Researchers just detailed a technique called FROST that lets any website spy on your hard drive activity using nothing but JavaScript. No downloads, no permissions, just regular browser code that can detect what your SSD is doing in real time.
The attack works by measuring tiny timing variations in how your solid-state drive responds to requests. When your drive is busy with other tasks, like opening an app or saving a file, those delays become detectable patterns that JavaScript can pick up and analyze.
This matters because it breaks a fundamental assumption about browser security. We expect websites to be sandboxed from our local system activity. FROST shows that hardware behavior can leak through that sandbox in ways that are surprisingly easy to exploit.
For anyone running AI tools locally, this is particularly relevant. Training models, processing large datasets, or running inference all create distinctive SSD activity patterns. A malicious site could theoretically detect what AI software you're using or when you're working with sensitive data.
The technique doesn't let attackers read your files directly, but it gives them a side channel to infer what you're doing on your computer while their site is open. That's enough to build profiles, time attacks, or gather intelligence about your workflow.
Browser makers will likely need to add noise or rate limiting to the APIs that make this possible. Until then, the usual advice applies: be mindful of what sites you keep open while doing sensitive work, and consider using separate browser profiles for different tasks.
Ready to apply this tech at your business?
Viking Net helps teams in San Antonio and worldwide stay ahead.