Remote Detection of CPU Capabilities (CPUID) by any Web Server using JavaScript (JS)?

Unprivileged native apps running on a Whonix Workstation VM can obtain some host hw details. Example:

user@host:~$ grep 'model name' /proc/cpuinfo
model name	: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
model name	: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
user@host:~$

Oops. That’s the host CPU. And also shows that the VM can use only 2 cores.

This site also gives the same CPU info in host / WS (TorBrowser 11.5.1 SecLevel=std)

https://cpuid.apps.poly.nomial.co.uk/

Unfortunately so. This mentioned on Protocol Leak and Fingerprinting Protection‎ for years.

Two things…

  • A) Local detection (using /proc/cpuinfo or CPU)
  • B) Remote detection, possibly using JavaScript (JS).

Interesting link. Thanks!

I’ve tried this on two different notebooks with different CPU models and the website showed the same output. In conclusion, it seems the website does not detect anything useful.

This needs further research, testing. Added to wiki just now including instructions for testing:
https://www.whonix.org/wiki/Browser_Tests#cpuid_visualiser

This website might just be a decover, visualizer. It does not directly claim to be able to read CPUID from your local computer. Implies so on, the website states:

But…

sample cpuid data

Needs to be further investigated.


Two new wiki chapters added just now:

Now the CPUID is documented a bit better.

Got a reply of https://amiunique.org/ github Contributor saying, quote:

Unfortunately, it seems to me this is something that can only be done on the server side as it relies on an NPM module whch itself relies on LibCPUID. It does not seem possible to me to execute that in a browser as the browser does not have access to this information.

(AmIUnique in Whonix wiki)

related:

self.navigator.hardwareConcurrencyMDN
Returns the number of logical processors potentially available to the user agent.

The navigator.hardwareConcurrency attribute’s getter must return a number between 1 and the number of logical processors potentially available to the user agent. If this cannot be determined, the getter must return 1.

User agents should err toward exposing the number of logical processors available, using lower values only in cases where there are user-agent specific limits in place (such as a limitation on the number of workers that can be created) or when the user agent desires to limit fingerprinting possibilities.

https://darionco.github.io/WebCPU/

There are two very different cases that we need to distinguish here.

  • A) Finding out CPUID outside a browser with JavaScript. With JavaScript outside a browser with additional permissions, it might be possible to do this but that’s not the interesting part here.
  • B) Finding out CPUID inside a browser with JavaScript.

I am now certain that CPUID cannot be detected from within a browser using JavaScript. Reasons:

  • Many people asked about this generally (detecting hardware information using JavaScript) but nobody had a solution for this specifically.
  • That is why navigator.hardwareConcurrency (mentioned above) was invented.
  • There is no hosted web service that demonstrates this feature. At least a few of the many browser tests would implement this feature. Specifically I am sure, the popular Fingerprint.com would jump at the first opportunity to improve their service with CPUID if this was possible.

The wiki will be updated soonish.

updated / new wiki chapters:

new wiki chapter:

Related, not to be confused withProtected Processor Identification Number (PPIN):

A wiki page dedicated to CPUID was added a while ago to the Kicksecure wiki.