Your device's GPU may be used for fingerprinting purposes

Martin Brinkmann
Jan 31, 2022
Security
|
40

Researchers from universities in Israel, Australia and France have discovered a device identification technique that is based entirely on GPU fingerprinting.

gpu fingerprinting

Fingerprinting in the computing world refers to the identification of devices or users. It may be used individually or in combination with other tracking techniques.

Fingerprint attempts may use one or multiple factors retrieved from a user's device to track users online. At least some data is revealed automatically when users connect to websites using modern web browsers, others may be retrieved using scripts that run on the website itself.

ADVERTISEMENT

Connecting to sites may reveal information about the operating system, screen size or language that is used on the device. Some of these factors may change, e.g. the size of the browser window, while others may not.

Some web browsers, e.g., Firefox or Brave, include anti-fingerprinting options, but these address only common forms and not all methods that can be used potentially for that purpose.

The GPU fingerprinting technique that the researchers discovered relies solely on the graphics processing unit. The technique may be used to extend the tracking time of other fingerprinting methods by up to 67% according to the research paper.

To put this into perspective: the average tracking time according to the researchers is between 17 to 18 days. The GPU fingerprinting method that the researchers discovered extends this to a period between 25.5 and 30 days; a significant increase.

The researchers ran experiments on 2500 unique devices using the technique. They developed two methods, both of which use the Web Graphics Library (WebGL), which is supported by all modern web browsers.

The researchers describe how the technique, which they call DRAWNAPART, works in the research paper:

By fingerprinting the GPU stack, DRAWNAPART can tell apart devices with nominally identical configurations, both in the lab and in the wild. In a nutshell, to create a fingerprint, DRAWNAPART generates a sequence of rendering tasks, each targeting different EUs. It times each rendering task, creating a fingerprint trace. This trace is transformed by a deep learning network into an embedding vector that describes it succinctly and points the
adversary towards the specific device that generated it.

[..] by using short GLSL programs executed by the GPU as part of the vertex shader (cf.  section II-B). We rely on the mostly predictable job allocation in the WebGL software stack to target specific EUs. We observe that, when allocating a parallel set of vertex shader tasks, the WebGL stack tends to assign the tasks to different EUs in a non-randomized fashion. This allows us to issue multiple commands that target the same EUs.

Finally, instead of measuring specific tasks, we ensure that the execution time of the targeted EU dominates the execution time of the whole pipeline. We do so by assigning the non-targeted EUs a vertex shading program that is quick to complete, while assigning the targeted EUs tasks whose execution time is highly sensitive to the differences among individual EUs. A

Both onscreen and offscreen methods have been created to address different use cases. The onscreen method is faster but requires more resources, the offscreen method takes longer to deliver results but it is more resource friendly.

The researchers note that countermeasures may block the successful creation of fingerprints using the method. Tor Browser, with its "minimum capability mode" blocks the use of an API that the attack relies on by default. WebGL may also be disabled in other browsers to prevent the attack, but at the cost of potential usability or accessibility issues.  Script blocking can be effective, but only if scripts are blocked by default and allowed manually by the user.

Check out a study on the effectiveness of anti-fingerprinting measures here.

You can check out the full research paper linked above for additional details.

Now You: do you use anti-fingerprinting protections? (via Bleeping Computer)

Summary
Your device's GPU may be used for fingerprinting purposes
Article Name
Your device's GPU may be used for fingerprinting purposes
Description
Researchers from universities in Israel, Australia and France have discovered a device identification technique that is based entirely on GPU fingerprinting.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. Akina said on January 31, 2022 at 3:10 pm
    Reply

    I’m using CanvasBlocker mainly for container tabs functionality and anti-fingerprinting is bonus.

    1. Tom Hawack said on January 31, 2022 at 3:22 pm
      Reply

      Yeah, maybe I should re-install CanvasBlocker, I removed it when I had the feeling it slowed down surfing…. feeling only, other parameters may have been the culprit. I’ll think about it.

    2. Frankel said on February 1, 2022 at 11:36 am
      Reply

      Firefox
      about:config
      webgl.min_capability_mode
      true

      Bye bye tracking ****bags! Greetings from TOR dev. Feels good being on Firefox.

  2. Tom Hawack said on January 31, 2022 at 3:18 pm
    Reply

    Here with Firefox (96.0.1) I certainly should disable WebGL, but doing so may disturb/break some websites.

    // disable/limit WebGL (Web Graphics Library)
    // When disabled, will break some websites. NOTE : Google Maps ‘Globe View’ requires WebGL
    // When enabled, provides high entropy.
    pref(“webgl.disabled”, true); // DEFAULT=false — Set to false here

    // limit WebGL
    pref(“webgl.min_capability_mode”, true); // DEFAULT=false — Set to false here

    You know what? I’m on the slippery path of letting down my guard when it comes to engaging in counter-tracking measures with side effects given I relativize the effectiveness of one component lost within the myriad of fingerprinting and tracking methods, calamity of the Web.

    I’m keeping WebGL just for the sake of Google Maps ‘Globe View’. Now that I think about it I wonder if I’m not stupider than I thought. I might create a toolbar button to switch WebGL on/off, like I’ve done for WebAssembly (only very few sites need it). I may also test Google Maps ‘Globe View’ with WebGL enabled (required) but “webgl.min_capability_mode” set to true… but as I said : always yes for security, most often yes for privacy given there’s no substantial side-effect. Lousy pragmatism.

    Another Ghacks contribution to lucidity via information.

    1. TelV said on January 31, 2022 at 7:43 pm
      Reply

      There are alternative map sites Tom. Using Google is just asking for trouble. https://whotracks.me/trackers.html

      1. Tom Hawack said on February 1, 2022 at 10:42 am
        Reply

        TelV, there are alternative map sites, for sure. Personally I’m fond of maps, mapping. I use OpenStreetMap in priority, also wego.here.maps, Qwant maps (to remain faithful to me European status) and Geoportail (because i’m in France). I also use the ‘OpenSwitchMaps’ extension to shift from one to another for a given localization.

        I dislike banning as a principle and when it comes to Google, believe me, it’s authorized a strict minimum : google.com is cookie-blocked (*.google.com that is) and if/when I use it it’s only for images and maps, and when it comes to maps I must say that I find nowhere else, 1- Street View (at least as well built), 2- satellite view (alternatives exist) and more specifically the ‘Globe View’ I mentioned above : satellite view is by default in 2D, the ‘Globe View’ is in 3D (like Google Earth) allowing tilting and “true” 3D ; no one but Google Maps offers that.

        To come back to WebGL and Google Maps : with WebGL disabled I can use Google Maps, Google Maps / satellite, but not Google maps / satellite / Globe View, which requires and WebGL enabled AND “webgl.min_capability_mode” = false …

        From there on, I can either add a userChromeJS toolbar button I’d craft to toggle WebGL when required by a site (setting it ‘off’ by default) as I’ve done it for WebAssembly, either re-install the CanvasBlocker extension mentioned above by user Akina. CanvasBlocker includes tightening of WebGL. I’ve chosen the second solution, doesn’t seem to slow down the browser, even in its ‘Maximum protection’ mode; I had had that feeling previously, another example of why “feelings” blind when a rational experience reveals.

      2. owl said on February 1, 2022 at 12:18 pm
        Reply

        When it comes to “maps”, I always test Google’s alternative services over and over again, but unfortunately they are not far from the accuracy of Google Maps and Google Earth Pro.
        Google’s maps allow you to see your destination in detail, no matter how “remote and out-of-the-way” it is, and show it accurately (without error) with pinpoint accuracy. It also keeps up with changes in the environment due to land development and other factors. And even the general condition of the surrounding environment, such as landmarks, hills, fields, mountains, and forests, is clearly and accurately displayed.
        Sadly, with Windows, I have to rely on Google.

        As far as I know, the only practical Google-equivalent options are Zenrin Map (Japan only) and Apple map app.

  3. Carlos said on January 31, 2022 at 3:41 pm
    Reply

    about:config > webgl.disabled > true

  4. Neutrino said on January 31, 2022 at 4:09 pm
    Reply

    Paranoia and fearmongering is what people need to ‘disable’.

    1. ZeN said on January 31, 2022 at 4:54 pm
      Reply

      :)

      Maybe many have data that needs military grade protection procedures?
      Fair enough, if it’s worth protecting, otherwise it’s just chasing your tail.

      The world of networked computing is full of holes and subversive methods.
      Always was always will be.

      Take a breath world, there’s enough fear & paranoia floating around for everyone.

      1. Tom Hawack said on January 31, 2022 at 5:39 pm
        Reply

        “Just because you’re paranoid doesn’t mean they aren’t out to get you.” — Woody Allen

        Paranoia is imaginative, awareness is factual. Facts. What is described in this article is not the resume of a psy session, it’s facts. What must be avoided, right between paranoia and awareness, is over-reacting. Like in a fist-fight, some get all excited then you have this calm big-head which enters the place and calmly fixes the problem. Point is with trackers as your opponent it’ll never be a KO, you can just try to narrow the score difference.

      2. ZeN said on January 31, 2022 at 5:48 pm
        Reply

        I get what you’re saying, completely, but believe me when I say this;
        life is waaay too short for over protective measures.

      3. Crazy Dude said on January 31, 2022 at 7:09 pm
        Reply

        Could you please give me your full name, the name of the city in which you were born, your mother’s maiden name and the name of your pet?

        You have nothing to hide, right?

      4. Neutrino said on February 1, 2022 at 7:46 am
        Reply

        “Could you please give me your full name, the name of the city in which you were born, your mother’s maiden name and the name of your pet?

        You have nothing to hide, right?”

        Give me an email or something else where I can send ’em to you.

      5. ZeN said on February 1, 2022 at 11:55 am
        Reply

        I store no details on (these nefarious evil tracking devices) my computer.
        You want my info then learn to be a 1337-haxor dude

      6. O Canandia said on February 1, 2022 at 1:42 am
        Reply

        @ZeN

        life is waaay too short to spend years in jail, because you didn’t take highly protective measures.

        But if you have nothing to hide, then you have nothing to worry about, right?

        Or are you just one of those types of people who drive around drunk and sing “don’t worry, be happy!”?

        Point being, one size does not fit all, and we are not you.

      7. ZeN said on February 1, 2022 at 11:50 am
        Reply

        Relax troll, I’m Zen not crazy

      8. ganky said on February 3, 2022 at 8:01 pm
        Reply

        @ZeN

        You might not be crazy, but you have shown to be out of touch with the needs of others, and you ignored the “point” that “O Canandia” made and called her/him a troll.

        Relax? ha..

        Well, whatever you are, your words mirror the persona of a sociopath.

        But no matter, as your real problems are far worse than you think.

      9. ZeN said on February 4, 2022 at 9:49 am
        Reply

        “Well, whatever you are, your words mirror the persona of a sociopath.

        But no matter, as your real problems are far worse than you think.”

        Ha – you’re trolling too.

        What kind of statements are those two sentences?
        You have shown to be out of touch with speculative insults.

      10. beavis said on February 27, 2022 at 10:28 pm
        Reply

        ZeN

        > Paranoia and fearmongering is what people need to ‘disable’.

        Perhaps what people need to disable is narrow-minded advice from ignorant posers.

        Personally, I don’t claim people ‘need’ to do anything, as that’s a game for dictators and sociopaths.

        > Relax troll

        That was clearly an insult, with nothing speculative about it. For you to say “ganky” was out of touch, is simply more evidence of your problem.

        > What kind of statements are those two sentences?

        Why ask that? Are you a chatbot?

  5. common sense computing said on January 31, 2022 at 7:28 pm
    Reply

    Fingerprinting is a problem and will only get worse as 3rd party cookie controls tighten. Google doesn’t mind hurting 3rd party trackers to promote their own Topics tracking.

    Check EFF’s Cover Your Tracks page to test your browser.

    1. Anonymous said on February 1, 2022 at 1:04 am
      Reply

      Our tests indicate that you have strong protection against Web tracking, though your software isn’t checking for Do Not Track policies.

      Blocking tracking ads? Yes
      Blocking invisible trackers? Yes
      Protecting you from fingerprinting? Your browser has a unique fingerprint

      Your browser fingerprint appears to be unique among the 224,173 tested in the past 45 days.
      Currently, we estimate that your browser has a fingerprint that conveys at least 17.77 bits of identifying information.

  6. TelV said on January 31, 2022 at 7:48 pm
    Reply
  7. ULBoom said on January 31, 2022 at 8:10 pm
    Reply

    Read the paper.

    One of a bazillion ways to track users. These “Look what we found” things appear regularly; the authors say so and cite many of them.

    Like OS’s and browsers don’t have advertising ID’s that very few users know exist and even fewer disable? The list of potential identifiers is very long, none of which matter for most users, since they don’t care.

    Try the minimal mode for WebGL if you use FF; turning it off will mangle lots of sites.

  8. Yash said on January 31, 2022 at 8:12 pm
    Reply

    In my main profile on Firefox used for surfing, most if not all prefs are according to Arkenfox so no problem. On the odd occasion where web compatibility is an issue I have a backup profile for those purposes in which no prefs are touched. Thankfully in Firefox I can switch DRM, Telemetry, ETP, safebrowsing, and now site isolation in the form of dFPI without any pref through main settings.

    Side note to those who maybe don’t want full Arkenfox experience but still want some protections, Flip two prefs – privacy.resistfingerprinting.enabled and webgl.enabled. That’s it – enjoy better protections against tracking.

  9. notanon said on February 1, 2022 at 12:36 am
    Reply

    TLDR – If you have Firefox, disable WebGL in about:config.

    [email protected]$ BTFO (and yes, [email protected], that includes Brave, the * [Editor: removed, stay polite] browser).

    1. Iron Heart said on February 1, 2022 at 10:51 am
      Reply

      @notanon

      What are you even talking about, Brave randomizes WebGL when set to “Standard” and turns it off entirely when set to “Aggressive”, you don’t need Firefox to turn WebGL off (LOL).

      > [email protected]

      This is highly offensive, if I wrote that the mod hypocritically wouldn’t even let my post appear. I guess you are lucky that the rules do not apply to everyone in the same way.

      1. read the docs said on February 1, 2022 at 11:09 am
        Reply

        read the docs – brave doesn’t randomize timing which is what the fingerprint is leveraging

  10. SteveS. said on February 1, 2022 at 12:53 am
    Reply

    I’ve had WebGL disabled for several years. I’ve lived long enough – going back to when the internet didn’t have any advertising on it and little if any surveillance – to know what is really necessary for me to live a pleasant and productive life. Whatever I really need from the internet I get just fine – and leave the rest.

    I’ll continue to protect my privacy and security as I can – even as it gets worse. Makes no sense to give in if I have the technical knowledge and skill to block holes as they arise. An analogy: Although a determined burglar can break even some of the best door locks, that doesn’t mean I should leave my doors open and unlocked all the time.

    1. Wang Chung said on February 1, 2022 at 2:54 am
      Reply

      @SteveS.

      > ..internet didn’t have any advertising on it and little if any surveillance

      Not true. The Internet (before the web) had much advertising. Most all BBS services has ads for porn, computer stuff, services, all kinds of stuff. Dell computer started by advertising on university forums. Logging by BBS services and Universities was a thing back then too. Student had to log on with their credentials, and regular users paid for access, and everyone used wired phones modems, which were easy to track. Most all users where tracked, as many paid for access per hour with data caps. Also, even savvy hackers who jumped around several proxies still got busted by the FBI back then. Also, some of the biggest media pirate busts happened before the web, with users being arrested and computers confiscated. There was no public Wi-Fi for hackers to hide behind.

      As for knowledge about security and privacy, that doesn’t matter much if you have important things to protect, because if they want it, they can likely get it. Hence, it all comes down to being able to have a real risk analysis that fits your specific situation, and as need be, a contingency plan if things go bad for you, such as something a lawyer could help you with.

      Also, you say “even as it gets worse…Makes no sense to give in” and thus I take it you have no end-game exit plan, other than to keep doing the same. Hmm, that makes no sense to me. It’s prudent to know how much risk you’re willing to face before opting out of such risk.

      For me, I faced that too-high-of-a-risk level years ago, concluding that the web is broke, it’s getting worse, and the good guys in security have lost.

      Personally, I’m doing all I can to keep my assets away from the web, which includes banking. I have contingency plans to deal with any foreseeable problems I can’t control, as with identity theft. To sum it up, the risk of depending a lot on the web is too high for me.

      That said, right before covid hit, a friend of mine lost a house he left empty for a month to some so-called squatters, who came from next door, broke in, changed the locks, sold everything inside including a motorcycle and his tools, and then rented it out. Thanks to the web, they did some identity fraud, via documents they found in the house, and cleaned out a bank account. No one has been arrested, and they are still in that house, with a fake lease. The police said they can’t do anything, as it has to go through the court system. My friend had no idea this could happen to him, and now he spends money on a lawyer. Ha. I had warned him, but he ignored me, as he is an optimistic idiot.

      1. owl said on February 1, 2022 at 9:04 am
        Reply

        @Wang Chung,
        > Not true. The Internet (before the web) had much advertising.

        I’m not @SteveS himself,
        but @Wang Chung seems to be unfamiliar with the realities of the “ghacks.net community”. The community is global and subscribed to by men and women of all ages. In short, there is a huge difference between your “generation” and his.
        He is probably referring to the New Media (INS: Information Network System) of the 1980s, and he said he has gained Internet experience that “can be appropriately controlled by one’s outlook on life, experience, and skills”.

        Not everyone’s environment is identical to yours. However, your comment is worthwhile.

      2. owl said on February 1, 2022 at 9:15 am
        Reply

        About the “BBS services” mentioned by @Wang Chung:
        Bulletin board system
        https://en.wikipedia.org/wiki/Bulletin_board_system

      3. Chung Wang said on February 3, 2022 at 9:30 pm
        Reply

        @owl

        I’m all too familiar with the so-called realities of the ghacks.net community, and all the helpful things (mixed with BS) that comes with it.

        I’ve been with ghacks back when it was about Google hacks.

        > there is a huge difference between your “generation” and his.

        Even if that was true, it does not matter, as the facts are still facts, and I’ve been there for all of it.

        With the overall history of the Internet before the WWW, there was much advertising and tracking, even before the mid ’90s when commercial advertising got huge.

        Look, when the big wave of advertising first came in, many folks on the Internet got mad, saying things like “the Internet should be free of corporations and adverting!”.. But such statements were hyperbole, as adverting and corporations were already there. For example, thanks to advertising, I was well aware of Stewart Brand’s commercial ventures back then. That said, people look back and think that hyperbole was all true, but those are at best false memories, of a so-called “better time”.

        > Not everyone’s environment is identical to yours.

        Even if that was true, how does that matter here? My focus has been on the truth of what is for all, which is our environment, then and now.

        THAT ALL SAID.. thanks for trying to help, but I now see that I misinterpreted his main point, which was that he will continue to use privacy and security, which I agree with being a good idea. I thought he said something different, but no matter, as my profundity remains, for I am a super-genius.

  11. Anonymous said on February 1, 2022 at 1:52 am
    Reply

    “Firefox’s days are numbered!!”

    You mean Chrome’s days are numbered.

  12. Tachy said on February 1, 2022 at 1:56 am
    Reply

    I’ll say it again, it’s not the tracking the bothers me.

    It’s that other people make profit from what is essentially my data, and I don’t get any of it.

    That pisses me off.

    1. essentially not said on February 1, 2022 at 3:24 am
      Reply

      @Tachy

      How is it your data? If it was your data, then how did you let it get away from you? Perhaps you gave away your data, and now you want it back? If so, that problem is on you. Seems silly to complain about it now, even if you were ignorant about how most “free” services on the web work. I say bravo to anyone who could make some money from mostly useless data. And that’s the biggest scam of all, as there are suckers who buy such data thinking it’s useful, when most of it is not. Most folks are clueless to how this data is traded around. It’s not too different than Bitcoin, where due to pure hype, something that is intrinsically worthless is magically worth something.

  13. Anonymous said on February 1, 2022 at 2:06 am
    Reply

    Use multiple browsers and multiple devices.

    1. Secure browser with minimal functionality when you don’t want to be tracked, censored, or risk loss of data. (Tor, or tweaked Firefox, optionally in a VM or removable drive.)

    2. General browser for compatibility. (Firefox, or Brave, + optional VPN)

    3. Work browser with crypto wallet, financial, and other accounts where you must be identified and having your IP tracked might be required. (Firefox, or Brave)

    4. Use a phone for trash social media and apps. Keep these apps off your desktop. Don’t link your phone to your desktop, don’t link your desktop accounts to Apple, Google, or Microsoft EVER! (optional VPN)

    5. Never use Chrome, or Edge.

    1. Ernest said on February 3, 2022 at 10:01 pm
      Reply

      @Anonymous

      But why?

      I’ve been all in with most everything Google and Amazon for over 20 years now. I’ve had zero issues; all good.

      I just don’t expose anything I’m not willing to expose.

      I guess people like me don’t comment here, as we have better things to do?

  14. Yuliya said on February 1, 2022 at 9:38 pm
    Reply

    >can tell apart devices with nominally identical configurations
    Well, it also means the fingerprint highly varies due to many factors. Such as the graphics API, and its version. Not only that, but also the GPU driver. We’ve seen this in the past where they could fingerprint the user based on how the ClearType renders the font. The problem is,as I said it then, the same machine, running the same OS, the same browser, the same version, and the same updates, will have different font rendering if you just use a different GPU driver version. It may not, but it may also be the case.

    I wouldn’t sweat too much about this. GPUs behave eratically, so really if you want to waste so much evergy into tracking me using this technique… be my guest. There are so many variables, this fingerprint will inevitably change within days on a modern machine which is constantly having its software updated.

  15. NeonRobot said on February 2, 2022 at 6:37 am
    Reply

    Don’t use chrome, disable webgl.
    Problem fixed.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.