The GPU could be used to identify you online, here's how


An international team of researchers from France, Israel and Australia has developed a new technique that can identify individual users based on their specific and unique graphics card signature. Called DrawnApart, the research, provided as a proof of concept, serves as a warning towards more invasive identification measures that websites or malicious actors could take to collect data on individual users' online activities in real time.

The technique is based on the intrinsic variations of the hardware that result from variability in production processes and in individual components. Just as no human fingerprint is identical to another, no single CPU, GPU or any other consumer item is identical to another. This is part of the reason why CPU and GPU overclocking results vary even within the same model from the same manufacturer. This, in turn, means that there are tiny individual variations in the performance, power, and processing capacity of each graphics card, making this kind of identification possible.

The model created by the researchers makes use of fixed workloads based on WebGL (Web Graphics Library), the cross-platform API that allows graphics cards to render graphics components in browsers. Through it, DrawnApart takes more than 176 measurements across 16 data collection points by performing vertex operations written in GLSL (OpenGL Shading Language), which prevents workloads from being distributed over random work units, making the results repeatable and, as such, individual for each GPU. DrawnApart can then measure the time it takes to complete vertex renders, handle stall functions, and other graphics-specific workloads.

According to the research team, this is the first study that explores the variation of semiconductor manufacturing in a privacy context. The team says that "on the practical front, it demonstrates a robust technique for distinguishing between machines with identical hardware and software configurations," and adds that it can increase “the median duration of tracking to 67% over current state-of-the-art [online fingerprinting] methods.”

The paper explains that the current implementation can successfully identify a GPU in just eight seconds, but warns that next-generation APIs in development for the web could enable even faster and more accurate fingerprinting. WebGPU, for example, will feature support for compute shader operations to be performed through the browser. The researchers tested a compute shader approach to the DrawnApart identification process and found that not only was the accuracy enormously increased to 98%, but that it reduced the identification time from 8 seconds through vertex shaders to just 150 milliseconds with the compute shader approach. Potentially, this could mean that a single wrong click on a website could be enough to individually identify consumer GPUs, with all the risks this poses to personal privacy and cybersecurity. Furthermore, the legislation and protections on online tracking practices are mostly inadequate for protecting users from this particular technique.

Khronos, the non-profit organization responsible for developing the WebGL library, has already formed a technical group that is exploring solutions to mitigate the technique. The research team in its paper has already outlined some potential solutions for the problem (including preventing parallel execution, attribute value changes, script blocking, API blocking, and preventing time measurement) that will likely be explored by the organization in an attempt to curb this potential assault on online user privacy.

Your graphics card could be used to track you across the web regardless of cookie consent


Telling a website to stick its cookies someplace else might not be enough to keep it from tracking you across the web—there are other identifiers that can help narrow down who you are and what you're doing as you travel the silicon superhighway. These techniques rely on tracking the exact configuration of hardware you're running inside your PC, though researchers suggest this form of hardware tracking could be done with even greater accuracy through something known as GPU fingerprinting.

Outlined in a research paper [PDF warning] from co-first authors Tomer Laor of Ben-Gurion University and Naif Mehanna from University Lille, CNRS, and their respective teams (via Bleeping Computer), the technique nicknamed DrawnApart takes advantage of minor differences in a user's GPU behavior to uniquely identify them across the web.

That could lead to persistent tracking by, what the researchers call, 'less scrupulous websites' that potentially jeopardises existing privacy protections on the web, such as cookie consent.

The DrawnApart technique works by not only noting the GPU and other hardware in use by a PC, but actually homing in on a given GPU's specific characteristics. In the researchers' own words, 'we harness the statistical speed variations of individual EUs in the GPU to uniquely identify a complete system.'

To do that, the researchers use WebGL to target the GPU's shaders with a sequence of drawing operations that are designed to be sensitive to differences across individual EUs. The resulting vector, called a trace, contains a sequence of timing measurements that the team have generated. 

The differences in the resulting trace information are then used to identify, or fingerprint, different GPUs, even if they're the same make and model.

You can even watch a video of the researchers swapping the CPU of their test machines and the algorithm accurately keeping track of which is which based on integrated graphics alone.

These are raw traces from the study for two different Intel Gen 3 computers. (Image credit: Tomer Laor, Naif Mehanna)

The researchers say they're able to do this with high accuracy: noting a 67% improvement when used in conjunction with existing fingerprinting algorithms, in a test of over 2,500 unique devices and 371,000 fingerprints. That's an improvement in successfully tracking a user from 18 days with the existing FP-STALKER fingerprinting algorithm to 30 days when using the DrawnApart algorithm with it.

'This is a substantial improvement to stateless tracking, obtained through the use of our new fingerprinting method, without making any changes to the permission model or runtime assumptions of the browser fingerprinting adversary,' the researchers say. 'We believe it raises practical concerns about the privacy of users being subjected to fingerprinting.'

The average tracking time increases significantly once DrawnApart is used. (Image credit: Tomer Laor, Naif Mehanna)

Thus DrawnApart could be used to circumvent cookie legislation and protections for user privacy online. That's not lost on the researchers, either, who clearly from the paper believe online privacy is a fundamental right, and who outline how to combat a potential tracking algorithm based on its findings.

Firstly, the technique relies on WebGL to operate, meaning you could simply disable WebGL (or the JavaScript support it requires) to mitigate tracking via this technique. As the researchers note, though, this isn't a great option: 'Disabling WebGL, however, would have a non-negligible usability cost, especially considering that many major websites rely on it, including Google Maps, Microsoft Office Online, Amazon and IKEA.'

Essentially, you're going to lose access to a lot of websites used by millions of people daily if you disable WebGL outright. Though it is an option.

The researchers also note that the Tor browser runs WebGL in a 'minimum compatibility mode', which does prevent access to the ANGLE_instanced_arrays API used by DrawnApart.

Another option to counter DrawnApart, or techniques like it, could be to use a blocking script that prevents access to at-risk resources. Though the researchers don't find these lists to be sufficient in maintaining privacy in all regards.

Then there's the option of altering the values required to track a user, to sort of create a fuzziness in the results that lowers the accuracy of any tracking. That could work, the researchers note, though existing countermeasures to this end from another study by Wu et al. wouldn't be sufficient.


The key to DrawnApart is in measuring the use of the actual shader cores within the GPU by an API. (Image credit: Nvidia)

There are options there to mitigate the threat from DrawnApart, but none better than what the researchers outline in the following section: preventing parallel execution, preventing deterministic dispatching, and preventing time measurements.

All three of these combined would do away with DrawnApart's potential threat to online privacy, though it would be in the hands of WebGL and even browser developers to implement each of them in such a way as to make them practical and effective. That first bit is important, too, as the researchers note that preventing time measures, for example, is a 'futile' task online.
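To check what a given browser profile still exposes, the following added example (not code from the paper or from any browser vendor) audits the features the article names: WebGL availability, the ANGLE_instanced_arrays extension, and the granularity of the page-visible clock. The names `auditWebGLExposure`, `timerResolutionMs`, `fakeCanvasFactory` and `clampedClock` are hypothetical, and the fake canvas and clock are constructed stand-ins so the audit also runs outside a browser.

```javascript
// Added example (not from the paper): report which of the features named in
// the article a browser profile still exposes to page scripts.

// Smallest observable step of a clock, in the clock's own units (ms for
// performance.now()). A coarse step means timer clamping is active.
function timerResolutionMs(now, wanted = 200, maxSpins = 5e6) {
  let best = Infinity, prev = now(), seen = 0;
  for (let i = 0; i < maxSpins && seen < wanted; i++) {
    const t = now();
    if (t > prev) { best = Math.min(best, t - prev); prev = t; seen++; }
  }
  return best; // Infinity if the clock never advanced
}

// makeCanvas must return a fresh canvas on each call: a canvas that already
// holds a "webgl" context returns null when asked for "webgl2".
function auditWebGLExposure(makeCanvas, now = () => performance.now()) {
  const gl1 = makeCanvas().getContext('webgl');
  const gl2 = makeCanvas().getContext('webgl2');
  const ext = gl1 ? gl1.getExtension('ANGLE_instanced_arrays') : null;
  const report = {
    webgl1: Boolean(gl1),
    webgl2: Boolean(gl2),
    instancedArraysExt: Boolean(ext),
    timerResolutionMs: timerResolutionMs(now),
  };
  // Instanced drawing is core in WebGL 2, so either path counts.
  report.instancedDrawingReachable = report.instancedArraysExt || report.webgl2;
  return report;
}

// Constructed stand-in for a canvas so the audit also runs under Node.
function fakeCanvasFactory({ webgl1, webgl2, instancedExt }) {
  const gl = { getExtension: (name) =>
    (instancedExt && name === 'ANGLE_instanced_arrays' ? {} : null) };
  return () => ({ getContext: (type) =>
    (type === 'webgl' && webgl1 ? gl : type === 'webgl2' && webgl2 ? {} : null) });
}

// Constructed clock that only advances in steps of stepMs.
function clampedClock(stepMs) {
  let calls = 0;
  return () => Math.floor(calls++ / 10) * stepMs;
}
```

In a browser console the audit is run as `auditWebGLExposure(() => document.createElement('canvas'))`; a hardened profile should report `instancedDrawingReachable: false` or no WebGL at all.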

There are also some limitations that should be noted. Mainly that variation in GPU voltage could alter the results, though this wasn't tested.

Yet DrawnApart, and fingerprinting techniques like it, is still a frightful concept to champions of privacy and your average web user alike. Privacy is not to be trifled with, yet the very hardware we're accessing the web with can be used against us to keep track of where we're going and what we're doing. Clearly it's an ongoing battle to keep ahead of the curve with efficient mitigations for privacy-abating techniques such as this, and as researchers point out the holes in the digital battlements, developers rush out to patch them.

'Our fingerprinting technique can tell apart devices that are completely indistinguishable by current state-of-the-art methods, while remaining robust to changing environmental conditions. Our technique works well both on PCs and mobile devices, has a practical offline and online runtime, and does not require access to any extra sensors such as the microphone, camera, or gyroscope,' the researchers conclude.

As ever, my advice is to make sure to keep your PC up-to-date. Though if you're majorly worried about tracking across the web, perhaps you might want to consider more drastic measures in this instance, such as doing away with WebGL altogether. Though that could be quite a sacrifice. 

In the long run, more permanent and less intrusive techniques to prevent such tracking could be put in place. The Khronos Group, which is responsible for the WebGL specification, has set up a technical study group to discuss the disclosure with browser vendors, while Intel, Arm, Google, Mozilla, and Brave were all let in on the paper back in 2020.
