Posted on 01/31/2022 11:33:39 AM PST by ShadowAce
Telling a website to stick its cookies someplace else might not be enough to keep it from tracking you across the web—there are other identifiers that can help narrow down who you are and what you're doing as you travel the silicon superhighway. These techniques rely on tracking the exact configuration of hardware you're running inside your PC, though researchers suggest this form of hardware tracking could be done with even greater accuracy through something known as GPU fingerprinting.
Outlined in a research paper [PDF warning] from co-first authors Tomer Laor of Ben-Gurion University and Naif Mehanna from University Lille, CNRS, and their respective teams (via Bleeping Computer), the technique nicknamed DrawnApart takes advantage of minor differences in a user's GPU behavior to uniquely identify them across the web.
That could lead to persistent tracking by, what the researchers call, "less scrupulous websites" that potentially jeopardises existing privacy protections on the web, such as cookie consent.
The DrawnApart technique works by not only noting the GPU and other hardware in use by a PC, but actually honing in on a given GPU's specific characteristics. In the researchers' own words, "we harness the statistical speed variations of individual EUs in the GPU to uniquely identify a complete system."
To do that, the researchers use WebGL to target the GPU's shaders with a sequence of drawing operations that are designed to be sensitive to differences across individual EUs. The resulting vector, called a trace, contains a sequence of timing measurements that the team have generated.
The differences in the resulting trace information is then able to identify, or fingerprint, different GPUs, even if they're the same make and model.
You can even watch a video of the researchers swapping the CPU of its test machines and the algorithm's tracking accurately maintaining which is which based on integrated graphics alone.
The researchers say they're able to do this with high accuracy: noting a 67% improvement when used in conjunction with existing fingerprinting algorithms, in a test of over 2,500 unique devices and 371,000 fingerprints. That's an improvement in successfully tracking a user from 18 days with the existing FP-STALKER fingerprinting algorithm to 30 days when using the DrawnApart algorithm with it.
"This is a substantial improvement to stateless tracking, obtained through the use of our new fingerprinting method, without making any changes to the permission model or runtime assumptions of the browser fingerprinting adversary," the researchers say. "We believe it raises practical concerns about the privacy of users being subjected to fingerprinting."
Thus DrawnApart could be used to circumvent cookie legislation and protections for user privacy online. That's not lost on the researchers, either, who clearly from the paper believe online privacy is a fundamental right, and who outline how to combat a potential tracking algorithm based on its findings.
Firstly, the technique relies on WebGL to operate, meaning you could simply disable WebGL (or the JavaScript support it requires) to mitigate tracking via this technique. As the researchers note, though, this isn't a great option: "Disabling WebGL, however, would have a non-negligible usability cost, especially considering that many major websites rely on it, including Google Maps, Microsoft Office Online, Amazon and IKEA."
Essentially, you're going to lose access to a lot of websites used by millions of people daily if you disable WebGL outright. Though it is an option.
The researchers also note that the Tor browser runs WebGL in a "minimum compatibility mode", which does prevent access to the ANGLE_instanced_arrays API used by DrawnApart.
Another option to counter DrawnApart, or techniques like it, could be to use a blocking script that prevents access to at-risk resources. Though the researchers don't find these lists to be sufficient in maintaining privacy in all regards.
Then there's the option of altering the values required to track a user, to sort of create a fuzziness in the results that lowers the accuracy of any tracking. That could work, the researchers note, though existing countermeasures to this end from another study by Wu et al. wouldn't be sufficient.
There are options there to mitigate the threat from DrawnApart, but none better than what the researchers outline in the following section: preventing parallel execution, preventing deterministic dispatching, and preventing time measurements.
All three of these combined would do away with DrawnApart's potential threat to online privacy, though it would be in the hands of WebGL and even browser developers to implement each of them in such a way to make them practical and effective. That first bit is important, too, as the researchers note that preventing time measures, for example, is a "futile" task online.
There are also some limitations that should be noted. Mainly that variation in GPU voltage could alter the results, though this wasn't tested.
Yet DrawnApart, and fingerprinting techniques like it, is still a frightful concept to champions of privacy and your average web user alike. Privacy is not to be trifled with, yet the very hardware we're accessing the web with can be used against us to keep track of where we're going and what we're doing. Clearly it's an ongoing battle to keep ahead of the curve with efficient mitigations for privacy-abating techniques such as this, and as researchers point out the holes in the digital battlements, developers rush out to patch them.
"Our fingerprinting technique can tell apart devices that are completely indistinguishable by current state-of-the-art methods, while remaining robust to changing environmental conditions. Our technique works well both on PCs and mobile devices, has a practical offline and online runtime, and does not require access to any extra sensors such as the microphone, camera, or gyroscope," the researchers conclude.
As ever, my advice is to make sure to keep your PC up-to-date. Though if you're majorly worried about tracking across the web, perhaps you might want to consider more drastic measures in this instance, such as doing away with WebGL altogether. Though that could be quite a sacrifice.
In the long-run, more permanent and less intrusive techniques to prevent such tracking could be put in place. The Khronos Group responsible for the WebGL specification has setup a technical study group to discuss the disclosure with browser vendors, while Intel, Arm, Google, Mozilla, and Brave were all shared in on the paper back in 2020.
VPN won’t help at all, unfortunately, because it is something that is independent of your TCP/IP connection.
Imagine if I held a bright Red, Pink & Purple umbrella with distinctive stripes and polka dots. Then I don a mask (like using VPN). People won’t know who’s under the mask, but when they see the umbrella, they’ll know it’s the same person as last time: that’s what advertisers want to know. And they’ll be able to track you (okay, I mean your computer - not you as an individual) across websites unless you disable JavaScript.
Our customer demands security scans of all software that will be delivered for use and a clean bill of health from a security perspective. The tools we use are maintained by a reputable supplier that keeps the scanner up to date with all the published vulnerabilities and adds heuristics to look for additional flaws. Anything flagged must be fixed before delivery.
“The tools we use are maintained by a reputable supplier”
Ah but human accidents and sabotage happen so, well, it’s job security for you guys. Multiple cats chasing multiple mice, huh?
What percentage of security breaches begin with human error?
“Another option to counter DrawnApart, or techniques like it, could be to use a blocking script that prevents access to at-risk resources.”
I keep sharing it and no one listens. “ NoScript “ just works and blocks everything by default yet lets you selectively turn on only the bare minimum to make a page work.
I’ve been using NoScript for years now. While it may be somewhat inconvenient, I’ve gotten used to the way my browser now works with it. It also lets me know which sites to avoid in general.
Yep, absolutely. If I can’t get the basic site script JS that makes the buttons work, or lets me read it using the first option in the list I just move on.
It really opens your eyes to how many hidden 3rd party tracking and fingerprinting scripts there really are on a lot of these sites.
After you use it you learn what is safe to use yet still block the other 25-50 scripts. What I really like is that you can actually block all the Google services on almost all sites without them breaking.
But some are now tying them to together, if you don’t allow the google then nothing will work. As you say, then just move on and find what you want elsewhere that is not pulling this game.
Another fringe benefit positive I have found with NoScript is that it happens to get around a lot of paywalls because the cover page or pop up is further down the inline stack and blocked as a separate item in NoScript. :)
If you are identified as a dissident, they will find many ways to track your public utterances of Wrongthink.
Know what else Ace? I like being able to click these items and go use “Blacklight”. It is extremely exposing with what these are actually doing.
I don't have hard numbers, but practical experience deploying website updates that failed was most often attributable to a failure to get some software settings correct on the deployment. At the coding level, failure to check return values, failure to initialize variables before using them, using memory that has been freed, failing to free memory after use, reading/writing off the end of an array, returning a reference to a local variable. Little stuff. The class of tools emulating the early "lint" for C is helpful for finding problems in source code. At runtime, tools like purify or valgrind expose memory misuse, but only if the code is executed. Code coverage analyzers track lines of code actually executed so your test cases can be improved to run all of the code and help purify or valgrind report a problem. When it's all "done", source code analysis with tools such as fortify driven with known defect databases look for the odd stuff.
Modern software depends on a lot of reuse of other people's work. A defect widely shared gets reported as a Common Vulnerability Enumeration (CVE) with a description of how to replicate the defect, how to exploit it and what release of the commonly shared library has been posted with a fix for the problem.
Between security and regular development, there is plenty of work in the queue.
If you want privacy get a dog.
;-)
“Modern software depends on a lot of reuse of other people’s work.”
The understatement of the year, but it has to be that way.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.