Skip to main content

Researchers say your GPU could expose private info online

In an age of increased online privacy awareness, many of us are conscious of our digital fingerprints and prefer not to be tracked. However, it may not be as simple as it previously seemed.

An international team of researchers has found that users can be tracked down by their graphics cards. This is done through a new technique referred to as “GPU fingerprinting.”

An example of the GPU fingerprinting technique.
An example of the GPU fingerprinting technique showcasing two identical GPUs that still produce different results.

This new technology, named DrawnApart by the researchers and first reported by Bleeping Computer, relies on the tiny differences between each piece of hardware in order to make a distinction that ties it to a certain user. Through a series of identifiers, researchers find that they are able to track down individual users, as well as their online activity, just by implementing this new technique.

The team spans several countries and universities, including researchers from Israel, France, and Australia, who published their findings online in a paper on Arxiv.org. They showcased examples of the GPU fingerprinting technique, which relies on the fact that no components are exactly the same — even if they are all part of the same model and were made by the same manufacturer.

There are tiny differences in the performance, power consumption, and processing capabilities of every graphics card. DrawnApart takes advantage of that by using fixed workloads based on the Web Graphics Library (WebGL). This is a cross-platform JavaScript-based application programming interface (API) responsible for rendering graphics within any compatible web browser.

Using WebGL, DrawnApart targets the GPU’s shaders with a special sequence of graphic operations that were made specifically for this task. The drawing operations are ultra-precise and make it easier for the researchers to tell the graphics cards apart, and this includes cards of the same make and model.

Once the task is complete, the technique produces an accurate trace with timing measurements that includes how long it takes the card to handle stall functions, complete vertex renders, and more. As the timing is individual to each GPU, this results in making the unit trackable.

DrawnApart tracking duration diagram.
DrawnApart: Average tracking time by collection period graph.

The research team finds that this technique provides a high degree of accuracy and is an improvement over existing tracking methods. The algorithm was tested on a large sample of more than 2,500 unique devices and 371,000 fingerprints, and the researchers noted a 67% improvement compared to using only current fingerprinting methods without DrawnApart. In its current state, DrawnApart can fingerprint a graphics card in just eight seconds.

Eight seconds is ultrafast as it is, but there is potential for even more accurate and quicker tracking through the use of newer, faster APIs. The team tested using compute shader operations instead and found that the results were now up to 98% accurate and only took 150 milliseconds to achieve.

Although the findings are impressive, it’s impossible to deny that they’re also terrifying. We’ve all grown used to declining cookies on various websites, but DrawnApart proves that may soon not be enough. The research team is also keenly aware of the potential for misuse that the GPU fingerprint poses.

“This is a substantial improvement to stateless tracking, obtained through the use of our new fingerprinting method. […] We believe it raises practical concerns about the privacy of users being subjected to fingerprinting,” said the researchers in their paper.

As the GPU fingerprinting technique may not require additional permissions, users could be subjected to it by simply browsing the internet. Khronos, the organization in charge of the WebGL library, is already exploring ways in which to prevent the technique from being used maliciously.

Editors' Recommendations