SSD Fingerprinting: How Sites Track You Without Cookies

The New Frontier of Browser Tracking

For years, digital privacy has been a cat-and-mouse game between trackers and users. Cookies die, fingerprinting rises, ad blockers adapt. But a newly disclosed technique takes surveillance to a deeper level: analyzing the telltale activity patterns of your computer’s solid-state drive (SSD) using nothing more than simple JavaScript. Researchers have demonstrated that websites can measure how your SSD responds to specific read and write operations, creating a unique hardware signature that persists even when you clear cookies, use incognito mode, or employ a VPN. This method exploits the fact that every SSD has slight manufacturing variances in how its flash memory cells degrade and respond to load, and those variances are measurable from within the browser sandbox.

The technique does not require any special permissions or plugins. It works in all major browsers that support the Performance API and high-resolution timers. By timing how long it takes to write and then read a small amount of data to a temporary file, the JavaScript can infer the physical characteristics of the underlying storage. The researchers found that these timing patterns are stable enough to serve as a reliable identifier across multiple visits. This represents a significant escalation in the arms race of web tracking, moving from software-level fingerprints like screen resolution or installed fonts to hardware-level fingerprints that users cannot easily change.

How the Attack Works

The core of the attack lies in the JavaScript Performance API, specifically the performance.now() method, which provides sub-millisecond timing precision. The script allocates a buffer, fills it with random data, and writes it to a temporary file using the File System Access API. It then reads the file back and measures the elapsed time. Because SSDs use flash memory that operates differently than traditional hard drives, the write and read latencies exhibit distinctive patterns. Factors like the drive’s controller firmware, the type of NAND flash, and the wear leveling algorithm all influence these timing measurements.

Importantly, the technique does not rely on any new browser vulnerability. It uses legitimate APIs designed for web applications to handle offline storage and real-time performance monitoring. The researchers tested the method on dozens of different SSDs from multiple manufacturers, including both SATA and NVMe models, and achieved high accuracy in distinguishing one drive from another. They also demonstrated that the fingerprint remains stable even after the user clears browser data or switches to a different browser on the same machine. The only way to reset the fingerprint is to replace the SSD itself, a drastic step for most users.

Privacy Implications and Industry Response

The discovery has sent ripples through the privacy and security communities. Privacy advocates warn that this technique could be used to build persistent profiles of users across the web without their knowledge or consent. It could also enable state-level surveillance, allowing intelligence agencies to track specific individuals by their hardware fingerprint. Ad networks and data brokers, always hungry for new identifiers, may adopt this method to circumvent existing privacy protections.

Browser vendors have responded cautiously. Some have already begun discussing ways to reduce the precision of high-resolution timers or to add noise to performance measurements. Apple’s Safari team, for instance, has a history of aggressively limiting fingerprinting vectors and may implement mitigations in future releases. Google’s Chrome team faces a harder challenge because many legitimate web applications rely on precise timing for features like real-time analytics and gaming. Any fix that breaks those applications will face pushback from developers. The Electronic Frontier Foundation (EFF) has called for a standardized approach to limit the resolution of performance timers across all browsers, but no consensus has emerged yet.

What This Means for the Future

SSD fingerprinting is a reminder that the fundamental architecture of the web contains unintended surveillance capabilities. As hardware becomes more diverse and browsers expose more system information to JavaScript, the attack surface for tracking expands. Users who want to protect themselves today have limited options. They can disable JavaScript entirely, but that breaks most modern websites. They can use privacy-focused browsers like Brave or Firefox with strict tracking protection, but those protections may not block this specific technique. They can also use browser extensions that spoof timing measurements, but those extensions must be carefully maintained to stay effective.

Looking ahead, the industry must decide whether to accept hardware-level fingerprinting as an inevitable cost of the web platform or to redesign the APIs that enable it. The answer may lie in a combination of technical mitigations and stronger privacy regulations. The European Union’s ePrivacy Regulation and similar laws may need to explicitly address hardware fingerprinting as a form of tracking that requires user consent. For now, SSD fingerprinting is a proof of concept, but its implications are profound. It shows that the line between software and hardware privacy is thinner than we thought, and that the next generation of web tracking may be built on the very silicon we trust to store our data.

Source: Ars Technica