Researchers develop "Hot Pixel" malware using sensor and browser data

[vtqhtr413]

Content source

https://www.bleepingcomputer.com/news/security/hot-pixels-attack-checks-cpu-temp-power-changes-to-steal-data/

A team of researchers at Georgia Tech, the University of Michigan, and Ruhr University Bochum have developed a novel attack called "Hot Pixels," which can retrieve pixels from the content displayed in the target's browser and infer the navigation history. The attack exploits data-dependent computation times on modern system-on-a-chip (SoCs) and graphics processing units (GPUs) and applies them to stealthily extract information from visited web pages on Chrome and Safari, even if with the latest side-channel countermeasures enabled.

The researchers found that modern processors struggle to balance power consumption requirements and heat dissipation limitations with high execution speeds. This leads to distinct behavior patterns that point to specific instructions and operations. These patterns are easily detectable through internal sensor measurements that are often accessible through software and, depending on the device type, can help discern what is viewed on the target device with an accuracy as high as 94%.By analyzing frequency, power, and temperature measurements on modern devices, the researchers concluded that passively cooled processors could leak information via power and frequency, while actively cooled chips leak data through temperature and power readings.

 

[Andy Ful]

From the original article ( https://arxiv.org/pdf/2305.12784.pdf ):

Next, as access to internal frequency, power, and temperature sensors remains open to unprivileged users in most platforms, we can exploit these for mounting website fingerprinting attacks using native code running on the target device.

So, the attack would require the following:

1. Installing the malware in the system.
2. Installing (by malware) special software to monitor and collect the data from internal frequency, power, and temperature sensors.

Nowadays, in popular attacks, point 2 is replaced by the installation of malware that can collect screenshots, or injects the code into the web browser's processes, etc.
The method described in the article does not need such techniques (0 interaction with web browser content).

Software-based Mitigations. One mitigation for pixelstealing attacks is to isolate cookies from cross-origin iframes, enforcing all content displayed in iframes not to contain secrets. Such mitigation is already deployed in Safari [70], and is currently under consideration by Chrome developers. More systematically, although it requires a specification change to the HTML standard, prohibiting SVG filters from being applied to iframes or hyperlinks would mitigate both pixel stealing and history sniffing attacks. Finally, our website fingerprinting attack can be mitigated by OS vendors removing unprivileged access to sensor readings.

 

[HarborFront]

Would disabling the sensors in the browser helps?

 

[Andy Ful]

Would disabling the sensors in the browser helps?

Anything that can significantly disturb the normal data related to frequency, power, and temperature sensors, will make this attack unusable. But, the authors did not test the attack on custom configurations. So, we do not know which custom settings can help to prevent this attack.

 

[HarborFront]

Anything that can significantly disturb the normal data related to frequency, power, and temperature sensors, will make this attack unusable. But, the authors did not test the attack on custom configurations. So, we do not know which custom settings can help to prevent this attack.

You can disable sensor setting in the browser. But not sure what sensors it covered.

 

[Andy Ful]

You can disable sensor setting in the browser. But not sure what sensors it covered.

In Edge, the frequency, power, and temperature sensors cannot be changed. This is probably true for most web browsers. But there are some devices that can monitor sensors, communicate via LAN, and being read via web browsers. Anyway, this is not the same scenario as in the OP.