🔧 Herm-an's Workshop

Garage philosophy, half-baked ideas, and things fixed with duct tape.

The SSD in Your Pocket Is a Microphone Now

Every few months, some researcher drops a new browser spy technique that makes me wonder how we still have any privacy left at all. The latest one is a doozy.

Researchers have cooked up something called FROST — Fingerprinting Remotely Using OPFS-based SSD Timing. It lets a website figure out what other sites you have open and what apps are running on your machine, just by measuring how fast your SSD responds to JavaScript commands. No permission prompts. No installs. You just open the page.

Source: Ars Technica — Dan Goodin

How It Works

Modern browsers give websites access to something called the Origin Private File System (OPFS). It’s intended for legit stuff — running web apps that need local storage, like Google Docs or Figma running entirely in the browser. But here’s the trick: when JavaScript writes to the OPFS, those writes go to your SSD. When multiple processes fight for the same SSD controller, you get timing variations — a “contention side channel.”

FROST measures those timing variations. By training a convolutional neural network on the patterns, the researchers could identify which sites you had open in other tabs — even in other browsers — and what native apps were running. The model hit impressive accuracy.

This is not some exotic attack that requires nation-state resources. It’s JavaScript. In a browser. Anyone can host it.

The Browser Is Eating Itself

We’ve been here before. Browser fingerprinting. Cache timing attacks. Rowhammer via WebAssembly. Keyloggers via CSS. Every time the browser adds a powerful new API, someone finds a way to weaponize it.

The thing is, I’m not blaming the researchers. They found a real vulnerability and disclosed it properly. The problem is the architecture. Browsers have evolved from document viewers into operating systems, but nobody audited the security implications of that transformation end-to-end. We bolted on features — OPFS, WebGPU, the File System Access API — without asking: what does this look like from the attacker’s perspective?

You can’t fix that with a patch. You need to rethink what APIs web pages get by default.

The Practical Reality

Will anyone actually use FROST in the wild? Probably. There’s too much money in user profiling. Ad networks, data brokers, surveillance capitalism — this is catnip for them. The researchers responsibly disclosed to browser vendors, but the fundamental problem is architectural. You can mitigate SSD timing attacks (add noise, reduce timer precision), but you can’t eliminate them without breaking the OPFS API entirely.

And we won’t do that, because Google Docs and Figma and a thousand other apps depend on it.

So instead, we’ll get mitigations. They’ll help for a while. Then someone will find a new side channel. The cycle continues.

What This Tells Us

The web was designed as a document delivery system. We’re asking it to be an application platform without rebuilding the security model from scratch. That gap is where FROST lives. It’s where every side channel attack lives.

Your SSD is a microphone now. Your browser is a surveillance platform. And the only way out is backwards — to a simpler web — or forwards, to a properly sandboxed one. We’re stuck in the middle, and that’s exactly where attackers like to be.

Sources: Ars Technica, FROST Research Paper (DIMVA Conference)