A group of researchers has discovered that there is a possibility that some attackers can use the fingerprints of a Graphics Card or GPU to use it as a tracker and thus be able to know everything you do on the internet. This seems to be a critical bug, although complicated to carry out, which aims to expose possible vulnerabilities in this type of hardware.
If you are interested in knowing more details about this topic, continue reading this research article.
A possibility of being tracked on the internet
The researchers, from countries such as Israel and Australia, have found a way to track a computer through the fingerprint of devices such as the users' graphics card or GPU.
This is part of the fingerprinting practice, known as web tracking, which is often done by various companies to monitor fraud and offer personalized advertising to their consumers; although it can also be used maliciously.
Before, only cookies were used for this type of thing, but due to certain regulations in some countries, companies have opted for digital fingerprinting in order to keep in mind a possibility to track their users anonymously. And it is that this type of practice does not work for long periods of time, which means that on some occasions it does not become as effective; however this changed with the researchers' discovery.
How does this fingerprint work on the GPU?
This type of trace works by collecting information on the time it takes for any device's graphics card to return some visual elements with WebGL; a graphics API that is built into most modern browsers. In this way, the manufacturing differences between each similar GPU can be known, through interaction with this API; then the researchers will feed the data into an algorithm that yields better information.
This data was tested on some tracking systems on approximately 2,500 devices with up to 1,600 different CPU configurations; getting the results they wanted with these parameters.
What allowed the possibility of tracking the fingerprint through the web without any type of restriction; a finding that was notified to the largest companies in the sector so that they are aware of its existence and latent danger.
Possible threat or a simple laboratory test?
As mentioned above, this tracking system was achieved thanks to WebGL. It does this in two ways: one non-intensive and the other short and elongated in time, in this way 176 measurements of 16 points can be generated, resulting in a unique pattern or footprint that can be tracked depending on the device. Although this was only done in a laboratory, there is a fear that people with malicious purposes could use it to steal information.
The tool itself is called DrawnApart, which proved to have an incredible accuracy of up to 98% in 150 ms, being able to know where the Graphics Card is on the internet at all times; which seems to be worrying if it really is so easy to use.
However, this seems to be a problem with the API that needs to be updated as soon as possible to avoid this bug that allows tracking steps on the web in just the blink of an eye.
How could this affect users?
Although it is not yet known with certainty how much can be done with this method, it is known that the location of the GPU and therefore of the PC on the Internet can be known at all times; knowing each page that is visited and from where it is done. Which seems to be sensitive enough information to pay attention to.
Although the researchers have not discussed in detail how it could affect ordinary users around the world.
They admit that it can mean a possible threat, but that this has already been notified to the related companies so that they can take charge; without revealing too much information that allows other attackers to take advantage of it and perfect it to even be able to steal credentials or sensitive data.
It only remains to be seen how this flaw in WebGL will affect people who use the internet on a daily basis and who own a GPU.
Exploit vulnerabilities to improve technology
Keep in mind that in the world of cybersecurity, finding vulnerabilities is something common that is done to improve software or hardware and shield it as much as possible from malicious attacks. In this way, digital catastrophes that could affect the whole world are avoided.
These types of laboratory tests show how efficient it is to find and resolve bugs that may affect end users.