Teacher
Professional
- Messages
- 2,669
- Reaction score
- 819
- Points
- 113
Researchers have demonstrated a new attack vector that threatens users of several popular browsers and video cards. The method is based on the use of WebGPU.
The new cyber threat is considered in a report by experts from the Graz University of Technology in Austria and the University of Rennes in France.
It is noted that during the study, experts "felt" the ubiquitous WebGPU API, which allows web developers to use the GPU for high-performance computing in the browser.
Using this API, experts were able to reproduce the attack that works completely in a browser with JavaScript enabled. The new approach simplifies remote cyberattacks.
According to the researchers, they were able to identify one of the first attack vectors via third-party channels of the GPU cache from the browser itself. For exploitation, it is enough to lure the user to a special site where malicious WebGPU code is placed.
There is also a caveat: a potential victim must be kept on the resource for several minutes while the exploit is running. To do this, the user can slip an article, reading which the user will just last the necessary time.
The detected vector can be used to extract sensitive information, including passwords, because it allows you to use the timing of keystrokes. In addition, the method allows the theft of AES encryption keys based on the GPU, which just takes a few minutes.
All compromised data can be transmitted at up to 10 Kbit/s.
The researchers warned representatives of Mozilla, AMD, NVIDIA and Chromium about the problem, after which NVIDIA even issued an official notification.
A demo exploit can be found at this link: https://ginerlukas.com/gpuattacks/
• Source: https://ginerlukas.com/publications/papers/WebGPUAttacks.pdf
The new cyber threat is considered in a report by experts from the Graz University of Technology in Austria and the University of Rennes in France.
It is noted that during the study, experts "felt" the ubiquitous WebGPU API, which allows web developers to use the GPU for high-performance computing in the browser.
Using this API, experts were able to reproduce the attack that works completely in a browser with JavaScript enabled. The new approach simplifies remote cyberattacks.
According to the researchers, they were able to identify one of the first attack vectors via third-party channels of the GPU cache from the browser itself. For exploitation, it is enough to lure the user to a special site where malicious WebGPU code is placed.
There is also a caveat: a potential victim must be kept on the resource for several minutes while the exploit is running. To do this, the user can slip an article, reading which the user will just last the necessary time.
The detected vector can be used to extract sensitive information, including passwords, because it allows you to use the timing of keystrokes. In addition, the method allows the theft of AES encryption keys based on the GPU, which just takes a few minutes.
All compromised data can be transmitted at up to 10 Kbit/s.
The researchers warned representatives of Mozilla, AMD, NVIDIA and Chromium about the problem, after which NVIDIA even issued an official notification.
A demo exploit can be found at this link: https://ginerlukas.com/gpuattacks/
• Source: https://ginerlukas.com/publications/papers/WebGPUAttacks.pdf
