FROST Attack Turns SSDs Into Surveillance Tools
A new side-channel attack called FROST (fingerprinting remotely using OPFS-based SSD timing) lets websites spy on your other tabs and apps by measuring solid-state drive (SSD) access latencies. The attack is detailed in a research paper and runs entirely in the browser using JavaScript. It exploits the Origin Private File System (OPFS) — a sandboxed storage area that websites can create without user interaction.
How FROST Works
FROST is a contention side-channel attack. It measures timing differences in I/O operations when multiple processes compete for the SSD. The attacker's JavaScript creates a large OPFS file (≥1GB) and performs random reads, timing each read. Meanwhile, other processes (e.g., a different browser tab, a video editor) also generate SSD activity, causing measurable latency variations in the attacker's reads.
A pretrained convolutional neural network (CNN) classifies these latency traces to identify which websites or applications are active. The researchers demonstrated the full attack end to end on an M2 Mac and confirmed that the timing primitive itself also works on Linux. Windows was not tested.
Technical Details
- OPFS file size: At least 1GB, stored on the same SSD as the target activity.
- Measurement: JavaScript performs random reads from the OPFS file and records latency.
- Model: CNN trained on latency traces to classify activity (e.g., "Spotify running", "YouTube tab open").
- Attack surface: No user interaction beyond visiting the malicious site.
- Limitations: Large file size may be detected; only works if OPFS is on the same SSD as target apps; not tested on Windows.
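The sampling loop behind the primitive described above, as an added illustration and not code from the FROST paper or its authors: a large OPFS file, random block-aligned reads, a timestamp around each read, and a per-window summary of the resulting latencies of the kind a classifier would be fed. The block size, the window statistics, the contention threshold and the helper names (openProbeFile, collectTrace, windowFeatures, contentionDetected) are this example's own choices. The read and the clock are injected so the loop can be exercised outside a browser; in a browser the read would wrap an OPFS FileSystemSyncAccessHandle inside a Dedicated Worker, as openProbeFile sketches.

```javascript
// Added example (not from the FROST paper): the contention-timing probe the
// article describes, with the read and the clock injected for testing.

const PROBE_FILE_SIZE = 1 << 30; // 1 GiB, the minimum size the article reports
const BLOCK = 4096;              // read granularity; an assumed value

// Reproducible xorshift32 PRNG so random offsets are deterministic under test.
function makeRng(seed) {
  let s = (seed >>> 0) || 1;
  return () => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5;  s >>>= 0;
    return s;
  };
}

// Collect n per-read latencies in ms. readAt(offset, buf) performs one read;
// opts.now overrides the clock (defaults to performance.now for a real run).
function collectTrace(readAt, n, opts = {}) {
  const fileSize = opts.fileSize ?? PROBE_FILE_SIZE;
  const now = opts.now ?? (() => performance.now());
  const rng = makeRng(opts.seed ?? 1);
  const blocks = Math.floor(fileSize / BLOCK);
  const buf = new Uint8Array(BLOCK);
  const trace = new Float64Array(n);
  for (let i = 0; i < n; i++) {
    const offset = (rng() % blocks) * BLOCK; // random, block-aligned, in range
    const t0 = now();
    readAt(offset, buf);
    trace[i] = now() - t0;
  }
  return trace;
}

// Summarise a trace as fixed-size windows. A model such as the article's CNN
// would consume the raw windows; these statistics are what a person would
// inspect first. "spikes" counts reads delayed well beyond the window median.
function windowFeatures(trace, windowSize) {
  const windows = [];
  for (let s = 0; s + windowSize <= trace.length; s += windowSize) {
    const w = Array.from(trace.subarray(s, s + windowSize)).sort((a, b) => a - b);
    const median = w[Math.floor(w.length / 2)];
    windows.push({
      mean: w.reduce((a, b) => a + b, 0) / w.length,
      median,
      p95: w[Math.floor(w.length * 0.95)],
      spikes: w.filter((x) => x > 2 * median).length,
    });
  }
  return windows;
}

// Crude contention flag: a window whose p95 sits well above a quiet baseline.
// The factor of 3 is an assumed threshold, not a value from the paper.
function contentionDetected(baseline, window, factor = 3) {
  return window.p95 > factor * baseline.p95;
}

// Browser-only wiring (does not run under Node): create the probe file in OPFS
// from a Dedicated Worker and return a readAt over a sync access handle. The
// file is filled rather than merely truncated, on the assumption that reads of
// an unwritten (sparse) region would be served without touching the SSD.
async function openProbeFile(name, size = PROBE_FILE_SIZE) {
  const dir = await navigator.storage.getDirectory();
  const handle = await dir.getFileHandle(name, { create: true });
  const access = await handle.createSyncAccessHandle(); // Worker-only API
  const chunk = new Uint8Array(1 << 20).fill(0xa5);
  for (let off = 0; off < size; off += chunk.length) access.write(chunk, { at: off });
  access.flush();
  return {
    readAt: (offset, buf) => access.read(buf, { at: offset }),
    close: () => access.close(),
  };
}
```

In a browser the loop would be `const f = await openProbeFile("probe.bin"); const trace = collectTrace(f.readAt, 10000);` inside a worker, followed by `windowFeatures(trace, 100)`; the window size and sample count are illustrative. The same loop, pointed at a file that is not on the SSD the target applications use, yields no signal, which is the locality limitation the article notes.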
Mitigations
- Close tabs you are not actively using; a malicious page can only sample while it is open.
- Monitor OPFS file creation and size (browser developer tools); a file of 1GB or more created by a site you just visited is the signature to look for.
- Browser vendors can cap the maximum OPFS file size below the roughly 1GB the attack needs.
Why It Matters
This attack demonstrates that modern browser APIs (OPFS) can be abused for side-channel surveillance. As browsers become more powerful, the attack surface grows. Developers should be aware that sandboxed storage may still leak information through timing side channels.
What You Can Do Now
- Review your browser's OPFS usage: in Chrome, open chrome://settings/content/all and look for "Origin Private File System".
- Use browser extensions that block large OPFS allocations.
- Advocate for browser-level mitigations like size limits on OPFS files.