29 May 2026·6 min read·By Erik Vanderwall

What Is FROST? The New SSD Side-Channel That Spies on Web Visitors

FROST, a new side-channel attack, lets websites spy on visitors by measuring SSD latency through OPFS and feeding the traces to a neural network that detects open tabs and apps.

FROST is a browser-based side-channel technique that lets any website quietly map out which other tabs and applications you have open. The attack measures subtle timing differences in solid-state drive I/O operations from unprivileged JavaScript. The researchers plan to present the full paper at the DIMVA conference in July.

How FROST Spies Through Your SSD

For years, trackers have harvested browsing histories, device fingerprints, and keystroke dynamics. FROST adds a fresh vector: a contention side channel, the kind of leak that appears when multiple processes compete for the same physical resource. By watching how the SSD responds under load, an attacker can infer what else the machine is doing. The attack never asks for permission; it only requires the visitor to load a page hosting the malicious script.

FROST works across browsers and can spot open websites even if they sit in tabs you haven't touched in hours, which makes it both powerful and unnerving. The researchers measured the timing of input-output operations on the SSD and trained a convolutional neural network on those latency traces; the model learned to classify distinct patterns tied to specific websites and applications. No clicks, pop-ups or other user interaction are needed.

A Side Channel Born from Contention

At FROST's core is the Origin Private File System (OPFS). This sandboxed storage bucket, silently created without any action by the visitor, is isolated from the rest of the machine and from other origins, yet JavaScript within it can still measure how fast read operations finish. When the user's system is busy loading another website or running a desktop app, the SSD becomes congested, and that congestion shows up as tiny but measurable delays.

The paper explains that the attacker continuously measures SSD contention by performing random reads from a large OPFS file. Contention caused by user activity produces measurable latency differences for these reads; by training a convolutional neural network on the resulting traces, the attacker can fingerprint activity on the host system by classifying new traces with the trained model.

Browsers aren't simple document viewers anymore. The paper's authors note that while these features boost web app capabilities and enable completely novel use cases, they also increase the browser's attack surface, and some have already been shown to introduce new vulnerabilities.

The Anatomy of the Attack

The first step for the researchers was to force the creation of an absurdly large file inside the OPFS; that file becomes the canary. JavaScript repeatedly reads random blocks from it while the visitor goes about their business, and the read latencies are the fingerprint. Run the raw measurements through a pretrained CNN, and you get a surprisingly accurate guess of what the person is doing right now.

FROST doesn't need root access, a malicious extension or any trickery that trips security warnings. It runs entirely inside the browser's storage mechanisms, and its only external requirement is that the targeted data and the OPFS file sit on the same physical SSD. In practice that's almost always true, because browsers store their OPFS data on the same drive as the cache and profile.

Limitations That Keep FROST in Check

There is a catch, though. The OPFS file must be enormous, likely a gigabyte or more, and that is not subtle. A drive suddenly swelling with a mystery gigabyte file would raise eyebrows, and mass-scale exploitation would light up telemetry fast. The researchers are clear that rolling out an undetected campaign at internet scale would be difficult for this reason alone.

Drive layout is another constraint. The attack only sees I/O contention on the drive that holds its OPFS data, so if the visitor's apps run from a separate SSD, they're invisible to FROST. That detail narrows the window for broad surveillance but still leaves the average home user exposed.

  • The OPFS file must be extremely large, likely a gigabyte or more, making mass exploitation easy to detect.
  • FROST's OPFS file must reside on the same SSD as the activity it targets; apps on a different drive remain hidden.
  • The technique has never been spotted in the wild and was fully demonstrated only on an M2 Mac.

What the Researchers Discovered

Windows wasn't tested. Hannes Weissteiner, one of the paper's co-authors, confirmed that by email. On Linux the team showed that the primitive works and can measure SSD access latency traces from JavaScript, but they didn't run the complete classification pipeline. He wrote, "In principle, it would be possible to train a model on any system activity that reliably generates SSD accesses." The group expects similar performance on Linux as on macOS, given the comparable primitive speed.

That flexibility is the worry. FROST doesn't care about the operating system; it cares only about physical contention on the flash storage, and as long as a process reliably hits the SSD, a trained neural network can learn to recognise it. The researchers showed that the attack classifies both browser tabs and native applications, even when the tabs come from a different browser altogether.

Defenses and the Path Forward

No FROST attacks have been reported in the wild. The paper, scheduled to appear at DIMVA in July, remains a demonstration of what the browser platform inadvertently permits. The researchers propose that browser makers cap the maximum allowable size of OPFS files to shut the side channel; the attack becomes impractical because the probing file can't grow large enough to produce clean timing signatures.
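Why a size cap blunts the random-read probe described above is easiest to see with a small simulation. This is an added model, not code or data from the paper: it assumes a probe read only carries the contention signal when it misses the OS page cache or SSD cache, so a file not much larger than that cache yields almost no flash reads to observe. Every latency figure and the cache size are constructed parameters.

```python
import math
import random
import statistics

# Constructed model parameters: illustrative magnitudes, not measurements from the paper.
CACHE_BYTES = 256 * 2**20        # probe-file bytes the OS page cache / SSD cache can retain
CACHE_HIT_US = 2.0               # latency of a read served from cache (microseconds)
FLASH_IDLE_US = 80.0             # flash read latency with no competing I/O
FLASH_BUSY_EXTRA_US = 40.0       # added latency while another process is hammering the SSD
FLASH_JITTER_US = 15.0           # random noise on every flash read


def simulate_trace(file_bytes, busy, n_reads, rng):
    """Latencies of n_reads random reads from a probe file of file_bytes.

    Model assumption: offsets are uniform, so a read is served from cache with
    probability min(1, CACHE_BYTES / file_bytes); only reads that reach flash
    carry the contention signal.
    """
    hit_p = min(1.0, CACHE_BYTES / file_bytes)
    trace = []
    for _ in range(n_reads):
        if rng.random() < hit_p:
            trace.append(CACHE_HIT_US + rng.gauss(0.0, 0.2))
        else:
            latency = FLASH_IDLE_US + rng.gauss(0.0, FLASH_JITTER_US)
            if busy:
                latency += FLASH_BUSY_EXTRA_US
            trace.append(latency)
    return trace


def separability(file_bytes, n_reads=2000, seed=1):
    """Effect size between an idle and a busy trace: difference of means over the
    pooled standard deviation. Near 0 the traces are indistinguishable; above ~1 a
    classifier separates them easily."""
    rng = random.Random(seed)
    idle = simulate_trace(file_bytes, False, n_reads, rng)
    busy = simulate_trace(file_bytes, True, n_reads, rng)
    pooled = math.sqrt((statistics.pvariance(idle) + statistics.pvariance(busy)) / 2)
    return (statistics.fmean(busy) - statistics.fmean(idle)) / pooled


def cap_effect(sizes_bytes=(128 * 2**20, 2**30, 4 * 2**30, 16 * 2**30)):
    """Map each candidate OPFS size cap to the separability the probe would reach."""
    return {size: separability(size) for size in sizes_bytes}


if __name__ == "__main__":
    for size, sep in cap_effect().items():
        print(f"probe file {size / 2**30:5.2f} GiB -> separability {sep:.2f}")
```

Under these assumptions a cap at or below the cache size leaves separability near zero, while multi-gigabyte files push it well above 1, which is the regime a trained classifier needs.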

You can take immediate steps. Closing tabs you don't need shrinks the attack surface, and more technically inclined users can watch for suddenly bloated OPFS allocations from sites they've never granted storage permission. Small habits like these make it harder for any contention-based fingerprint to paint a complete picture of your digital life.

  • Close tabs as soon as they are no longer required.
  • Monitor the creation and size of OPFS files allocated by unknown websites.
  • Advocate for browser-level limits on single-origin storage quotas.

The arrival of FROST doesn't signal an arms race nobody can win, but it highlights that every new browser capability, even a quiet file storage API, can be twisted into a surveillance tool. The fix isn't to strip away modern web features but to add sensible guardrails. The July conference will be the first chance for the broader security community to weigh in. Until then, the file system stays silent. But the timers keep running.

Frequently Asked Questions

What is FROST?

FROST is a new side-channel attack that exploits the SSD's internal behavior to spy on web visitors by monitoring data access patterns.

How does FROST work?

FROST works by observing the timing and patterns of SSD read/write operations to infer which websites a user is visiting, even with encryption.

Who is at risk from FROST?

Anyone using a computer with a vulnerable SSD, especially those on shared or cloud systems, could be at risk of having their browsing activity monitored.

Can FROST be mitigated?

Mitigations include using SSDs with built-in defenses, randomizing data access patterns, or employing software-based countermeasures to obfuscate timing.

Is FROST a widespread threat?

FROST is currently a proof-of-concept attack, but it highlights a significant vulnerability that could be exploited in targeted surveillance scenarios.

Erik Vanderwall
Written by
Security and Privacy Correspondent

Erik Vanderwall reports on information security, data breaches and the defenders working to keep systems safe. He follows the constant contest between attackers and the people trying to stop them.
