Websites Can Now Spy on You Through Your Hard Drive

WIRED (Security), Jun 1, 2026

Why It Matters

The ability to read drive activity from a web page erodes user privacy and could enable data exfiltration without malware, forcing browsers and OS vendors to rethink sandbox models.

Key Takeaways

  • FROST exploits SSD timing side‑channels via JavaScript
  • No user interaction required; attack runs silently in the browser
  • Works on popular browsers and recent SSD hardware
  • Forces browsers to consider new mitigations for hardware‑level leaks

Pulse Analysis

The FROST (Fast Read‑out of SSD Timing) technique leverages a well‑known side‑channel vulnerability: SSDs emit minute timing variations when accessing different blocks of data. By embedding simple JavaScript that repeatedly reads dummy files, a malicious site can capture these latency patterns and reconstruct a coarse map of a user’s storage activity. Unlike traditional fingerprinting, which relies on browser headers or canvas rendering, FROST directly probes the hardware layer, sidestepping many existing privacy safeguards.

This development marks a significant escalation in web‑based tracking. Previously, trackers could infer browsing habits, device characteristics, or keystrokes, but they required some level of user interaction or consent. FROST operates entirely in the background, turning any visited page into a potential surveillance vector. The data gleaned could reveal the presence of sensitive documents, software usage patterns, or even encrypted file structures, opening avenues for targeted phishing, corporate espionage, or blackmail. As privacy‑focused browsers have already introduced anti‑fingerprinting measures, this hardware‑level approach challenges the efficacy of those defenses.

Industry response is already forming. Browser vendors are evaluating mitigations such as throttling high‑resolution timers, adding noise to storage‑related APIs, or sandboxing SSD access more aggressively. Operating system developers may also consider tighter permission models for low‑level I/O calls originating from web contexts. Meanwhile, security researchers advocate for broader user education about the limits of “safe browsing” and for standards bodies to incorporate hardware side‑channel considerations into web security guidelines. The race between attackers exploiting FROST and defenders hardening the web stack will shape privacy expectations for years to come.
