Researchers say your GPU could be exposing private information online
In an age of heightened online privacy awareness, many of us are aware of our digital fingerprints and prefer not to be tracked. However, it may not be as simple as it seemed before.
An international team of researchers has discovered that users can be tracked by their graphics cards. This is done through a new technique called “GPU fingerprinting”.
This new technology, named DrawnApart by the researchers and first reported by Bleeping Computer, relies on the tiny differences between each piece of hardware to make a distinction that binds it to a certain user. Through a series of identifiers, researchers are discovering that they are able to track individual users, as well as their online activity, simply by implementing this new technique.
The team spans several countries and universities, including researchers from Israel, France and Australia, who published their findings online in an article on Arxiv.org. They presented examples of the GPU fingerprinting technique, which relies on the fact that no component is exactly the same, even though they are all part of the same model and were made by the same manufacturer.
Using WebGL, DrawnApart targets GPU shaders with a special sequence of graphics operations designed specifically for this task. Drawing operations are ultra-precise and allow researchers to more easily differentiate between graphics cards, including cards of the same make and model.
Once the task is complete, the technique produces an accurate trace with timing metrics that include the time it takes for the card to handle stall functions, full vertex renders, and more. As the timing is individual to each GPU, this makes the unit traceable.
The research team finds that this technique provides a high degree of accuracy and is an improvement over existing tracking methods. The algorithm was tested on a large sample of over 2,500 unique devices and 371,000 fingerprints, and researchers noted a 67% improvement over using only current fingerprinting methods without DrawnApart. In its current state, DrawnApart can fingerprint a graphics card in just eight seconds.
Eight seconds is lightning fast, but there is potential for even more accurate and faster tracking through the use of newer and faster APIs. The team tested computational shader operations instead and found that results were now up to 98% accurate and took just 150 milliseconds to achieve.
Although the results are impressive, there is no denying that they are also terrifying. We’ve all gotten used to refusing cookies on various websites, but DrawnApart proves that this may soon not be enough. The research team is also acutely aware of the potential for misuse of GPU fingerprinting.
“This is a substantial improvement in stateless tracking, achieved through the use of our new fingerprinting method. […] We believe this raises practical concerns about the privacy of users subject to fingerprinting,” the researchers said in their paper.
Since the GPU fingerprinting technique may not require additional permissions, users could be subject to it by simply browsing the internet. Khronos, the organization in charge of the WebGL library, is already exploring ways to prevent malicious use of the technique.