An innovative cyberattack technique known as "Hot Pixel," which targets the complex interactions between graphic processing units (GPUs), contemporary system-on-a-chip (SoC), and browser data, has been discovered through a historic partnership between the University of Michigan, Ruhr University Bochum, and Georgia Tech.
The "Hot Pixel" attack varies from conventional security flaws, as it bypasses modern side-channel defences by taking advantage of data-dependent computation cycles in GPUs and SoCs to steal information from Chrome and Safari browsers.
The inherent difficulties that contemporary processors have in managing power consumption and heat dissipation, especially at high execution rates, served as the foundation for the researchers' finding. This disproportion generates a distinct digital fingerprint that can be recognised and examined.
By removing pixels from the content being displayed in the target's browser, the "Hot Pixel" attack takes advantage of these peculiarities to deduce a device's navigation history. The attackers were able to quickly determine the data being processed by observing how the processor behaved differently under various browsing circumstances.
“The rendered image of a webpage may contain private information that should be isolated from scripts running on the page,” the research paper reads. “Examples include embeddings of cross-domain content through the use of iframe elements, and the rendering of hyperlinks, which indicates whether they have been visited.”
In the Chrome and Safari web browsers, researchers ran several CPU and GPU tests. They were able to steal data based on pixels from Chrome with an accuracy range of 60% to 94%, and it took them between 8.1 and 22.4 seconds to decode each pixel.
Sending cookies to iframe elements is prohibited by Safari's anti-pixel-stealing policy if their origin is different from the parent page of the attacker. However, the researchers found that by burying URLs to sensitive sites on their site, attackers can still exfiltrate the victim's browsing history.
Attackers might simply ascertain whether their victim had previously visited a particular address because links are presented differently if they have been previously viewed.
The researchers suggest the following measures to stop attacks similar to Hot Pixel:
- Minimise devices that are thermally restricted
- Enforce hardware constraints by keeping systems' temperatures within acceptable ranges
- Remove secrets from iframes' visible content by separating cookies from cross-origin iframes
- Get rid of unauthorised access to sensor readings (OS-level mitigation)
