FROST Attack: Websites Track Your Apps via SSD Timing


A malicious website can now track which apps and sites you open using only JavaScript and your SSD's timing. The FROST attack needs no permissions, extensions, or native code—just an open tab. Learn how it works and how to protect your privacy.

Imagine opening a website and, without you clicking a single thing, that site figures out which other apps or pages you have running. Sounds like something out of a spy movie, right? Well, it's real. Researchers at Graz University of Technology have developed a new technique called FROST that uses nothing but JavaScript and the timing of your SSD to track what you're doing. No special permissions, no extensions, no native code—just a tab sitting quietly in the background.

Here's the wild part: you open the malicious page, leave it open, and it watches your drive for something called "contention." That's a fancy way of saying it measures how long it takes your SSD to respond to requests. When you switch to another app or load another site, your SSD gets busy, and the timing changes slightly. The FROST attack picks up on those tiny delays and uses them to figure out what you're up to.

### How Does FROST Actually Work?

At its core, FROST exploits a basic fact about modern SSDs: they're fast, but not perfectly consistent. When your computer reads or writes data to the drive, the speed depends on what else the drive is doing. If you're running multiple apps or browsing several sites, the SSD has to juggle all those requests, causing measurable delays.

The FROST script runs in your browser and constantly sends small, timed requests to the drive. By analyzing the response times, it can detect patterns that match specific activities. For example, opening a video streaming app might cause a spike in read requests, while launching a chat app might trigger a different pattern.

The researchers showed that FROST can identify which apps you're using with surprising accuracy. It's not perfect—it works best when you have a limited set of apps open—but it's scary effective for a proof of concept.

![Visual representation of FROST Attack](https://ppiumdjsoymgaodrkgga.supabase.co/storage/v1/object/public/etsygeeks-blog-images/domainblog-43dc7d18-cfe7-4c29-90e5-d22685a58fb3-inline-1-1781128960943.webp)

### Why This Matters for Privacy

This attack is a big deal because it bypasses most traditional privacy protections. Browser sandboxing? Doesn't help. JavaScript restrictions? FROST uses standard, allowed APIs. The attack doesn't need to access your files or see your screen—it just watches the clock. And since it runs entirely in the browser, there's no way for your operating system to flag it as suspicious.

Here are a few key takeaways:

- **No permissions needed**: FROST doesn't ask for access to your camera, microphone, or files.
- **No extensions**: It runs in plain old JavaScript, which every modern browser supports.
- **Passive monitoring**: Once the tab is open, it works silently in the background.

This means that any website you visit could potentially be tracking your other activities without you knowing. It's a reminder that even seemingly harmless browser features can be weaponized.

### Who's at Risk?

Anyone using a standard SSD—which is basically everyone with a modern laptop or desktop—could be vulnerable. The attack works on both Windows and macOS systems, and it doesn't require any special hardware. The researchers tested it on a variety of SSDs and found it effective across the board.

However, the attack does have limitations. It's less accurate when you have many apps running at once, and it struggles with activities that don't generate consistent drive traffic. Still, for a targeted attack—say, a malicious ad on a popular site—it could be used to profile users based on their app usage. That's a privacy nightmare.

### What Can You Do About It?

Right now, there's no easy fix. Browser vendors are aware of the issue, but patching it would require limiting JavaScript timing accuracy, which could break legitimate features. Some security experts suggest using a privacy-focused browser with built-in timing protections, but that's not a complete solution.

The best defense is to be mindful of which sites you leave open in your browser tabs. If you're really concerned, you could disable JavaScript entirely, but that breaks most of the web. A more practical approach is to use browser extensions that block malicious scripts, though they won't catch everything. Ultimately, this attack highlights the need for better hardware-level privacy protections.

### The Bottom Line

The FROST attack is a clever but unsettling reminder that our devices are full of side channels we don't think about. Your SSD's timing might seem like a trivial detail, but in the hands of skilled researchers, it becomes a powerful tracking tool. As the web evolves, so do the threats. Stay informed, stay cautious, and don't leave tabs you don't trust sitting open in the background.
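
The mitigation named under "What Can You Do About It?", limiting JavaScript timing accuracy, can be illustrated with a small simulation of how a coarser clock reduces what a single timing measurement reveals. This is an added example, not code from the article or from the FROST researchers; the latency ranges (80-100 µs idle, 120-140 µs contended) and the clock resolutions are constructed values, and no drive is measured.

```javascript
// Added example: simulation over constructed numbers; no drive is measured.
// mulberry32: small seeded PRNG so every run gives the same result.
function mulberry32(a) {
  return function () {
    let t = (a += 0x6d2b79f5);
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Constructed latencies in microseconds: base plus uniform noise.
function sampleLatencies(rand, n, baseUs, noiseUs) {
  return Array.from({ length: n }, () => baseUs + rand() * noiseUs);
}

// Duration a page would read from a clock that only ticks every
// resolutionUs: both timestamps are floored, with a random start phase.
function observe(rand, latencyUs, resolutionUs) {
  const start = rand() * resolutionUs;
  const tick = (t) => Math.floor(t / resolutionUs) * resolutionUs;
  return tick(start + latencyUs) - tick(start);
}

// Accuracy of the best single threshold separating idle from contended.
function bestThresholdAccuracy(idle, busy) {
  let best = 0;
  for (const th of [...idle, ...busy]) {
    const correct =
      idle.filter((x) => x < th).length + busy.filter((x) => x >= th).length;
    best = Math.max(best, correct / (idle.length + busy.length));
  }
  return best;
}

// Per-sample accuracy for a given clock resolution (hypothetical helper).
function accuracyAtResolution(resolutionUs, seed = 1) {
  const rand = mulberry32(seed);
  const seen = (l) => observe(rand, l, resolutionUs);
  const idle = sampleLatencies(rand, 500, 80, 20).map(seen);
  const busy = sampleLatencies(rand, 500, 120, 20).map(seen);
  return bestThresholdAccuracy(idle, busy);
}

for (const res of [5, 100, 1000]) {
  const pct = (accuracyAtResolution(res) * 100).toFixed(1);
  console.log(`${res} us clock: ${pct}% per-sample accuracy`);
}
```

Coarsening lowers what one measurement reveals, but the difference in average latency is still present across many measurements, so it slows the leak rather than removing it.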