A group of researchers from French, Israeli, and Australian universities investigated the possibility of creating unique fingerprints from people's GPUs and using them for persistent web tracking.
The findings of their large-scale experiment, which involved 2,550 devices with 1,605 different CPU configurations, show that their technique, dubbed 'DrawnApart,' can increase the median tracking duration by 67 percent when compared to current state-of-the-art methods.
This is a serious issue for user privacy, which is currently protected by laws focusing on obtaining consent to activate website cookies.
Because of these laws, unscrupulous websites have begun to collect additional potential fingerprinting elements such as hardware configuration, operating system, timezones, screen resolution, language, fonts, and so on.
This unethical approach is still limited because these elements change frequently, and even when they are stable, they can only assign users to broad categories rather than creating a unique fingerprint.
Fingerprinting identical GPUs
The researchers considered the possibility of creating unique fingerprints based on the GPU (graphics processing unit) of the tracked systems, with the help of WebGL (Web Graphics Library).
WebGL is a cross-platform API for rendering 3D graphics in the browser, and it is supported by all modern browsers. The DrawnApart tracking system can use this library to count the number and speed of execution units in the GPU, measure the time required to complete vertex renders, handle stall functions, and more.
To overcome the challenge of having random execution units handle the computations, DrawnApart uses short GLSL programmes executed by the target GPU as part of the vertex shader. As a result, workload distribution is predictable and standardized. The team created an on-screen measurement method that performs a small number of computationally intensive operations, as well as an off-screen measurement method that puts the GPU through a longer and less intensive test. This process generates traces made up of 176 measurements taken from 16 points, which are then used to create a fingerprint. Even when evaluating the individual raw traces visually, differences and distinct timing variations between devices can be observed.
The researchers also experimented with swapping out other hardware components on the machines to see if the traces could still be distinguished, and discovered that the fingerprints were solely dependent on the GPU.
Even if a set of integrated circuits is manufactured in the same way and has the same nominal computational power, the same number of processing units, and the exact same cores and architecture, each circuit is slightly different due to normal manufacturing variability.
In normal day-to-day operation these differences are imperceptible, but they can be useful in the context of a sophisticated tracking system like DrawnApart, which is specifically designed to trigger functional aspects that highlight them.
Implications and considerations
When DrawnApart is combined with cutting-edge tracking algorithms, the median tracking duration of a targeted user increases by 67%.
As shown in the diagram below, the standalone tracking algorithm can achieve an average tracking time of 17.5 days, but with GPU fingerprinting, this can be extended to 28 days.
The testing conditions covered a GPU operational temperature range between 26.4 °C and 37 °C, with no voltage variations. Workload variations, GPU payloads from other web browser tabs, system restarts, and other runtime changes have no effect on DrawnApart.
The next-generation GPU APIs that are currently in development, most notably WebGPU, include compute shaders in addition to the existing graphics pipeline. As a result, the upcoming API may introduce even more ways to fingerprint internet users, as well as much faster and more accurate methods. When the researchers tested compute shaders in the now-defunct WebGL 2.0, they discovered that DrawnApart achieved 98 percent classification accuracy in only 150 milliseconds, much faster than the 8 seconds required to collect fingerprinting data via the WebGL API.
"We believe that once the WebGPU API is widely available, a similar method can be developed. Before enabling accelerated compute APIs globally, the effects on user privacy should be considered," concludes the research paper.
Attribute value changes, parallel execution prevention, script blocking, API blocking, and time measurement prevention are all potential countermeasures to this fingerprinting method.
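The sketch below is an added example, not code from the research paper or the original article: it shows two of the countermeasures listed above, API blocking and time measurement prevention, as a JavaScript shim. The function names, the 1 ms resolution and the sample traces are assumptions constructed for illustration.

```javascript
// Added example: all names below are hypothetical, not from the paper.
const WEBGL_TYPES = new Set(['webgl', 'webgl2', 'experimental-webgl']);

// API blocking: wrap getContext so WebGL context requests return null,
// which is what a page sees when WebGL is unavailable.
function blockWebGL(canvasProto) {
  const original = canvasProto.getContext;
  canvasProto.getContext = function (type, ...rest) {
    if (WEBGL_TYPES.has(String(type).toLowerCase())) return null;
    return original.call(this, type, ...rest);
  };
  return canvasProto;
}

// Time measurement prevention: round a clock down to a fixed resolution
// so timing differences smaller than the resolution are not observable.
function coarsenClock(now, resolutionMs) {
  return () => Math.floor(now() / resolutionMs) * resolutionMs;
}

// Time each constructed duration with a clock built by makeClock, using a
// simulated time source so the result is deterministic.
function measure(durationsMs, makeClock) {
  return durationsMs.map((d) => {
    let t = 0;
    const clock = makeClock(() => t);
    const start = clock();
    t += d; // the simulated GPU workload takes d milliseconds
    return clock() - start;
  });
}

// Constructed sample traces (ms) for two hypothetical same-model GPUs.
const deviceA = [4.012, 4.031, 4.008];
const deviceB = [4.047, 4.019, 4.052];
const raw = (now) => now;                      // unmodified clock
const coarse = (now) => coarsenClock(now, 1);  // assumed 1 ms resolution

console.log('raw   ', measure(deviceA, raw), measure(deviceB, raw));
console.log('coarse', measure(deviceA, coarse), measure(deviceB, coarse));
```

In a browser the wrapper would be applied to `HTMLCanvasElement.prototype` and `OffscreenCanvas.prototype` before page scripts run. Coarsening only hides differences smaller than the chosen resolution; larger timing gaps remain visible.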
Khronos Group, the developer of the WebGL API, has received the researchers' disclosure and formed a technical study group to discuss potential solutions with browser vendors and other stakeholders.
Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/