A team of researchers from Georgia Tech, the University of Michigan, and Ruhr University Bochum has developed a novel attack known as “Hot Pixels” that can retrieve pixel information from a target’s browser and infer their navigation history.
This attack takes advantage of data-dependent computation times on modern system-on-a-chip (SoCs) and graphics processing units (GPUs) to extract information from visited web pages, even when side-channel countermeasures are enabled. The researchers found that distinct behavior patterns exhibited by processors, such as power consumption and heat dissipation, can be easily detected through internal sensor measurements, allowing for accurate determination of viewed content with an accuracy rate as high as 94%.
The study specifically focused on analyzing frequency, power, and temperature measurements on various modern devices to map CPU behavior. Passively cooled processors were found to leak information through power and frequency, while actively cooled chips leaked data through temperature and power readings. The researchers conducted experiments using different devices, including Apple M1 chips, Cortex-X1 Arm cores, and Qualcomm Snapdragon 8 Gen 1, and correlated their workloads with distinguishable frequency and power consumption metrics.
They also investigated data-dependent leakage channels on discrete and integrated GPUs, such as Apple’s M1 and M2, AMD Radeon RX 6600, Nvidia GeForce RTX 3060, and Intel Iris Xe.
The “Hot Pixels” attack was tested on the default configurations of Chrome 108 and Safari 16.2, the latest versions available at the time of the study. By constraining the power and temperature of the CPUs, the attack could leak data about the color of pixels displayed on the target’s screen through the processor’s frequency.
This attack mechanism utilized SVG filters to induce data-dependent execution on the target’s CPU or GPU, and JavaScript was used to measure computation time and frequency to infer the pixel color. The researchers employed an iframe element in an attacker-controlled page to steal pixels from an unaffiliated target site, using an SVG filter to compute the iframe’s contents and measure the rendering times.
Although Safari was not vulnerable to the same attack that leaked sensitive data, the researchers discovered a sub-type of the Hot Pixels attack that could compromise user privacy by sniffing their browsing history. By placing links to sensitive pages on an attacker-controlled site and using the SVG filtering technique, the color of hyperlinks could be inferred.
The researchers found that visited sites had different hyperlink colors than those the target had not visited, enabling them to apply the basic Hot Pixels principles to infer the target’s browsing history. The accuracy of the data stolen in this attack reached 99.3% on iPhone 13, with a recovery time of 183 seconds per 50 hyperlinks.
The researchers disclosed their findings to Apple, Nvidia, AMD, Qualcomm, Intel, and Google in March, and all vendors acknowledged the issues and are actively working to mitigate them.
Proposed solutions include restricting the use of SVG filters on iframes in the HTML standard, implementing cookie isolation mechanisms like those found in Safari to prevent loading cookies on orphan iframes, and restricting unauthorized access to sensors that provide thermal, power, and frequency readings at the operating system level.