Google Developers Create API For Direct USB Access Via Web Pages

An anonymous reader writes: Two Google developers have uploaded an unofficial (for now) draft to the World Wide Web Consortium's Web Incubator Community Group (W3C WICG) that describes a method of interconnecting USB-capable devices to Web pages. The API, called WebUSB, allows device manufacturers to provide special "registry and landing pages" where they can host JavaScript SDKs for their USB-capable devices. Site owners can load these SDKs as iframes inside their websites, and allow a site to access and relay commands (via the iframe to the browser's WebUSB API) to the actual device. To protect privacy and security, the WebUSB API also comes with a CORS-like system that prompts users for access to their devices to avoid abuse and Web-based fingerprinting. The system is also backward compatible with devices created before the standard's approval (if it gets approved).

W3C API for Google products

Remember when Pale Moon devs wrote:

This is sort of an open letter to the community, because we're facing some difficult times in the medium-to-long future with the way the web is developing away from actual standards, and "standards" being currently mostly dictated by the same people who run the biggest browsers (Google, Microsoft) and web services (Google again, media sites, Facebook) -- including the W3C being heavily influenced and/or strong-armed into accepting standards that rather describe the way "the big three" are behaving than what is logical or should actually be part of clear, separated domains for different technologies involved in creating the Web.

This API is for ChromeOS 100%

Re:What could possibly go wrong?

[softnewsit]

3 days

Re:That doesn't sound like it could ever be abused

[lgw]

That doesn't sound like it could ever be abused...

There have been some eye-opening kernel exploits found using the USB bus, but if that's limited to direct physical access it sound less scary. With this change? Eesh.

This is like a remote control for a chainsaw: it sounds handy, but you know it will end in tears.

Re: That doesn't sound like it could ever be abuse

[DarkOx]

Yes, give remote code the ability to talk directly to a DMA capable device. No problems there. This and webGL could literal be a disaster if someone slips up.

config gui held random

If this is widely supported, vendors will use it to build configuration GUIs for their USB devices.

No internet connection? Device doesn't work.

Vendor's website down? Device doesn't work.

Vendor out of business? Device doesn't work.

Vendor sold to EvilCorp? Pay $10/mo for a support contract to EvilCorp so your device that worked fine for years will continue to work.

Re: That doesn't sound like it could ever be abuse

[mlts]

Not if; when. I can see this code being used as a vector to flash rogue firmware to devices. DMA access? We already have a problem with hardware slurping keys out of RAM with DMA... now imagine websites that can get this ability. I can see ransomware using this ability to bypass many different things to ensure a computer is unusable, perhaps even firmware flashes so the computer's BIOS runs the ransomware on that level.

Re:If the driver doesn't exist for your PC's OS

[Junta]

I'd rather not bind USB devices to only work under a web browser.

It's the job of the OS to manage the hardware. To codify a bypass to let a particular application do whatever it wants seems unreasonable.

Note for USB devices, this is relatively more rare, as the USB forum codifies standards so that different vendors of common devices all look the same. A usb mass storage device has the same abstraction regardless of underlying technology. A usb network device is implementing one of a handful of network protocols (there have been some revisions on that setup). A usb camera looks the same regardless of vendor.

So if you have some wacky precious snowflake of a device that is so cutting edge that no driver model has been established for it, this lets a hypothetical web app skip a few months of hand wringing waiting for a standard. In exchange for this modest benefit, you are discouraging pursuit of standards, empowering javascript to do more insidious things, and discouraging device support for non-browser access (there are more applications on a system than a web browser, and encouraging device vendors to target the browser *instead* of the OS driver model is just nasty).

Re: That doesn't sound like it could ever be abuse

[JustAnotherOldGuy]

It's just JavaScript. What could go wrong?

Nothing. Nothing could possibly go wrong with this idea.

As we've seen, the Internet Of Random Things has had a unblemished, stellar record of security and privacy practices. This is because the developers and manufacturers that make Random Things Connected To The Internet are experienced, careful, and spare no expense when it comes to securing these wonderful, life-enhancing gadgets. Your privacy and safety are their first concerns.

What Could Go Wrong?

How the bloody hell did these two morons (this idea really confirms this) get a job as Google developers? There is no such thing as perfect software. It is virtually guaranteed this will be exploited. This "idea" is why JavaScript isn't supposed to have access to anything outside the browser. And the internet is so much safer now then when JavaScript was developed. And also it isn't like i-frames haven't been abused in the past. Yep, perfectly safe.