Websites have a new way to spy on visitors: analysing their SSD activity

Academic researchers have revealed that websites have found a new way to track visitors: observing the visitor's SSD (solid-state drive) disk activity via the browser. According to Ars Technica's reporting, this attack technique can profile the visitor's device in a way that most current browser protections do not address, which creates a new concern for web-based privacy.
At the heart of the attack technique are timing differences in the queries the browser indirectly makes to the operating system using JavaScript and other web APIs. The website initiates controlled file read/write operations and measures the response times. Differences in SSDs' internal cache structures and disk-controller behaviour allow inferences to be made from these measurements.
The research team documented that various SSD models (Samsung, Crucial, Western Digital, Kingston) exhibit different 'signature' behaviours. This signature enabled the data generated during a browser session to be used to classify the device's SSD model with a high degree of accuracy. It can be classified as a classical 'fingerprinting' technique, but it is a variant tailored to the SSD layer.
In terms of privacy impact, this technique bypasses existing browser measures such as cookie deletion or incognito mode. Even after a user has cleared their browser's cookies, because the SSD signature remains stable, a link can be established between subsequent visits. How existing privacy laws such as the European Union's GDPR and California's CCPA will respond to this kind of tracking technique is not yet clear.
The evidence noted in the research report shows that the technique can work with high accuracy under laboratory conditions. However, various limitations exist in real-world attack scenarios: the visitor's SSD being under heavy use lowers measurement sensitivity; the SSD-controller behaviour of mobile devices differs from desktop versions; and timing-noise injection methods applied by the browser can reduce the attack's success rate.
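The effect of timer coarsening and jitter on this kind of classification can be shown with a small simulation. This is an added example, not code from the researchers or from Ars Technica; the two device profiles, their latency figures, the 1 ms resolution and jitter values, and the midpoint-threshold classifier are all constructed assumptions.

```javascript
// Simulation only: every number here is constructed, not measured.
function makeRng(seed) { // mulberry32, deterministic so runs are reproducible
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

function gaussian(rng, mean, sd) { // Box-Muller transform
  const u = 1 - rng(), v = rng(); // u in (0, 1], so log(u) is finite
  return mean + sd * Math.sqrt(-2 * Math.log(u)) * Math.cos(2 * Math.PI * v);
}

// Timestamp as page script sees it: clamped to the timer resolution, plus uniform jitter.
function stamp(rng, tUs, resolutionUs, jitterUs) {
  return Math.floor(tUs / resolutionUs) * resolutionUs + rng() * jitterUs;
}

// Hypothetical device profiles: per-operation latency in microseconds.
const PROFILES = { A: { mean: 100, sd: 10 }, B: { mean: 120, sd: 10 } };

// Mean duration observed over n timed operations on one device.
function observeMean(rng, profile, n, resolutionUs, jitterUs) {
  let sum = 0;
  for (let i = 0; i < n; i++) {
    const start = rng() * 1e6; // random phase relative to the clock grid
    const end = start + Math.max(0, gaussian(rng, profile.mean, profile.sd));
    sum += stamp(rng, end, resolutionUs, jitterUs) - stamp(rng, start, resolutionUs, jitterUs);
  }
  return sum / n;
}

// Fraction of sessions in which a midpoint-threshold classifier picks the right profile.
function classificationAccuracy(resolutionUs, jitterUs, sessions = 400, n = 20, seed = 1) {
  const rng = makeRng(seed);
  const threshold = (PROFILES.A.mean + PROFILES.B.mean) / 2;
  let correct = 0;
  for (let s = 0; s < sessions; s++) {
    const truth = s % 2 === 0 ? "A" : "B";
    const mean = observeMean(rng, PROFILES[truth], n, resolutionUs, jitterUs);
    if ((mean < threshold ? "A" : "B") === truth) correct++;
  }
  return correct / sessions;
}
console.log("1 us timer, no jitter:  ", classificationAccuracy(1, 0));
console.log("1 ms timer, 1 ms jitter:", classificationAccuracy(1000, 1000));
```

With the fine-grained timer the two constructed profiles are separated almost perfectly; with the coarse, jittered timer the same number of measurements classifies them at close to chance.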
This research is part of a broader literature on 'side-channel attacks'. In 2018, the Spectre and Meltdown attacks used the speculative-execution features of modern CPU architectures to leak data. The new SSD-based attack follows similar logic but focuses on a different hardware layer. The proliferation of side-channel attacks creates a difficult policy question for hardware manufacturers and browser developers.
Major browsers such as Mozilla Firefox, Google Chrome, Apple Safari and Microsoft Edge continuously update their privacy protections. A response from browser developers is expected after the discovery of the current SSD attack technique; however, protecting against side-channel attacks may require sacrificing hardware performance. This trade-off is described as an important policy decision for browser companies.
For the advertising and data-collection industry, new techniques such as the SSD attack are testing the legal and technical limits of existing business models. Apple's App Tracking Transparency policy, implemented in iOS in 2021, and Google's cookie phase-out strategy in Chrome (Privacy Sandbox) reflect that the industry is under intensifying surveillance pressure. The SSD attack is new technical evidence reinforcing that pressure.
For users, direct protective measures are limited. Suggested approaches include using a VPN, adding timing noise via browser extensions, and using specialised research tools. However, these measures are not accessible to ordinary users; the renewal of privacy laws and the strengthening of default browser protections continue to be the main source of protection for individuals.
From a regulatory standpoint, the EU's Data Protection Authorities (DPAs) have begun to assess similar device-fingerprinting techniques under the ePrivacy Directive. The legal classification of the SSD attack may require it to be treated under existing privacy law as 'a tracking technique requiring the user's explicit consent'. This will affect the operational compliance costs of websites.
This article does not constitute advice for cybersecurity practices; technical details are based on Ars Technica's reporting and on the published documents of academic researchers. For privacy-conscious users, decisions about personal data protection should be made in consultation with cybersecurity or privacy specialists.