this post was submitted on 28 May 2026
355 points (98.6% liked)

Technology

84988 readers
4706 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 3 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
355
Researchers say they can spy on your browsing by measuring SSD activity through a browser API (www.tomshardware.com)
submitted 1 day ago by throws_lemy@reddthat.com to c/technology@lemmy.world
72 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] partial_accumen@lemmy.world 23 points 1 day ago* (last edited 1 day ago) (2 children)

The actual paper (PDF) this is based on gives much better information than the article. From that we get some really key information:

To allow FROST to measure SSD contention, the victim must perform activities that result in storage accesses to the same disk as the file used for contention measurement

This can't ready your SSD. It can only listen in on the conversation between your CPU and SSD when something else reads it or writes to it. The whole FROST approach has a number of clever tricks to generate reads from open applications though. Further, it requires the attacker's code to be running in an active browser session.

Also, If you have two SSDs, and your browser is on one, this FROST approach can't see anything written to or read from on the other SSD.

Lastly, there's a mention in the paper about hardware based SSD encryption being vulnerable, there's no mention of Software Whole Disk Encryption. Given how the researchers are using the SSD timing exploit, I would guess that a software (not hardware) whole disk encryption might be immune to this attack because the patterns of timings would be different with encrypted data being written to the SSD (instead of the data being encrypted by the SSD when written.

[–] hansolo@lemmy.today 7 points 1 day ago (1 children)

The paper also mentions that it also takes downloading a 1GB OFPS file and JS in use.

This isn't so much "researchers can track you" so much as "it's theocratically possible with stock laptops and browsers, within limitations."

[–] ripcord@lemmy.world 2 points 20 hours ago

And even in the ideal case, not very effective.

Interesting approach, but that's about it.

[–] Buddahriffic@lemmy.world 1 points 1 day ago (1 children)

Sounds like a bunch of timing attacks could be rendered useless if access to an accurate timer required special permission. And without the permission, it either limited the resolution or added random jitter to any timer APIs.

[–] bitfucker@programming.dev 2 points 14 hours ago

Yeah, honestly we should have a way to instrument JS without actually making the JS runtime able to read the measurement data