The FROST attack: how SSD access delays expose users’ activity
The FROST attack is a side-channel vulnerability that exploits SSD access timing delays to remotely track user activity through a web browser. By leveraging the origin private file system (OPFS) feature, a malicious website can monitor SSD latency patterns to infer which applications are launched and which websites are visited, even across different browsers. This attack does not require malware installation and works despite standard browser sandboxing. However, it is slow, noisy, and requires continuous monitoring with large OPFS file usage, which is likely to be detected by security solutions. The attack is mainly practical for highly targeted surveillance rather than broad exploitation.
AI Analysis
Technical Summary
FROST (Fingerprinting Remotely using OPFS-based SSD Timing) is a side-channel attack discovered by Austrian researchers that uses SSD access delays to fingerprint user activity. It exploits the origin private file system (OPFS), a legitimate browser feature that stores data on the SSD, to measure microscopic delays caused by contention for SSD bandwidth. By continuously bombarding the SSD with data requests from a malicious webpage, attackers can detect distinct latency patterns corresponding to specific websites and locally running applications. Using AI to analyze these patterns, the attack achieves up to 96% accuracy in identifying app launches and 89% accuracy for website visits, even in different browsers. The attack does not require breaking browser sandboxing or installing malware, but it depends on forcing large OPFS file usage, which is likely to trigger detection by endpoint security tools. Due to its complexity and resource demands, FROST is mainly a concern for highly targeted espionage rather than widespread attacks.
Potential Impact
The FROST attack can leak information about user activity, including which applications are launched and which websites are visited, by remotely monitoring SSD access delays via a malicious webpage. This information leak can compromise user privacy and enable profiling without installing malware. However, the attack does not directly expose sensitive data or credentials. Its practical impact is limited by the need for sustained monitoring, large OPFS file usage, and the likelihood of detection by endpoint detection and response (EDR) or extended detection and response (XDR) solutions. It is primarily a privacy risk relevant to high-value targeted surveillance.
Mitigation Recommendations
No official patch or vendor advisory is currently available for the FROST attack. Since the attack relies on the origin private file system (OPFS) feature in browsers, users and administrators should monitor for anomalously high OPFS storage usage by websites, which may indicate exploitation attempts. Endpoint detection and response (EDR) and extended detection and response (XDR) solutions are likely to flag the aggressive SSD usage patterns required by this attack. Users should avoid visiting untrusted or suspicious websites. Browser vendors and SSD manufacturers may need to consider mitigations in future updates to limit timing side channels via OPFS or SSD access patterns. Patch status is not yet confirmed; check vendor advisories for updates.
Technical Details
- Article Source: https://www.kaspersky.com/blog/frost-fingerprinting-attack/55970/ (fetched 2026-06-11T15:52:55.790Z; word count 2184)
Threat ID: 6a2ad9ec815e7002b802cd7d
Added to database: 6/11/2026, 3:53:16 PM
Last enriched: 6/11/2026, 3:53:24 PM
Last updated: 6/11/2026, 3:53:36 PM