Google Developers Create API For Direct USB Access Via Web Pages

An anonymous reader writes: Two Google developers have uploaded an unofficial (for now) draft to the World Wide Web Consortium's Web Incubator Community Group (W3C WICG) that describes a method of interconnecting USB-capable devices to Web pages. The API, called WebUSB, allows device manufacturers to provide special "registry and landing pages" where they can host JavaScript SDKs for their USB-capable devices. Site owners can load these SDKs as iframes inside their websites, and allow a site to access and relay commands (via the iframe to the browser's WebUSB API) to the actual device. To protect privacy and security, the WebUSB API also comes with a CORS-like system that prompts users for access to their devices to avoid abuse and Web-based fingerprinting. The system is also backward compatible with devices created before the standard's approval (if it gets approved).

It's a reminder about the dangers of the IoT.

It's a reminder to us all about how invasive the IoT is and will be. It reminds us that even the most mundane activities, the ones we do even without really thinking about doing, will be monitored by IoT devices. This information will be collected and sent to various corporations for them to analyze and mine as they see fit.

It isn't mundane activities that will be tracked, either. Activities that one wishes to remain private will be tracked, too. Even urination and defecation won't be spared from the invasive reach of IoT.

Web browsers have no legitimate reason to ever access USB devices. It's bad enough that they already support accessing microphones and webcams. But arbitrary USB devices? There really is no reason for that!

Web browsers accessing arbitrary USB devices is just another step in the IoT being used to watch and data mine your most private and intimate moments.

Re:We all know this is unwise.

[Progman3K]

On linux, Google Chrome requires you to enable the ability in your kernel that permits arbitrary processes to read the memory of other processes.

Originally intended for debuggers, apparently Google's web-browser won't run unless it can spy on any process in the system.

Nice work Google. Change your motto to "Do evil", please

I read the spec. USB device controls (cookies)

[raymorris]

I just read the spec. It might be more accurate to say this API allows USB devices to offer data of their choosing to whitelisted web scripts. The USB device decides what data it gives to whom; web sites can't do anything with random USB devices that don't explicitly offer web endpoints. At the end of the day, it actually doesn't effect security in a fundamental way at all - USB devices can ALREADY send arbitrary data to web pages, just in an ad-hoc way rather than a well-defined , standardized way.

In a way, it's a lot like first- party cookies , with the data on the usb device rather than on the hard drive.

The USB device defines:
https://login.ebay.com/ may ask me for "username".

No other web site can get anything from the USB device, and the whitelisted URL can only request the specified data item.

Security considerations are of course important. At the same time, JavaScript can ALREADY read your most important USB devices - it can see your keyboard presses and mouse movements. If a USB device wants to send data to a web page, it can already declare itself to be a keyboard and start sending keypresses. (Credit card readers have done exactly this for decades, pretending to be keyboards .) This API defines a standardized way for the USB device to send data in a more secure way than by pretending to be a keyboard.

Yes, one should consider security. With this, primary the security of the USB device- it's one other way for a malicious USB device to do bad things. But USB devices can ALREADY pretend to be a keyboard, use a hotkey sequence to fire up cmd.exe, and run any commands they want. Malicious USB devices are really bad with or without this new API, so the API doesn't increase risk by much.