delays in data access can help map out what else is running on the PC. Before we dive into the details of how they manage this, let\u2019s take a quick look at the theory behind the attack.<\/p>\n

A quick primer on side-channel attacks<\/h2>\n

The term \u201cside-channel\u201d refers to a method of spying on a computer \u2014 or even a single microchip \u2014 indirectly. Instead of intercepting the data itself, an attacker might analyze fluctuations in power consumption, monitor the temperature of specific components, or listen in on electromagnetic radiation, among other things. In theory, this means that someone could eavesdrop on a conversation<\/a> in a room just by using a computer mouse, since the optical sensor can pick up sound vibrations. Similarly, watching a CPU\u2019s clock speed fluctuate could allow a hacker to steal an encryption key<\/a>. Even a simple LED light on a badge reader can leak enough data<\/a> about the device\u2019s inner workings for an attacker to clone a smart card.<\/p>\n

The beauty of these indirect data leaks \u2014 at least from a hacker\u2019s perspective \u2014 is that they\u2019re not easy to spot. Device manufacturers rarely account for them when building security systems. The downside, however, is just as obvious: extracting information through a mechanism that was never meant for data transmission is often complex, slow, and laborious. The Austrian researchers focused on a specific subtype known as a contention side-channel attack. This is where a leak occurs because multiple processes are competing for the same resource. In this case, that contested resource is the storage drive\u2019s bandwidth.<\/p>\n

Inside the FROST attack<\/h2>\n

This specific side channel has actually been studied before, including in a 2025 research paper<\/a>. Back then, however, the setup was rather straightforward: the researchers ran one program on a computer to act as the data source, while a second program running on the same machine tried to intercept that data. While that\u2019s fine for a theoretical academic study, the attack model wasn\u2019t exactly groundbreaking. After all, if a hacker can already run any program they wish, they don\u2019t need to rely on complex side channels \u2014 they have plenty of direct ways to steal the data.<\/p>\n

Still, last year\u2019s study wasn\u2019t a complete waste of time. It proved that the resolution obtained from monitoring an SSD is quite high, the data leak is real, and the captured information can actually be useful. The FROST attack is essentially a logical continuation of the same idea.<\/p>\n

Here\u2019s how it works in practice. Let\u2019s say there\u2019s a fairly large file on an SSD packed with random data. A specific process reads this data at regular intervals and clocks how fast it gets a response. This speed fluctuates depending on how busy the drive is with other tasks. These access delays are the telltale signs of the drive\u2019s activity. The Austrian researchers demonstrated that plotting these delays over time can help pinpoint with reasonable accuracy what other task is running on the computer at that very moment.<\/p>\n

<\/p>

\"Delay<\/a>

Distinct latency patterns generated when opening specific websites Source <\/a><\/p><\/div>
\nThe researchers mapped out latency graphs, like the ones shown above, for a wide variety of websites and locally running apps. What they found were distinct patterns \u2014 or digital fingerprints \u2014 generated every single time a specific site loads, or an app launches. Capturing these split-second launch or load windows requires monitoring the SSD continuously over a long period of time. However, these patterns proved to be remarkably consistent across different systems; the authors successfully tested their method on both a Linux desktop and an Apple Mac Mini. From there, the next step sounds simple enough: take a catalog of known fingerprints, measure real-world SSD delays, match the two up, and you know exactly what apps the user is opening, and what sites they\u2019re visiting. But how to actually pull off this kind of surveillance under the radar, without planting malware on the victim\u2019s computer?\n

And that\u2019s where a relatively new browser feature called the origin private file system (OPFS) comes into play. A hypothetical attacker doesn\u2019t have to trick the user into downloading a shady Trojan. All they need do is have the victim visit a specially crafted webpage, and that page will leverage OPFS to quietly track the SSD\u2019s activity. The clever acronym brings all these moving parts together: FROST stands for Fingerprinting Remotely using OPFS-based SSD Timing. Here\u2019s the step-by-step breakdown of how the entire attack plays out:<\/p>\n

\"The<\/a>

How the FROST method can be used to spy on a computer\u2019s activity Source <\/a><\/p><\/div>\n

Method limitations<\/h2>\n

Like any side-channel attack, FROST isn\u2019t exactly built for speed. It\u2019s a slow, methodical process. To figure out just how slow, the researchers built a dedicated testbed to measure it.<\/p>\n

\"The<\/a>

The testbed setup for measuring the speed of data extraction through OPFS Source <\/a><\/p><\/div>\n

The team ran a program on a computer to transmit data indirectly. Think of it as a digital spy broadcasting a secret message by changing how it interacts with the hard drive. For instance, a 1 <\/em>in the binary message code could mean the program is actively using the SSD, while a 0<\/em> means it\u2019s sitting idle. At the same time, they set up a receiver inside the web browser that accessed the storage drive via OPFS. Because both the browser receiver and the transmitter program were competing for the SSD\u2019s bandwidth, the browser experienced tiny speed delays whenever the transmitter was actively sending data.<\/p>\n

This bizarre setup managed to transmit data at 661 bits per second, with nearly 90% accuracy on a Linux desktop with an AMD processor. On an Apple Mac Mini running macOS, the transfer rate hit 719 bits per second, also hovering around 90% accuracy. While these numbers are slightly lower than those in last year\u2019s study \u2014 which relied on apps installed directly on the computer\u00a0\u2014 the gap isn\u2019t actually that huge.<\/p>\n

That said, the real threat of the FROST attack isn\u2019t raw data transmission; it\u2019s tracking what the user does. Even if a hacker has a database of digital fingerprints for specific apps and websites, the information leaked through a malicious site using OPFS is too noisy. After all, a computer is constantly reading and writing data from\/to the SSD in the background. To slice through that digital noise, the researchers turned to a tool that\u2019s becoming standard practice in modern cyberattacks: a neural network. AI trained on known SSD fingerprints could confidently pick out user activity even from a chaotic mess of background data. The final results are eye-opening. On the Apple Mac Mini, the AI accurately identified which website the user opened 89% of the time, and nailed local app launches with 96% accuracy. Crucially, it could even detect what websites were opened in a completely different browser than the one running in the malicious tab. It sounds like a total home run for hackers \u2014 except for a massive list of real-world catches.<\/p>\n

Is the FROST attack a real-world threat?<\/h2>\n

Simply knowing which apps are opened or what websites are visited doesn\u2019t give an attacker much leverage. This kind of data is usually useful to advertisers looking to build a user\u2019s digital profile without their permission; however, rolling out this tracking method on a massive scale is hardly realistic. The roadblock comes down to the fundamental way computers handle data: the system regularly dumps frequently accessed data into its RAM. Because the entire FROST attack relies on measuring the relatively slow bandwidth of the physical SSD, the data in RAM is effectively invisible to this method. To bypass this hurdle, the malicious webpage would have to force the OPFS to create a massive file \u2014 well over a gigabyte in size. Needless to say, a website that hogs hard drive resources in such an aggressive way would immediately raise red flags. EDR or XDR solutions<\/a> will most likely flag it as anomalous activity.<\/p>\n

Ultimately, this means the FROST attack \u2014 like most side-channel spying methods \u2014 is only practical for highly targeted operations. But that brings us right back to square one: knowing what apps someone opens or what web pages they browse is a pretty measly reward for the massive effort required to pull off such a sophisticated stunt.<\/p>\n

Even so, FROST is light-years ahead of most academic side-channel attacks when it comes to real-world practicality. It doesn\u2019t require preinstalled malware, and the victim doesn\u2019t have to do anything more than open a malicious page. If nothing else, this research is a stark reminder of just how complex modern computers are, and how many unexpected blind spots can lead to data leaks. When building ultra-secure systems for highly classified data, one absolutely has to consider hardware peculiarities. If the prize is big enough, a determined attacker will gladly invest the time to build a hyper-specific complex attack. Research like this serves as proof that, in the world of cybersecurity, that scenario isn\u2019t impossible.<\/p>\n\n","protected":false},"excerpt":{"rendered":"

Austrian researchers have uncovered a bizarre new way hackers could steal sensitive data.<\/p>\n","protected":false},"author":665,"featured_media":30823,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2036,2609,2610],"tags":[3474],"class_list":{"0":"post-30818","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-side-channel-attacks"},"hreflang":[{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/frost-fingerprinting-attack\/30818\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/frost-fingerprinting-attack\/25859\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/frost-fingerprinting-attack\/30661\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/frost-fingerprinting-attack\/42049\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/frost-fingerprinting-attack\/55970\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/frost-fingerprinting-attack\/30761\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/frost-fingerprinting-attack\/36329\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/frost-fingerprinting-attack\/36219\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.in\/blog\/tag\/side-channel-attacks\/","name":"side-channel attacks"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/30818","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/users\/665"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/comments?post=30818"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/30818\/revisions"}],"predecessor-version":[{"id":30822,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/30818\/revisions\/30822"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media\/30823"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media?parent=30818"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/categories?post=30818"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/tags?post=30818"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}