NVMe SSD timing attack bypasses Firefox, Brave, Chrome
Key insights
- The attack fingerprints devices by measuring NVMe SSD timing via standard browser storage APIs, needing no user permissions or malware.
- Physical hardware timing variations make this technique immune to all current anti-fingerprinting mitigations in Firefox, Brave, and Chrome.
- Private browsing mode offers no protection because the attack reads hardware state rather than session or browser configuration data.
Why this matters
Any privacy architecture that treats the browser as the trust boundary is now incomplete, since this attack operates one layer below, at the physical storage hardware. For founders and product teams shipping privacy-preserving tools or compliance infrastructure, the threat model must now account for storage-layer timing channels that persist even when users take active steps like private browsing. Browser vendors face a non-trivial remediation path: clamping storage API timing precision enough to defeat the attack risks degrading performance-sensitive web applications, meaning the vulnerability window is likely to remain open for an extended period.
Summary
A new browser attack fingerprints users by measuring SSD timing via standard storage APIs, requiring no permissions or plugins.
Researchers confirmed the technique across all major NVMe drives, and it survives private browsing sessions. Firefox, Brave, and Chrome anti-fingerprinting tools all fail because the attack targets physical hardware timing, not software configuration.
Essentially, Firefox, Brave, and Chrome have no current mitigation against this hardware-layer storage attack.
- Storage-access APIs in every major browser leak SSD timing with enough precision to generate stable, unique device identifiers.
- NVMe manufacturing variance gives each drive a distinct timing signature that persists across full session resets.
- Private browsing provides no defense because hardware state does not clear between visits.
Browser vendors must now weigh restricting storage API timing precision against breaking legitimate web apps that depend on those measurements.
Potential risks and opportunities
Risks
- Ad-tech firms (Trade Desk, LiveRamp) could exploit the technique to re-identify opted-out users in private browsing sessions, creating GDPR and CCPA exposure before any browser patch ships
- Browser vendors (Mozilla, Google, Apple) face regulatory pressure in the EU if the vulnerability persists unpatched while users rely on private browsing for legal protection under data privacy law
- Anti-fingerprinting product vendors (Brave, Mullvad Browser) risk reputational damage as their flagship privacy guarantees are publicly invalidated by a hardware-layer attack they currently have no fix for
Opportunities
- Browser security teams (Mozilla, Google, Apple) that ship a storage API timing mitigation first gain a credible privacy differentiator as media coverage of the attack continues through the summer
- Security consultancies specializing in web fingerprinting (NCC Group, Bishop Fox) can immediately offer storage-channel assessments to ad-tech compliance teams facing audit exposure from the disclosure
- Hardware vendors could market NVMe SSDs with obfuscated or randomized timing signatures as a privacy countermeasure, opening a product category with no current competition
What we don't know yet
- Whether Mozilla, Google, or Brave have committed to a specific patch timeline for restricting storage API timing precision
- Whether the attack remains viable against cloud-hosted virtual machines where SSD access is shared across tenants and timing noise is significantly higher
- Whether any ad-tech firms or data brokers independently discovered and deployed this technique before its public disclosure
Originally reported by Ars Technica
Original headline: Websites Have a New Way to Spy on Visitors: Analyzing Their SSD Activity — Novel Storage Side-Channel Attack Bypasses Existing Browser Fingerprinting Defenses