Researchers at Graz University of Technology have disclosed a new cross-site tracking attack called FROST that exploits SSD timing variations to identify which websites users visit and which applications they run. The attack requires only JavaScript and operates without native code, browser extensions, or user permission prompts.
FROST functions by monitoring SSD access patterns in the background while a malicious webpage sits open in a browser tab. Modern SSDs exhibit measurable performance variations when handling concurrent I/O requests. The attack measures these timing differences to infer which applications and services access the storage device, then correlates those patterns with known SSD fingerprints of popular websites and applications.
The threat model applies broadly. Any website a user visits can execute the FROST attack. The malicious page runs JavaScript that repeatedly attempts storage operations while measuring response latencies. When another application or browser tab accesses the SSD simultaneously, timing anomalies emerge. Researchers demonstrated successful identification of installed applications, visited websites, and cached content across multiple victim machines.
This attack bypasses traditional tracking defenses. Content blockers and privacy-focused browser settings do not prevent it. Users grant no explicit permission. The attack generates no obvious performance impact, allowing it to operate undetected during a passive browsing session.
The implications extend beyond individual privacy. Organizations face exposure of employee browsing habits and internal application usage patterns. Financial institutions, legal firms, and healthcare providers risk information leakage through SSD timing side-channels. An attacker could identify when employees access sensitive internal systems or competing services.
Mitigation options remain limited at present. Browser vendors can implement SSD timing noise injection or restrict access to high-precision timers. Operating systems could virtualize storage performance characteristics. However, widespread defenses have not yet materialized.
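The timer-restriction mitigation mentioned above can be evaluated with a small model. This is an added example, not code from the FROST researchers or from any browser: it clamps a clock to a fixed resolution and reports how often one latency reading still separates an idle from a busy storage device. The function names, the 300 µs and 450 µs latencies, and the midpoint-threshold rule are assumptions made for illustration.

```javascript
// Added example: model of a reduced-resolution clock. All values are constructed.
// Times are integer microseconds to avoid floating-point rounding at tick edges.

// What a clock with the given resolution reports for true time tUs.
function coarseNow(tUs, resolutionUs) {
  return Math.floor(tUs / resolutionUs) * resolutionUs;
}

// Duration a script would observe for an operation that truly takes durUs
// and starts at startUs, when it can only read the coarsened clock.
function observedDuration(startUs, durUs, resolutionUs) {
  return coarseNow(startUs + durUs, resolutionUs) - coarseNow(startUs, resolutionUs);
}

// Fraction of single measurements that a midpoint-threshold rule labels
// correctly, sweeping every start offset within one 1000 us window.
function singleSampleAccuracy(idleUs, busyUs, resolutionUs) {
  const threshold = (idleUs + busyUs) / 2;
  let correct = 0;
  let total = 0;
  for (let start = 0; start < 1000; start++) {
    if (observedDuration(start, idleUs, resolutionUs) < threshold) correct++;
    if (observedDuration(start, busyUs, resolutionUs) >= threshold) correct++;
    total += 2;
  }
  return correct / total;
}

// Constructed latencies (not measurements from the paper).
const IDLE_US = 300;
const BUSY_US = 450;

for (const res of [5, 100, 1000]) {
  const acc = singleSampleAccuracy(IDLE_US, BUSY_US, res);
  console.log(`resolution ${res} us -> single-sample accuracy ${acc.toFixed(3)}`);
}
```

With these constructed numbers, accuracy stays at 1.0 while the clock resolution is below the 150 µs latency gap and falls to 0.575 at 1000 µs, close to the 0.5 of guessing. The model covers clamping only; injected timing noise is not simulated.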
The FROST research highlights how hardware-level characteristics create exploitable information channels that conventional security layers fail to address. Users currently possess no
