GPU fingerprints might be a privacy concern in the future

Published: Feb 1st 2022, 09:47 GMT   Comments

GPUs and online user tracking

In a research paper titled “DRAWNAPART: A Device Identification Technique based on Remote GPU Fingerprinting”, researchers have presented a method of identifying users based on browser fingerprints generated by GPUs. 

These days users can be tracked by cookies, browser user-agents, network IPs, mouse movements, and other techniques. User identification is required to prevent bot network attacks but also to track users and record their preferences to serve more accurate advertisement. Where law applies, publishers are required to take consent from users, however, there are plenty of malicious organizations who will ignore such requests from users and they constantly come up with new ways for tracking.

Researchers have now confirmed that there is a new high accuracy method of identifying users: GPU fingerprints. Their technique has been tested in large-scale experiments that involved 2500 devices and have seen 67% quicker tracking than other known methods. The current method relying on WebGL 2.0 APU requires at least 8 seconds to fingerprint the GPU, but there are already new web APIs that will limit this time to 150ms and increase accuracy up to 98%.

DRAWNAPART: A Device Identification Technique based on Remote GPU Fingerprinting, Source: ARXIV

This fingerprint method relies on hardware identification, specifically GPUs. They exploit the possibility of measuring a vector containing various calculations that can later be used to verify the user.  Researchers have even confirmed that removing and replacing some components will not affect the ‘classifier’ which is used to track the user.

To reinforce our claim that the classification results are due to differences in the behavior of the GPUs, and not due to some residual differences among the computers, we selected two GEN 3 computers, physically swapped their hard drives, and re-ran the fingerprinting classifier. As expected, the fingerprinting classifier was not misled by the hard disk transplant, and was still able to label each of the two computers according to their CPU. Next, we returned the hard drives to their original locations, and physically swapped the CPUs with integrated graphics of the two systems. As expected, the classifier followed the transplanted CPU, even though all other hardware was unmodified.

— Research Paper

This fingerprint method requires WebGL 2.0 API which is no longer actively supported as it has been succeeded by WebGPU, however, despite the latter being under active development there is no stable edition being supported by any browser. WebGL 2.0 is still used by some popular sites such as Google Maps or IKEA.

GPU Fingerprint, Source: ARXIV

The research concludes that there are ways to prevent GPU fingerprints. In fact, the WebGL standard is required by only 1% of the top 10K websites ranked by Alexa, suggesting that this API could be disabled by browsers by default. The fingerprint creation would also be severely limited by introducing parallel execution, but this could have a big impact on WebGL API performance.

Khronos, the nonprofit organization responsible for WebGL is already looking into possible mitigation that would prevent this fingerprinting method.

Source: ARXIV (PDF) via Bleeping Computer, Tom’s Hardware

Comment Policy
  1. Comments must be written in English and should not exceed 1000 characters.
  2. Comments deemed to be spam or solely promotional in nature will be deleted. Including a link to relevant content is permitted, but comments should be relevant to the post topic. Discussions about politics are not allowed on this website.
  3. Comments and usernames containing language or concepts that could be deemed offensive will be deleted.
  4. Comments complaining about the post subject or its source will be removed.
  5. A failure to comply with these rules will result in a warning and, in extreme cases, a ban. In addition, please note that comments that attack or harass an individual directly will result in a ban without warning.
  6. VideoCardz has never been sponsored by AMD, Intel, or NVIDIA. Users claiming otherwise will be banned.
  7. VideoCardz Moderating Team reserves the right to edit or delete any comments submitted to the site without notice.
  8. If you have any questions about the commenting policy, please let us know through the Contact Page.
Hide Comment Policy