Hot Pixels Attack

Hot Pixels Attack: Revealing Browser History Through Processor Exploitation

Hot Pixels Attack – Researchers from Georgia Tech, the University of Michigan, and Ruhr University Bochum have developed a unique attack known as “Hot Pixels.”

This attack exploits the behavior of modern processors (SoCs and GPUs) to retrieve pixels from a target’s browser and infer their browsing history.

Even with the latest side-channel countermeasures enabled, the attack has proven successful on popular browsers such as Chrome and Safari.

Vulnerable Behaviour Of Modern Processors

Modern processors face challenges in balancing power consumption and heat dissipation while maintaining high execution speeds.

By analyzing frequency, power, and temperature measurements, the researchers discovered that passively cooled processors leak information through power and frequency, while actively cooled chips leak data through temperature and power readings.

Experimented Devices

The “Hot Pixels” attack was tested on the latest versions of Chrome and Safari with side-channel countermeasures enabled.

To test their findings, the researchers mapped the behavior of different processors, including Apple’s M1 chips, Cortex-X1 Arm cores, and Qualcomm Snapdragon 8 Gen 1.

They also investigated data-dependent leakage channels on GPUs such as Apple’s M1 and M2, AMD Radeon RX 6600, Nvidia GeForce RTX 3060, and Intel Iris Xe.

Notably, the AMD Radeon RX 6600 was found to be the most vulnerable device.

Hot Pixels Attack Mechanism

The attack mechanism relied on SVG filters to induce data-dependent execution on the target’s CPU or GPU.

By measuring computation time and frequency using JavaScript, the attack could infer the color of pixels displayed on the target’s screen.

The researchers observed an accuracy ranging from 60% to 94% in their measurements, with the time required for deciphering each pixel ranging from 8.1 to 22.4 seconds.

Pixel retrieval results (Source: arxiv.org)

In simple terms, researchers were able to determine what was shown on the target’s device with up to 94% accuracy.

Compromising The Browsing History On Safari

The researchers found that Safari was not compromised by the previous technique, but a sub-type of the Hot Pixels attack did compromise the browsing history on Safari.

By placing links to sensitive pages on an attacker-controlled site and using SVG filtering techniques, the attacker could infer the color of visited hyperlinks, thus revealing the target’s browsing history.

Browsing history retrieval results (Source: arxiv.org)

Proposed Mitigations

To address the reported problems, vendors and stakeholders are already engaged in discussions to find solutions.

One proposed solution involves restricting the use of SVG filters on iframes within the HTML standard.

The Chrome team is also working on implementing the cookie isolation mechanism present in Safari, which prevents loading cookies on orphan iframes.

Furthermore, there are proposals to limit unauthorized access to sensors that provide thermal, power, and frequency readings at the operating system level.
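
One way to audit the operating-system side of that last proposal on a Linux host, as an added example that is not from the researchers or the original article: it lists thermal, power and frequency sensor files that any local user can read. The Linux sysfs paths and the function name are assumptions for illustration; other operating systems expose these readings through different interfaces.

```shell
#!/bin/sh
# Added example (not from the article): report sensor files whose mode grants
# read access to "other" users, i.e. readings available without privileges.
# Usage after sourcing:  world_readable_sensors          # audits /sys
#                        world_readable_sensors /mnt/sys # audits another root

# world_readable_sensors [ROOT]
# Prints one path per line for each matching sensor file under ROOT
# (default /sys) that has the other-read permission bit set.
world_readable_sensors() {
    root=${1:-/sys}
    # Patterns are relative to ROOT and are assumed Linux sysfs locations
    # for temperature, power/energy and CPU frequency readings.
    while IFS= read -r pattern; do
        # $pattern is left unquoted on purpose so the shell expands the glob.
        for f in "$root"/$pattern; do
            [ -f "$f" ] || continue   # unmatched glob or not a regular file
            # find -perm -o=r matches only when the other-read bit is set;
            # this checks the mode, so it gives the same answer when run as root.
            if [ -n "$(find -L "$f" -perm -o=r 2>/dev/null)" ]; then
                printf '%s\n' "$f"
            fi
        done
    done <<'EOF'
class/thermal/thermal_zone*/temp
class/hwmon/hwmon*/temp*_input
class/hwmon/hwmon*/power*_input
class/powercap/*/energy_uj
devices/system/cpu/cpu*/cpufreq/scaling_cur_freq
EOF
}

# count_world_readable_sensors [ROOT]
# Prints how many sensor files are exposed; 0 means none matched or all
# matching files are restricted.
count_world_readable_sensors() {
    world_readable_sensors "$1" | wc -l | tr -d ' '
}
```

Any path the function prints is a reading an unprivileged local process can sample; tightening it is a matter of file mode or access policy on that interface.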
