Tuesday, February 1st 2022

Researchers Exploit GPU Fingerprinting to Track Users Online

Online tracking of users happens when 3rd party services collect information about various people and use that to help identify them in the sea of other online persons. This collection of specific information is often called "fingerprinting," and attackers usually exploit it to gain user information. Today, researchers have announced that they managed to use WebGL (Web Graphics Library) to their advantage and create a unique fingerprint for every GPU out there to track users online. This exploit works because every piece of silicon has its own variations and unique characteristics when manufactured, just like each human has a unique fingerprint. Even among the exact processor models, silicon differences make each product distinct. That is the reason why you can not overclock every processor to the same frequency, and binning exists.

What would happen if someone were to precisely explore the differences in GPUs and use those differences to identify online users by those characteristics? This is exactly what researchers that created DrawnApart thought of. Using WebGL, they run a GPU workload that identifies more than 176 measurements across 16 data collection places. This is done using vertex operations in GLSL (OpenGL Shading Language), where workloads are prevented from random distribution on the network of processing units. DrawnApart can measure and record the time to complete vertex renders, record the exact route that the rendering took, handle stall functions, and much more. This enables the framework to give off unique combinations of data turned into fingerprints of GPUs, which can be exploited online. Below you can see the data trace recording of two GPUs (same models) showing variations.
Khronos Group, creators of WebGL API, has set up a working group to handle this situation and prevent the API from giving off too much information to track users online. If you wish to learn more about this technique, you can read it on ArXiv here.
Source: via Tom's Hardware
Add your own comment

24 Comments on Researchers Exploit GPU Fingerprinting to Track Users Online

#1
zlobby
That's old. Also, laughs in FF.
Posted on Reply
#2
DeathtoGnomes
Why am I not surprised?


Well, I'll tell ya tinhatters, its a secret the NSA has been hiding all this time. :respect:
Posted on Reply
#3
HABO
Yes, this approach is rly old, we've been using it for a while, I mean few years :D.
Posted on Reply
#4
Steevo
So the few, the weak, the paranoid are using tech to spy on the many, the powerful, thd normal?

Where has the pattern revealed itself before? Spying on people out of paranoid delusional worries....... oh, every modern government does it.

More to the point, why do we allow it without beheading those who invade our privacy? No different than someone peeping in our window.
Posted on Reply
#5
Space Lynx
Astronaut
@W1zzard Is this similar to the idea of GPU-Z, when GPU-Z used to be able to determine ASIC quality? Except they take it a step further?
Posted on Reply
#6
W1zzard
CallandorWoT@W1zzard Is this similar to the idea of GPU-Z, when GPU-Z used to be able to determine ASIC quality? Except they take it a step further?
No, ASIC quality was read from a secret field in the GPU. What they are doing is something different
Posted on Reply
#7
Vayra86
SteevoSo the few, the weak, the paranoid are using tech to spy on the many, the powerful, thd normal?

Where has the pattern revealed itself before? Spying on people out of paranoid delusional worries....... oh, every modern government does it.

More to the point, why do we allow it without beheading those who invade our privacy? No different than someone peeping in our window.
The pattern is human. The desire for control is human, and the idea systems can create that control for us is also a human idea.

Its called the utopia of an engineered society.

Why do we allow it? Because we like control, casually forgetting it also applies to ourselves and often not realizing what the end game is.
Posted on Reply
#8
windwhirl
zlobbyAlso, laughs in FF.
Explain.
Vayra86The pattern is human. The desire for control is human, and the idea systems can create that control for us is also a human idea.

Its called the utopia of an engineered society.

Why do we allow it? Because we like control, casually forgetting it also applies to ourselves and often not realizing what the end game is.
I need a "this" reaction.
Posted on Reply
#9
piloponth
Greatest minds of our era working on optimizing ad delivery!
Makes me very sad.
Posted on Reply
#10
zlobby
windwhirlExplain.
Explaining - FF stands for Firefox. Firefox has option to limit WebGL and canvas tracking (fingerprinting). Together with ECH (back then ESNI), DoH, ad and script blockers, and complete site isolation (among others), one can achieve total stealth even from one's own ISP. Add a bit of domain fronting and you can see your FBI agent cry.

These features in FF also make it very secure and very stealthy.
piloponthGreatest minds of our era working on optimizing ad delivery!
Makes me very sad.
You call a bunch of flithy coders 'greatest minds of our era'? There are some true geniuses (not talking about the ones in Apple stores) in the Internet era, who most people haven't even heard of.
Posted on Reply
#11
R0H1T
zlobbyAlso, laughs in FF.
Why? FF is not immune.
zlobbyThese features in FF also make it very secure and very stealthy.
That's not totally stealth, from what I remember you still need an addon. What's your output here ~
browserleaks.com/webgl
Posted on Reply
#13
R0H1T
That won't prevent tracking through other ways like canvas, you really need to "fake" the readout.
browserleaks.com/canvas

Just turning it off is like wearing this.
Posted on Reply
#14
zlobby
R0H1TWhy? FF is not immune.

That's not totally stealth, from what I remember you still need an addon. What's your output here ~
browserleaks.com/webgl
Check FF's 'resist fingerprinting option'.

My FF's are so tuned that they are actually unique in a way that they don't reveal any information whatsoever. Sort of how ultraquiet submarines are detected, i.e. by the silence they produce scaring the marine life away.

Next step is fingerprint obfuscation but I don't have the time to do it myself as tech evolve constantly and I simply don't have the time to code it all myself. That being said, there are some addons for FF.

And if you think FF is bad, please be my guest and use anything you like. :D
Posted on Reply
#15
R0H1T
zlobbyCheck FF's 'resist fingerprinting option'.
What's the output on that page? Are you getting different values?
zlobbyAnd if you think FF is bad,
FF isn't "bad" but it won't protect you outright like some of their addons (nor to the same extent) & the fingerprint option is not turned on by default anyway.
Posted on Reply
#16
windwhirl
R0H1TThat won't prevent tracking through other ways like canvas, you really need to "fake" the readout.
browserleaks.com/canvas

Just turning it off is like wearing this.
Can't say anything in this one. I also have unique fonts in my computer, so it's easily fingerprintable in my case.
Posted on Reply
#17
dozenfury
Before reading the paper I assumed the sample runs would take a long time to run and the slowdown would be noticeable in the wild. But the paper said it only runs for 1.6 seconds in the background, not likely to be something users would ever notice. It also appears to be a lot more accurate than I would have expected. I could see where this method might be attractive for an attacker identifying government/corporate targets where batches of similar hw are purchased together.

Also if 10 University profs with a limited budget can show it's effective, it's a safe bet that the big 3 state intelligence agencies have had it in their toolboxes for a while. Imagining a security agency for China, Russia, or the US running a more advanced version of this at scale on millions of devices is an alarming thought.

So I think this one is good to be aware of and take steps where you can to harden against it. Is it enough of a concern to go a step further and run everything in Torbrowser or a VM sandbox? Eh. To use an analogy, it's a question of how many locks do you put on your front door of your house when the state-level agencies really capable of this (in the wild at scale) can probably climb through an open window.
Posted on Reply
#18
R0H1T
dozenfurybig 3 state intelligence agencies have had it in their toolboxes for a while.
That's a bit too Area 51 for me, Webgl fingerprinting has been a thing for at least the last 3-4 years now. It's hardly a secret, you want real secrets try "cheap" zero day exploits on the dark web.
Posted on Reply
#19
windwhirl
R0H1TThat's a bit too Area 51 for me, Webgl fingerprinting has been a thing for at least the last 3-4 years now. It's hardly a secret, you want real secrets try "cheap" zero day exploits on the dark web.
Or dumbasses opening Office documents from elsewhere... and enabling macros.
Posted on Reply
#20
lexluthermiester
zlobbyExplaining - FF stands for Firefox. Firefox has option to limit WebGL and canvas tracking (fingerprinting).
Actually, WebGL can be disabled altogether, which I do.

If it's not used, it can't spy on you.
Posted on Reply
#21
lemonadesoda
Seems to me that the calculated fingerprint would be very vulnerable to CPU and/or GPU clock/shader tweaking, thermal management, and driver version.

Quick black ops: GPUz could incorporate a randomise clock/shader feature. Every random 1-5minutes adjusting the clock/shaders by -10-+10Hz randomly. Tiny amounts. Totally different fingerprint.

Industry wide solution: GPU manufacturers introduce random nanostutter into drivers. And I do mean nanostutter that would be so small as to not affect performance or benchmarks.
Posted on Reply
#22
windwhirl
windwhirlCan't say anything in this one. I also have unique fonts in my computer, so it's easily fingerprintable in my case.
I just noticed my canvas fingerprint, while unique, it randomizes all the time. So that's one thing out.

Leaves the fonts, though.
Posted on Reply
#23
Selaya
windwhirlI just noticed my canvas fingerprint, while unique, it randomizes all the time. So that's one thing out.

Leaves the fonts, though.
firefox (and derivatives) feature
Posted on Reply
#24
Dr_b_
Good thing no one can actually get a GPU, nothing to worry about here
Posted on Reply
Add your own comment
Dec 21st, 2024 22:49 EST change timezone

New Forum Posts

Popular Reviews

Controversial News Posts