New SSD Tracking Technique Lets Websites Monitor You Without Cookies

What FROST Is and Why SSD Tracking Matters

FROST is an SSD tracking technique that uses subtle timing differences in a computer’s solid-state drive activity, measured through JavaScript in the browser, to infer what other websites or applications are doing on the same machine without relying on cookies or direct file access. Instead of collecting obvious identifiers, FROST turns the SSD into a side-channel sensor. When multiple programs compete for the SSD, they create contention—tiny delays in read and write operations. Attack code running on a malicious page writes to an Origin Private File System (OPFS) file and measures how long operations take, building a behavioral fingerprint of what else is running. This makes FROST a new browser privacy threat because it observes hardware-level patterns that typical tracking protections were never designed to hide or control.

How FROST Exploits OPFS and SSD Timing

FROST depends on a modern browser feature: the Origin Private File System. OPFS lets each website store data in a sandboxed area on the local SSD. In normal use, this enables offline documents, media editing, and web apps. In an attack, the page repeatedly accesses a large OPFS file and records how long each operation takes. These timings change when other tabs, background apps, or system tasks hit the same SSD, creating a distinctive pattern. Previous SSD-based side-channel attacks needed malware or native software on the device. FROST moves the entire attack into JavaScript. A user only has to load a booby-trapped page; no extensions, elevated permissions, or downloads are required. According to Help Net Security, this is the first demonstrated attack that uses OPFS to leak information from a victim’s system through browser-based code.

Why Traditional Tracking Defenses Fail Against FROST

Conventional website tracking methods depend on cookies, third-party scripts, and browser fingerprinting. Users can fight those with blockers, private mode, and stricter cookie settings. FROST sidesteps these defenses because it does not need identifiers or network beacons; it profiles the SSD itself. Browser privacy tools rarely interfere with OPFS storage or low-level timing functions, so the attack runs inside the normal sandbox and appears as legitimate local file access. From the browser’s perspective, a site is just reading and writing its own private data. Because the technique infers behavior from performance characteristics, not content, it does not break sandbox boundaries or read actual files. This makes FROST difficult to classify as a classic security vulnerability, even though the privacy impact is serious and current anti-tracking protections may not detect or block it.

What Websites Can Infer From SSD Activity Patterns

By correlating SSD contention patterns with known workloads, a malicious site can build a map of your digital activity. Repeated measurements of OPFS timing can reveal when other browser tabs load pages, when desktop applications save data, or when background processes become busy. Over time, these changes form fingerprints for specific websites and apps, even though the attacker never sees their network traffic or contents. The research shows that the same mechanism can also act as a covert communication channel between processes sharing the SSD, turning the drive into a silent signaling medium. While FROST does not provide direct access to your documents, it does expose sensitive behavioral metadata: which services you use, how often you use them, and when you are active—information that can enable profiling and cross-site tracking without cookies.

Practical Limitations, Emerging Mitigations, and User Defenses

FROST has constraints, but none are enough to ignore the risk. Long-running measurements need a large OPFS file, which can consume noticeable disk space; a careful user might spot unexplained storage growth tied to a specific site. The attack also works best when the targeted activity uses the same SSD as the browser, so setups with separate drives may blunt app fingerprinting. Researchers suggest several mitigations: restricting how much data OPFS can store, lowering the precision of timing APIs, and warning users when sites reserve unusual amounts of local storage. Browser vendors have responded unevenly—Chromium does not treat fingerprinting as a security bug, while others have only acknowledged the issue so far. For now, users can reduce risk by clearing site storage regularly, limiting long-lived tabs from unknown sites, and monitoring disk usage for suspicious browser-related growth.
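
The effect of the timer-precision mitigation mentioned above, as an added example that is not from the article or the FROST research: a model of how a coarser clock blurs single timing readings. The latency values, threshold, and function names are constructed for illustration.

```javascript
// Constructed per-operation latencies in ms (illustrative, not measured).
const IDLE = [0.20, 0.21, 0.19, 0.20, 0.22, 0.20, 0.21, 0.19];
const BUSY = [0.27, 0.26, 0.28, 0.27, 0.25, 0.27, 0.26, 0.28];
const THRESHOLD_MS = 0.235; // midpoint between the two constructed means

// Deterministic PRNG so every run gives the same result.
function lcg(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s / 2 ** 32;
  };
}

// Duration a page would compute if its clock only ticks every `resolutionMs`.
// `phase` (0..1) is where inside a tick the operation happened to start.
function observedMs(trueMs, resolutionMs, phase) {
  const start = phase * resolutionMs;
  const clamp = (t) => Math.floor(t / resolutionMs) * resolutionMs;
  return clamp(start + trueMs) - clamp(start);
}

// Share of single readings that a threshold rule labels correctly.
function singleReadingAccuracy(resolutionMs, rounds = 500, seed = 1) {
  const rand = lcg(seed);
  let correct = 0;
  let total = 0;
  for (let r = 0; r < rounds; r++) {
    for (const [samples, isBusy] of [[IDLE, false], [BUSY, true]]) {
      for (const ms of samples) {
        const seen = observedMs(ms, resolutionMs, rand());
        if ((seen > THRESHOLD_MS) === isBusy) correct++;
        total++;
      }
    }
  }
  return correct / total;
}

for (const res of [0.005, 0.1, 1]) {
  console.log(`${res} ms clock -> ${singleReadingAccuracy(res).toFixed(2)}`);
}
```

The model covers single readings only, so it shows the effect of coarsening on per-operation timing, not a complete defense.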
