We have seen everything in recent years to promote a simple act which at the same time and depending on which situation could be criminal: the monitoring and tracking of users or PCs. Finally, like it’s science fiction and in true Mission Impossible A style, a group of researchers have found a method to use your PC’s GPU or iGPU and turn it into a unique fingerprint that would leave a specific trace on the Internet, so that they can know what you do, when you do it and how you do it, whatever its activity. It’s like that Drawn separately.
No less than 2,550 devices with 1,605 different CPU configurations (along with their corresponding iGPUs) left frightening data in terms of tracking and security. A technique developed by a team of researchers from French, Australian and Israeli universities that allows you to monitor your PC with an improved average duration of 67%.
DrawnApart: This is how your PC creates a fingerprint with the GPU
When you enter a website, you must ignore a floating or fixed notice about the famous cookies, where we must give our consent (or not) to be able to access said website or see part of the content. Everyone handles it differently, but you always have to ask for permission, although it’s really just a legal cover that leaves a lot of leeway to the most rogue.
A website might even collect your time zone or operating system version, not to mention language and a thousand other things, but once you leave said website, the tracking ends, at least in theory.
What if you didn’t need to access a website to be able to track a PC? That would definitely be a problem, but what if it also did it faster and better than traditional systems where you can’t escape tracking when you’re on the internet? Which is very scary.
Well, research from these three universities has focused on these margins and the result is the creation of a distinctive fingerprint based on what your iGPU or GPU does and how it does it, always on the internet.
WebGL is the key, real threat or just a test?
The system is tracked by the GPU thanks to WebGL, an Internet graphics library that all browsers have, so it is impossible to escape the registry if we are looking for something in the cloud. Drawn separately use this to use GLSL Programs executed by the graphics card and based on the calculations it has to do, a workload model is generated that is predictable and standardized for a specific PC, being more specific for a specific GPU.
Two work modes determine the footprint of the graphics card: non-intensive and brief versus a more relaxed and elongated in time. With this they generate 176 measurements taken from 16 points, which yields a model (like the one shown below) where at first glance and considering that they are the same graph model, they offer different and unique results.
Also the models are not affected by restarts, tabs in the browser or different changes, the tracking will continue no matter what and thanks to the use of the GPU and not the CPU as such, it extends from 17.5 days to 28 days, which allows us to extract so much information and patterns that make our GPU unique, being able to follow it anywhere on the Internet without doubting who it is.
But if that doesn’t sound alarming, with WebGL 2.0 (now obsolete) DrawnApart was found to achieve 98% GPU evaluation accuracy in just 150ms, i.e. in less time than it takes to flash, they already know where is our graphics card and with it our PC throughout the Internet .
The investigation is already in the hands of the Khronos group, developers of WebGL, because even if we change PCs, change components or software, the graphics card will be followed almost immediately. In short, an attacker with DrawnApart would have a complete trace without anything being done, at least until the API is changed.
