Posted on 01/31/2022 11:33:39 AM PST by ShadowAce
Telling a website to stick its cookies someplace else might not be enough to keep it from tracking you across the web—there are other identifiers that can help narrow down who you are and what you're doing as you travel the silicon superhighway. These techniques rely on tracking the exact configuration of hardware you're running inside your PC, though researchers suggest this form of hardware tracking could be done with even greater accuracy through something known as GPU fingerprinting.
Outlined in a research paper [PDF warning] from co-first authors Tomer Laor of Ben-Gurion University and Naif Mehanna from University Lille, CNRS, and their respective teams (via Bleeping Computer), the technique nicknamed DrawnApart takes advantage of minor differences in a user's GPU behavior to uniquely identify them across the web.
That could lead to persistent tracking by, what the researchers call, "less scrupulous websites" that potentially jeopardises existing privacy protections on the web, such as cookie consent.
The DrawnApart technique works by not only noting the GPU and other hardware in use by a PC, but actually honing in on a given GPU's specific characteristics. In the researchers' own words, "we harness the statistical speed variations of individual EUs in the GPU to uniquely identify a complete system."
To do that, the researchers use WebGL to target the GPU's shaders with a sequence of drawing operations that are designed to be sensitive to differences across individual EUs. The resulting vector, called a trace, contains a sequence of timing measurements that the team have generated.
The differences in the resulting trace information is then able to identify, or fingerprint, different GPUs, even if they're the same make and model.
You can even watch a video of the researchers swapping the CPU of its test machines and the algorithm's tracking accurately maintaining which is which based on integrated graphics alone.
The researchers say they're able to do this with high accuracy: noting a 67% improvement when used in conjunction with existing fingerprinting algorithms, in a test of over 2,500 unique devices and 371,000 fingerprints. That's an improvement in successfully tracking a user from 18 days with the existing FP-STALKER fingerprinting algorithm to 30 days when using the DrawnApart algorithm with it.
"This is a substantial improvement to stateless tracking, obtained through the use of our new fingerprinting method, without making any changes to the permission model or runtime assumptions of the browser fingerprinting adversary," the researchers say. "We believe it raises practical concerns about the privacy of users being subjected to fingerprinting."
Thus DrawnApart could be used to circumvent cookie legislation and protections for user privacy online. That's not lost on the researchers, either, who clearly from the paper believe online privacy is a fundamental right, and who outline how to combat a potential tracking algorithm based on its findings.
Firstly, the technique relies on WebGL to operate, meaning you could simply disable WebGL (or the JavaScript support it requires) to mitigate tracking via this technique. As the researchers note, though, this isn't a great option: "Disabling WebGL, however, would have a non-negligible usability cost, especially considering that many major websites rely on it, including Google Maps, Microsoft Office Online, Amazon and IKEA."
Essentially, you're going to lose access to a lot of websites used by millions of people daily if you disable WebGL outright. Though it is an option.
The researchers also note that the Tor browser runs WebGL in a "minimum compatibility mode", which does prevent access to the ANGLE_instanced_arrays API used by DrawnApart.
Another option to counter DrawnApart, or techniques like it, could be to use a blocking script that prevents access to at-risk resources. Though the researchers don't find these lists to be sufficient in maintaining privacy in all regards.
Then there's the option of altering the values required to track a user, to sort of create a fuzziness in the results that lowers the accuracy of any tracking. That could work, the researchers note, though existing countermeasures to this end from another study by Wu et al. wouldn't be sufficient.
There are options there to mitigate the threat from DrawnApart, but none better than what the researchers outline in the following section: preventing parallel execution, preventing deterministic dispatching, and preventing time measurements.
All three of these combined would do away with DrawnApart's potential threat to online privacy, though it would be in the hands of WebGL and even browser developers to implement each of them in such a way to make them practical and effective. That first bit is important, too, as the researchers note that preventing time measures, for example, is a "futile" task online.
There are also some limitations that should be noted. Mainly that variation in GPU voltage could alter the results, though this wasn't tested.
Yet DrawnApart, and fingerprinting techniques like it, is still a frightful concept to champions of privacy and your average web user alike. Privacy is not to be trifled with, yet the very hardware we're accessing the web with can be used against us to keep track of where we're going and what we're doing. Clearly it's an ongoing battle to keep ahead of the curve with efficient mitigations for privacy-abating techniques such as this, and as researchers point out the holes in the digital battlements, developers rush out to patch them.
"Our fingerprinting technique can tell apart devices that are completely indistinguishable by current state-of-the-art methods, while remaining robust to changing environmental conditions. Our technique works well both on PCs and mobile devices, has a practical offline and online runtime, and does not require access to any extra sensors such as the microphone, camera, or gyroscope," the researchers conclude.
As ever, my advice is to make sure to keep your PC up-to-date. Though if you're majorly worried about tracking across the web, perhaps you might want to consider more drastic measures in this instance, such as doing away with WebGL altogether. Though that could be quite a sacrifice.
In the long-run, more permanent and less intrusive techniques to prevent such tracking could be put in place. The Khronos Group responsible for the WebGL specification has setup a technical study group to discuss the disclosure with browser vendors, while Intel, Arm, Google, Mozilla, and Brave were all shared in on the paper back in 2020.
Sounds like nonsense to me.
I'm hoping they'll actually fix it.
Can’t they just use the MAC id? Anyone who is really concerned can monkey with the settings a touch regularly (resolution, color depth, gaming fps, dedicated memory). One easy way to deal with both is to create a VM and work from the VM.
Doesn’t each processor chip (the CPU hardware) have a unique serial number. Couldn’t that be embedded in various outgoing messages?
I’d say don’t use a computer or phone if you are really concerned about being snooped on. Maybe not mail either. Try to communicate with a wink of the eye.
“One easy way to deal with both is to create a VM and work from the VM.”
VMs are the way to go. On my next computer I want to go with Qubes OS.
and , I don’t care
Tracking my PC won’t do much good. It just sits in my home office, day after day. I don’t even carry my cell phone “religiously”...just when I think I might actually need it.
MAC ids on network and motherboard interfaces are often in EEPROM and capable of override for spoofing purposes. Some vendors use a MAC ID as a license key. That was viable when the manufacturer generated an immutable key for the network interface. That's not the case anymore.
Finding ways to track your activity will be a perpetual cloak and dagger effort. New ones will crop up soon after you've nailed the ones you discovered.
Same with my PC, sits at home and I don’t even own a cell phone.
“Finding ways to track your activity will be a perpetual cloak and dagger effort.”
I think you’re correct. You know more about what’s going on inside those boxes than I do.
My company’s IT department is all the time fiddling with security software and training.
Begs the question of which GPU’s are compromised and how far back. I ask this as I have access to many older GPU’S as well as older rigs starting with the XT.
and if you use a VPN?
MAC IDs can be spoofed.
Privacy & Internet Security are a myth in the 21st Century.
No, it does makes sense: your GPU can run custom code - just like the bitcoin miners use. The timing for different sections can be measured down to the microsecond. If there are consistent timing differences for different sections in the GPU, it’s like a fingerprint.
And if that wasn’t enough, combine that with your CPU+GPU model information, your amount of installed RAM, any peripherals, language, general location and anything else that the browser will provide, it is probably enough to uniquely identify your computer amongst millions.
The fact that you are using such an old GPU will stick out like a sore thumb: your computer will be unlike almost anything else out there. It would be like painting your car psychedelic purple and pink: when they see that, it will uniquely identify YOU. (No one else has a rig like it.)
It’s not a security compromise, it’s a technique to uniquely identify your computer from millions of others on the Internet.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.