Remote GPU Attack Prompts Risk of Browsers Giving Websites Access to Graphic Cards for Potential Crypto Mining Exploits

Researchers from Graz University of Technology in Austria and the University of Rennes in France have revealed a concerning vulnerability regarding graphics processing units (GPUs), which could potentially be exploited for cryptocurrency mining and other malicious activities. This newly discovered threat targets popular browsers and graphics cards.

The vulnerability centers around WebGPU, an API allowing web developers to tap into a computer's GPU for high-performance tasks directly within a web browser. Through clever manipulation of this API using JavaScript, the researchers have demonstrated a remote attack vector that operates entirely within the browser, eliminating the need for direct access to native GPU APIs.

This attack method represents one of the earliest instances of a GPU cache side-channel attack originating from a web browser. By enticing users to visit a malicious website hosting the exploit code, attackers can execute the exploit remotely, with no user interaction beyond merely staying on the site for a few minutes.

The implications of this vulnerability are significant. The attack can be leveraged for inter-keystroke timing attacks, potentially revealing sensitive information like passwords based on keystroke timing. Moreover, it enables the extraction of GPU-based AES encryption keys and establishes covert data exfiltration channels with moderate transmission rates.

The researchers emphasize the need for browser vendors to treat GPU access with the same caution as other security-sensitive resources. Lukas Giner, one of the researchers, highlights the risks posed by browsers granting websites unrestricted access to the host system's GPU, citing the potential for stealthy attacks or even covert cryptocurrency mining operations without the user's awareness.

The research targeted a range of desktop graphics cards from both AMD and NVIDIA, affecting browsers supporting WebGPU, including Chrome, Chromium, Edge, and Firefox Nightly. Despite notifications to Mozilla, AMD, NVIDIA, and Chromium developers, only AMD has issued a response, stating they do not believe the researchers have demonstrated an exploit against their products.

The researchers suggested implementing a permission pop-up akin to those for microphone or camera access to mitigate the risk. However, the Chromium team expressed reservations, citing the potential for adding user friction without commensurate security benefits.
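The prompt-before-GPU flow the researchers propose can be sketched in page-level JavaScript. This is an added illustration, not code from the researchers or from any browser; `installGpuGate`, `askUser` and the decision cache are hypothetical names, and it assumes the wrapper is installed before any page script runs. A wrapper like this does not cover workers, where WebGPU is also exposed, so real enforcement belongs in the browser itself.

```javascript
// Added illustration: gate WebGPU adapter requests behind a per-origin user decision.
// installGpuGate, askUser and the decisions map are hypothetical, not browser APIs.
function installGpuGate(nav, origin, askUser, decisions = new Map()) {
  if (!nav || !nav.gpu || typeof nav.gpu.requestAdapter !== "function") {
    return false; // WebGPU is not exposed here, nothing to gate
  }
  const gpu = nav.gpu;
  const original = gpu.requestAdapter.bind(gpu);

  const gated = function requestAdapter(options) {
    // Ask once per origin and remember the answer, as camera/microphone prompts do.
    if (!decisions.has(origin)) {
      decisions.set(origin, Boolean(askUser(origin)));
    }
    if (!decisions.get(origin)) {
      // requestAdapter() resolves to null when no adapter is available,
      // so a denied page follows its ordinary "no GPU" fallback path.
      return Promise.resolve(null);
    }
    return original(options);
  };

  // Lock the property so later page script cannot swap the original back in.
  Object.defineProperty(gpu, "requestAdapter", {
    value: gated,
    writable: false,
    configurable: false,
  });
  return true;
}

// In a browser, for example from an extension script that runs before page scripts:
if (typeof navigator !== "undefined" && typeof location !== "undefined" &&
    typeof confirm === "function") {
  installGpuGate(navigator, location.origin,
    (o) => confirm(`Allow ${o} to use your graphics card?`));
}
```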

This revelation underscores the critical need for proactive measures to secure GPU access within browsers, as failure to address this vulnerability could expose users to a range of malicious activities, from data theft to covert cryptocurrency mining.
