Researchers at Graz University of Technology discovered a side-channel attack called 'Frost' that can identify websites and applications by measuring SSD timing variations when reading data from the Origin Private File System (OPFS), achieving 89% accuracy in lab conditions; however, real-world accuracy is significantly lower due to background processes, tab management, and system noise, making it impractical for average users despite the theoretical privacy concern.
Deep Dive
The SSD Situation
Welcome back to another episode of Bro Induces a Panic Attack. Researchers say they can spy on your browsing by measuring SSD activity through a browser API with no permissions or user interaction. This headline has blown up in a lot of different privacy communities and for good reason because this claim is pretty terrifying. It's saying any website can spy on you by measuring SSD activity through the browser with an attack called Frost.
This was initially discovered by researchers at Graz University of Technology in Austria. It has an 89% accuracy rate identifying websites, 96% accuracy identifying apps. It doesn't need permissions, and it works with all browsers. So, that's it. Game over. SSD is compromised. I'm only ever booting from a live USB and storing all my files on a completely separate hard drive.
Thanks for watching. No, but seriously, I've seen the story published in a few places now. I've gone through the actual research paper, and as of right now, I think a Frost attack is very unlikely to happen against the average user. Let me explain how it works.
The JavaScript on some websites requires you to load something called an OPFS, or an Origin Private File System. It is a heavily sandboxed virtual storage endpoint for your browser. You can see it invoked with this script, and it's required for web apps that require high performance and data processing like game emulation, editing media, machine learning models that are loaded into the browser. You see this a lot with on-device ID verification. The list goes on.
Well, when your SSD is busy loading different applications or sites, it slows down slightly. And an attacker that has their page load in OPFS will create a giant file and tell the browser to read random data from the OPFS file. So, when the SSD is doing other things, reading the data from the OPFS file becomes slower, and those tiny differences in timing are recorded and become a fingerprint. This all happens in the background of the website without notifying the user.
But here's the thing. For the measurements to be accurate in the real world, so many factors have to be correct. The lab that this exploit was performed in to get an 89% accuracy rate required specific conditions. For one, the attacking website's tab must be active in the foreground. You can't let the browser background the tab. Next, the OPFS file has to be larger than the system memory. So, if your browser is reading from a file that's 300 GB large and your system memory is only 16 gigs of RAM, for example, you're going to notice a huge slowdown. Activities must also be limited to one SSD as well.
So in the controlled setup in the lab, the researchers used the same Mac Mini for both training and testing, used a known set of 50 websites and 10 apps, disabled sleep, screen saver, and auto logout, and used automated scripts to perfectly time the website launches. In reality, your browser tabs are going to background themselves constantly. You might have a myriad of other processes adding noise to the data, not to mention random background updates and Discord notifications, Spotify. Everything generates random data. That 89% that they got in the lab is only under perfectly controlled conditions. If this was running on your computer right now, accuracy would be much lower. So, what did the browser vendors have to say about this? Well, in typical Google fashion, Google considers this a feature, not a vulnerability. Go figure.
Apple stated that it's currently out of scope. And Mozilla acknowledged the problem, but doesn't have a plan to fix it yet. And honestly, on this rare occasion, I sort of agree with the companies' viewpoint. Frost attacks are good to know about because they're quite novel, but as of right now, it's really not a practical attack vector. So, that being said, should you worry?
For the average person, I wouldn't worry. Frost is way too impractical.
There are so many other ways to track you that already exist and have 100% accuracy. For a high-value target like a journalist, an activist, a company executive, I would say the same. Again, there are tools and attacks that are much more discreet and have 100% accuracy. Unless you're already a person under highly sophisticated surveillance, I wouldn't worry about this. And even if you are one of those guys, it's just another turd in the sewer of threats you already face. However, for the future, I would definitely keep Frost in mind.
Browsers keep getting more powerful APIs with near-native capabilities, and browser vendors are slow to classify Frost as a real problem. So, in the future, when hopefully we all can afford RAM again, I do see this creeping up.
But then again, things look pretty grim on that front, too. Nevertheless, it is fantastic research. I'll leave a link to the paper down below. And don't take headlines at face value, unless of course you're making a YouTube video.
>> Oh brother. I appreciate every one of you guys for watching and special thanks to the base and George for supporting the channel directly. I hope you got something out of this video and I'll catch you guys in the next one.