Slashdot Mirror


Google Developers Create API For Direct USB Access Via Web Pages (softpedia.com)

An anonymous reader writes: Two Google developers have uploaded an unofficial (for now) draft to the World Wide Web Consortium's Web Incubator Community Group (W3C WICG) that describes a method of interconnecting USB-capable devices to Web pages. The API, called WebUSB, allows device manufacturers to provide special "registry and landing pages" where they can host JavaScript SDKs for their USB-capable devices. Site owners can load these SDKs as iframes inside their websites, and allow a site to access and relay commands (via the iframe to the browser's WebUSB API) to the actual device. To protect privacy and security, the WebUSB API also comes with a CORS-like system that prompts users for access to their devices to avoid abuse and Web-based fingerprinting. The system is also backward compatible with devices created before the standard's approval (if it gets approved).

6 of 131 comments

  1. That doesn't sound like it could ever be abused... by Anonymous Coward · Score: 5, Funny

    That doesn't sound like it could ever be abused...

  2. W3C API for Google products by Anonymous Coward · Score: 5, Insightful

    Remember when Pale Moon devs wrote:

    This is sort of an open letter to the community, because we're facing some difficult times in the medium-to-long future with the way the web is developing away from actual standards, and "standards" being currently mostly dictated by the same people who run the biggest browsers (Google, Microsoft) and web services (Google again, media sites, Facebook) -- including the W3C being heavily influenced and/or strong-armed into accepting standards that rather describe the way "the big three" are behaving than what is logical or should actually be part of clear, separated domains for different technologies involved in creating the Web.

    This API is for ChromeOS 100%

  3. Re: That doesn't sound like it could ever be abuse by Ukab the Great · Score: 5, Funny

    It's just JavaScript. What could go wrong?

  4. ActiveX again? by Imazalil · Score: 5, Funny

    Did all the Active X developers end up at Google?

  5. Re: That doesn't sound like it could ever be abuse by JustAnotherOldGuy · Score: 5, Insightful

    It's just JavaScript. What could go wrong?

    Nothing. Nothing could possibly go wrong with this idea.

    As we've seen, the Internet Of Random Things has had an unblemished, stellar record of security and privacy practices. This is because the developers and manufacturers that make Random Things Connected To The Internet are experienced, careful, and spare no expense when it comes to securing these wonderful, life-enhancing gadgets. Your privacy and safety are their first concerns.

    --
    Just cruising through this digital world at 33 1/3 rpm...

  6. I read the spec. USB device controls (cookies) by raymorris · Score: 5, Informative

    I just read the spec. It might be more accurate to say this API allows USB devices to offer data of their choosing to whitelisted web scripts. The USB device decides what data it gives to whom; web sites can't do anything with random USB devices that don't explicitly offer web endpoints. At the end of the day, it actually doesn't affect security in a fundamental way at all - USB devices can ALREADY send arbitrary data to web pages, just in an ad-hoc way rather than a well-defined, standardized way.

    In a way, it's a lot like first-party cookies, with the data on the USB device rather than on the hard drive.

    The USB device defines:
    https://login.ebay.com/ may ask me for "username".

    No other web site can get anything from the USB device, and the whitelisted URL can only request the specified data item.

    Security considerations are of course important. At the same time, JavaScript can ALREADY read your most important USB devices - it can see your keyboard presses and mouse movements. If a USB device wants to send data to a web page, it can already declare itself to be a keyboard and start sending keypresses. (Credit card readers have done exactly this for decades, pretending to be keyboards.) This API defines a standardized way for the USB device to send data in a more secure way than by pretending to be a keyboard.

    Yes, one should consider security. With this, primarily the security of the USB device - it's one other way for a malicious USB device to do bad things. But USB devices can ALREADY pretend to be a keyboard, use a hotkey sequence to fire up cmd.exe, and run any commands they want. Malicious USB devices are really bad with or without this new API, so the API doesn't increase risk by much.
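
The per-origin allowlist described in the comment above, modeled as an added example (not part of the original comment, and not the WebUSB API itself). The policy structure and the names `devicePolicy`, `originOf` and `mayRequest` are assumptions; the point shown is that the check must compare exact origins, so lookalike hosts, other schemes and other ports do not match.

```javascript
// Hypothetical model of a device-side allowlist: origin -> data items that
// origin may request. Constructed sample policy, mirroring the comment's example.
const devicePolicy = new Map([
  ["https://login.ebay.com", new Set(["username"])],
]);

// Reduce a page URL to its origin (scheme + host + port).
// Returns null when the URL cannot be parsed.
function originOf(pageUrl) {
  try {
    // URL.origin lowercases the host, drops default ports,
    // and ignores any userinfo ("user@") part.
    return new URL(pageUrl).origin;
  } catch {
    return null;
  }
}

// True only when the page's exact origin is listed AND the item is listed
// for that origin. No prefix, suffix or substring matching is used.
function mayRequest(policy, pageUrl, item) {
  const origin = originOf(pageUrl);
  if (origin === null) return false;
  const items = policy.get(origin);
  return items !== undefined && items.has(item);
}

// Constructed test inputs: one legitimate page and several near misses.
const samples = [
  "https://login.ebay.com/signin",         // listed origin
  "https://LOGIN.EBAY.COM/",               // same origin, different case
  "http://login.ebay.com/",                // wrong scheme
  "https://login.ebay.com:8443/",          // wrong port
  "https://login.ebay.com.evil.example/",  // listed name used as a prefix
  "https://login.ebay.com@evil.example/",  // listed name in the userinfo part
  "not a url",
];

for (const url of samples) {
  console.log(mayRequest(devicePolicy, url, "username"), url);
}
```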