GPUs Can Be Exploited for Privacy-Invasive Browser Fingerprinting

pcmag.com:

We rely on computer graphics chips to render games, video, and images. But the same GPU can also be abused to potentially track browser activity on the web, according to new research.  

In a new paper, a team of academics at Israel's Ben-Gurion University and France's University of Lille examine how a computer’s GPU can upgrade “browser fingerprinting,” a technique the ad industry already uses to discern which sites your computer is visiting. 

Fingerprinting exploits how today’s browser can expose plenty of minor details about your computer to a website, such as the software version, screen resolution, fonts, time zone, and IP address. Since not every computer has the same settings, the ad industry can take these details to fingerprint your PC and track your browser as it moves from one site to another. 

However, the accuracy of a fingerprint will degrade over time as the computer receives new software versions, visits the internet via different IP addresses, or changes system settings. This led the team of academics to wonder if the ad industry could pull data from a computer’s hardware to improve the fingerprint’s longevity. 

The research effort resulted in “DrawnApart,” a way to fingerprint a user’s computer by measuring the minute differences across a GPU’s execution units. (BleepingComputer was first to report on the research paper.)

“In a nutshell, to create a fingerprint, DrawnApart generates a sequence of rendering tasks, each targeting different EUs. It times each rendering task, creating a fingerprint trace,” the paper's authors wrote. 

Essentially, DrawnApart can generate a benchmark score for your computer’s GPU to supplement the existing fingerprint. The GPU benchmark can also be used to fingerprint