Researchers Exploit GPU Fingerprinting to Track Users Online

[AleksandarK]

Online tracking of users happens when 3rd party services collect information about various people and use that to help identify them in the sea of other online persons. This collection of specific information is often called "fingerprinting," and attackers usually exploit it to gain user information. Today, researchers have announced that they managed to use WebGL (Web Graphics Library) to their advantage and create a unique fingerprint for every GPU out there to track users online. This exploit works because every piece of silicon has its own variations and unique characteristics when manufactured, just like each human has a unique fingerprint. Even among the exact processor models, silicon differences make each product distinct. That is the reason why you can not overclock every processor to the same frequency, and binning exists.

What would happen if someone were to precisely explore the differences in GPUs and use those differences to identify online users by those characteristics? This is exactly what researchers that created DrawnApart thought of. Using WebGL, they run a GPU workload that identifies more than 176 measurements across 16 data collection places. This is done using vertex operations in GLSL (OpenGL Shading Language), where workloads are prevented from random distribution on the network of processing units. DrawnApart can measure and record the time to complete vertex renders, record the exact route that the rendering took, handle stall functions, and much more. This enables the framework to give off unique combinations of data turned into fingerprints of GPUs, which can be exploited online. Below you can see the data trace recording of two GPUs (same models) showing variations.



Khronos Group, creators of WebGL API, has set up a working group to handle this situation and prevent the API from giving off too much information to track users online. If you wish to learn more about this technique, you can read it on ArXiv here.

View at TechPowerUp Main Site

 

[zlobby]

That's old. Also, laughs in FF.

 

[DeathtoGnomes]

Why am I not surprised?


Well, I'll tell ya tinhatters, its a secret the NSA has been hiding all this time.

 

[HABO]

Yes, this approach is rly old, we've been using it for a while, I mean few years .

 

[Steevo]

So the few, the weak, the paranoid are using tech to spy on the many, the powerful, thd normal?

Where has the pattern revealed itself before? Spying on people out of paranoid delusional worries....... oh, every modern government does it.

More to the point, why do we allow it without beheading those who invade our privacy? No different than someone peeping in our window.

 

[Space Lynx]

@W1zzard Is this similar to the idea of GPU-Z, when GPU-Z used to be able to determine ASIC quality? Except they take it a step further?

 

[W1zzard]

@W1zzard Is this similar to the idea of GPU-Z, when GPU-Z used to be able to determine ASIC quality? Except they take it a step further?

No, ASIC quality was read from a secret field in the GPU. What they are doing is something different

 

[Vayra86]

So the few, the weak, the paranoid are using tech to spy on the many, the powerful, thd normal?

Where has the pattern revealed itself before? Spying on people out of paranoid delusional worries....... oh, every modern government does it.

More to the point, why do we allow it without beheading those who invade our privacy? No different than someone peeping in our window.

The pattern is human. The desire for control is human, and the idea systems can create that control for us is also a human idea.

Its called the utopia of an engineered society.

Why do we allow it? Because we like control, casually forgetting it also applies to ourselves and often not realizing what the end game is.

 

[windwhirl]

Also, laughs in FF.

Explain.

The pattern is human. The desire for control is human, and the idea systems can create that control for us is also a human idea.

Its called the utopia of an engineered society.

Why do we allow it? Because we like control, casually forgetting it also applies to ourselves and often not realizing what the end game is.

I need a "this" reaction.

 

[piloponth]

Greatest minds of our era working on optimizing ad delivery!
Makes me very sad.

 

[zlobby]

Explain.

Explaining - FF stands for Firefox. Firefox has option to limit WebGL and canvas tracking (fingerprinting). Together with ECH (back then ESNI), DoH, ad and script blockers, and complete site isolation (among others), one can achieve total stealth even from one's own ISP. Add a bit of domain fronting and you can see your FBI agent cry.

These features in FF also make it very secure and very stealthy.

Greatest minds of our era working on optimizing ad delivery!
Makes me very sad.

You call a bunch of flithy coders 'greatest minds of our era'? There are some true geniuses (not talking about the ones in Apple stores) in the Internet era, who most people haven't even heard of.

 

[R0H1T]

Also, laughs in FF.

Why? FF is not immune.

These features in FF also make it very secure and very stealthy.

That's not totally stealth, from what I remember you still need an addon. What's your output here ~

WebGL Browser Report - WebGL Fingerprinting

The WebGL Report is a diagnostic tool to analyze your browser's WebGL support and create a unique WebGL Fingerprint that can potentially identify your web browser. This tool exposes information about your graphics card and other WebGL and GPU capabilities, which can be used to differentiate your...

browserleaks.com

 

[windwhirl]

you still need an addon.

Not really, you can disable it just by going into about:config and setting webgl.disabled to true.

However, that's not the default setting, you need to switch WebGL off manually.

There's also a bunch of other tweaks at Mozilla's wiki:

Privacy/Privacy Task Force/firefox about config privacy tweeks - MozillaWiki

wiki.mozilla.org

 

[R0H1T]

That won't prevent tracking through other ways like canvas, you really need to "fake" the readout.

Canvas Fingerprinting

Canvas fingerprinting is a tracking method that uses HTML5 Canvas code to generate a unique identifier for each individual user. The method is based on the fact that the unique pixels generated through Canvas code can vary depending on the system and browser used, making it possible to identify...

browserleaks.com

Just turning it off is like wearing this.

 

[zlobby]

Why? FF is not immune.

That's not totally stealth, from what I remember you still need an addon. What's your output here ~

WebGL Browser Report - WebGL Fingerprinting

The WebGL Report is a diagnostic tool to analyze your browser's WebGL support and create a unique WebGL Fingerprint that can potentially identify your web browser. This tool exposes information about your graphics card and other WebGL and GPU capabilities, which can be used to differentiate your...

browserleaks.com

Check FF's 'resist fingerprinting option'.

My FF's are so tuned that they are actually unique in a way that they don't reveal any information whatsoever. Sort of how ultraquiet submarines are detected, i.e. by the silence they produce scaring the marine life away.

Next step is fingerprint obfuscation but I don't have the time to do it myself as tech evolve constantly and I simply don't have the time to code it all myself. That being said, there are some addons for FF.

And if you think FF is bad, please be my guest and use anything you like.

 

[R0H1T]

Check FF's 'resist fingerprinting option'.

What's the output on that page? Are you getting different values?

And if you think FF is bad,

FF isn't "bad" but it won't protect you outright like some of their addons (nor to the same extent) & the fingerprint option is not turned on by default anyway.

 

[windwhirl]

That won't prevent tracking through other ways like canvas, you really need to "fake" the readout.

Canvas Fingerprinting

Canvas fingerprinting is a tracking method that uses HTML5 Canvas code to generate a unique identifier for each individual user. The method is based on the fact that the unique pixels generated through Canvas code can vary depending on the system and browser used, making it possible to identify...

browserleaks.com

Just turning it off is like wearing this.

Can't say anything in this one. I also have unique fonts in my computer, so it's easily fingerprintable in my case.

 

[dozenfury]

Before reading the paper I assumed the sample runs would take a long time to run and the slowdown would be noticeable in the wild. But the paper said it only runs for 1.6 seconds in the background, not likely to be something users would ever notice. It also appears to be a lot more accurate than I would have expected. I could see where this method might be attractive for an attacker identifying government/corporate targets where batches of similar hw are purchased together.

Also if 10 University profs with a limited budget can show it's effective, it's a safe bet that the big 3 state intelligence agencies have had it in their toolboxes for a while. Imagining a security agency for China, Russia, or the US running a more advanced version of this at scale on millions of devices is an alarming thought.

So I think this one is good to be aware of and take steps where you can to harden against it. Is it enough of a concern to go a step further and run everything in Torbrowser or a VM sandbox? Eh. To use an analogy, it's a question of how many locks do you put on your front door of your house when the state-level agencies really capable of this (in the wild at scale) can probably climb through an open window.

 

[R0H1T]

big 3 state intelligence agencies have had it in their toolboxes for a while.

That's a bit too Area 51 for me, Webgl fingerprinting has been a thing for at least the last 3-4 years now. It's hardly a secret, you want real secrets try "cheap" zero day exploits on the dark web.

 

[windwhirl]

That's a bit too Area 51 for me, Webgl fingerprinting has been a thing for at least the last 3-4 years now. It's hardly a secret, you want real secrets try "cheap" zero day exploits on the dark web.

Or dumbasses opening Office documents from elsewhere... and enabling macros.

 

[lexluthermiester]

Explaining - FF stands for Firefox. Firefox has option to limit WebGL and canvas tracking (fingerprinting).

Actually, WebGL can be disabled altogether, which I do.

If it's not used, it can't spy on you.

 

[lemonadesoda]

Seems to me that the calculated fingerprint would be very vulnerable to CPU and/or GPU clock/shader tweaking, thermal management, and driver version.

Quick black ops: GPUz could incorporate a randomise clock/shader feature. Every random 1-5minutes adjusting the clock/shaders by -10-+10Hz randomly. Tiny amounts. Totally different fingerprint.

Industry wide solution: GPU manufacturers introduce random nanostutter into drivers. And I do mean nanostutter that would be so small as to not affect performance or benchmarks.

 

[windwhirl]

Can't say anything in this one. I also have unique fonts in my computer, so it's easily fingerprintable in my case.

I just noticed my canvas fingerprint, while unique, it randomizes all the time. So that's one thing out.

Leaves the fonts, though.

 

[Selaya]

I just noticed my canvas fingerprint, while unique, it randomizes all the time. So that's one thing out.

Leaves the fonts, though.

firefox (and derivatives) feature

 

[Dr_b_]

Good thing no one can actually get a GPU, nothing to worry about here