Tuesday, February 1st 2022
Researchers Exploit GPU Fingerprinting to Track Users Online
Online tracking happens when third-party services collect information about people and use it to identify them among the sea of other online users. This collection of identifying information is often called "fingerprinting," and attackers usually exploit it to gain user information. Today, researchers have announced that they managed to use WebGL (Web Graphics Library) to create a unique fingerprint for every GPU out there to track users online. This exploit works because every piece of silicon has its own variations and unique characteristics when manufactured, just like each human has a unique fingerprint. Even among identical processor models, silicon differences make each product distinct. That is the reason why you cannot overclock every processor to the same frequency, and why binning exists.
What would happen if someone were to precisely explore the differences in GPUs and use those differences to identify online users? This is exactly what the researchers who created DrawnApart thought of. Using WebGL, they run a GPU workload that identifies more than 176 measurements across 16 data collection places. This is done using vertex operations in GLSL (OpenGL Shading Language), where workloads are prevented from random distribution on the network of processing units. DrawnApart can measure and record the time to complete vertex renders, record the exact route that the rendering took, handle stall functions, and much more. This enables the framework to give off unique combinations of data turned into fingerprints of GPUs, which can be exploited online. Below you can see the data trace recording of two GPUs (same models) showing variations.
Khronos Group, creators of the WebGL API, has set up a working group to handle this situation and prevent the API from giving off too much information to track users online. If you wish to learn more about this technique, you can read it on ArXiv here.
Source:
via Tom's Hardware
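A toy simulation of the effect described in the article above, added here as an illustration and not code from DrawnApart or the original article: two same-model GPUs with constructed per-unit timing offsets are re-identified by nearest-centroid matching of 16-point timing traces, and the matching is then repeated through a coarsened timer. The offsets, the 1000 µs nominal time, the jitter range and the use of timer coarsening as a mitigation are all assumptions.

```javascript
// Constructed per-unit timing offsets (microseconds) for two GPUs of the same
// model; illustrative values, not measurements from the paper.
const DEVICES = {
  A: [4, -3, 5, -4, 3, -5, 4, -3, 5, -4, 3, -5, 4, -3, 5, -4],
  B: [-4, 3, -3, 4, -5, 3, -4, 5, -3, 4, -5, 3, -4, 5, -3, 4],
};
const BASE_US = 1000; // assumed nominal render time per collection point

// One timing trace: nominal time + device offset + jitter in [-1, 1) us,
// read through a timer with the given resolution (us).
function measureTrace(offsets, resolutionUs) {
  return offsets.map((off) => {
    const t = BASE_US + off + (Math.random() * 2 - 1);
    return Math.round(t / resolutionUs) * resolutionUs;
  });
}

// Per-point mean of several traces: the enrolled "fingerprint" of a device.
function centroid(traces) {
  return traces[0].map((_, i) =>
    traces.reduce((sum, tr) => sum + tr[i], 0) / traces.length);
}

function sqDist(a, b) {
  return a.reduce((sum, v, i) => sum + (v - b[i]) ** 2, 0);
}

// Enroll both devices, then label fresh traces by nearest centroid and
// return the fraction labelled correctly (0.5 is chance for two devices).
function reidentificationAccuracy(resolutionUs, enroll = 20, trials = 20) {
  const model = {};
  for (const [name, offsets] of Object.entries(DEVICES)) {
    model[name] = centroid(
      Array.from({ length: enroll }, () => measureTrace(offsets, resolutionUs)));
  }
  let correct = 0;
  for (const [name, offsets] of Object.entries(DEVICES)) {
    for (let k = 0; k < trials; k++) {
      const trace = measureTrace(offsets, resolutionUs);
      const guess = sqDist(trace, model.A) <= sqDist(trace, model.B) ? "A" : "B";
      if (guess === name) correct++;
    }
  }
  return correct / (2 * trials);
}

console.log("1 us timer:  ", reidentificationAccuracy(1));
console.log("100 us timer:", reidentificationAccuracy(100));
```

With the 1 µs timer every trace is matched to the right device; at 100 µs all traces collapse to the same values and matching falls to chance.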
24 Comments on Researchers Exploit GPU Fingerprinting to Track Users Online
Well, I'll tell ya tinhatters, it's a secret the NSA has been hiding all this time. :respect:
Where has the pattern revealed itself before? Spying on people out of paranoid delusional worries....... oh, every modern government does it.
More to the point, why do we allow it without beheading those who invade our privacy? No different than someone peeping in our window.
It's called the utopia of an engineered society.
Why do we allow it? Because we like control, casually forgetting it also applies to ourselves and often not realizing what the end game is.
Makes me very sad.
These features in FF also make it very secure and very stealthy. You call a bunch of filthy coders 'greatest minds of our era'? There are some true geniuses (not talking about the ones in Apple stores) in the Internet era, who most people haven't even heard of.
browserleaks.com/webgl
However, that's not the default setting, you need to switch WebGL off manually.
There's also a bunch of other tweaks at Mozilla's wiki:
wiki.mozilla.org/Privacy/Privacy_Task_Force/firefox_about_config_privacy_tweeks
browserleaks.com/canvas
Just turning it off is like wearing this.
My FF's are so tuned that they are actually unique in a way that they don't reveal any information whatsoever. Sort of how ultraquiet submarines are detected, i.e. by the silence they produce scaring the marine life away.
Next step is fingerprint obfuscation but I don't have the time to do it myself as tech evolves constantly and I simply don't have the time to code it all myself. That being said, there are some addons for FF.
And if you think FF is bad, please be my guest and use anything you like. :D
Also if 10 University profs with a limited budget can show it's effective, it's a safe bet that the big 3 state intelligence agencies have had it in their toolboxes for a while. Imagining a security agency for China, Russia, or the US running a more advanced version of this at scale on millions of devices is an alarming thought.
So I think this one is good to be aware of and take steps where you can to harden against it. Is it enough of a concern to go a step further and run everything in Torbrowser or a VM sandbox? Eh. To use an analogy, it's a question of how many locks do you put on your front door of your house when the state-level agencies really capable of this (in the wild at scale) can probably climb through an open window.
If it's not used, it can't spy on you.
Quick black ops: GPUz could incorporate a randomise clock/shader feature. Every random 1-5 minutes adjusting the clock/shaders by -10-+10Hz randomly. Tiny amounts. Totally different fingerprint.
Industry wide solution: GPU manufacturers introduce random nanostutter into drivers. And I do mean nanostutter that would be so small as to not affect performance or benchmarks.
Leaves the fonts, though.