Web Bluetooth Opens New Abusive Channels

An anonymous reader writes: Recently, browsers are starting to ship Web Bluetooth API, soon to become a component of Web of Things. Web Bluetooth will allow to connect local user devices with remote web sites. While offering new development and innovation possibilities, it may also open a number of frightening security and privacy risks such as private data leaks, abuses and complexity. Web Bluetooth as currently defined by W3C may introduce unexpected data leaks such as location, and personally-identifiable data. "There are numerous examples of data processing methods possible of extracting insight previously seemingly hidden," said Steve Hegenderfer, director of Developer Programs at the Bluetooth Special Interest Group. "With Web Bluetooth, core security and privacy responsibility is delegated to the already powerful Web browser. Browsers should consider the types of information made available to websites and act accordingly in designing their data privacy layers." Is pairing kettles with web sites a good idea?

No more web

The idea and the platform is a joke. The standardization guys must be drunk.

The foxes own the hen house

Web Bluetooth as currently defined by W3C may introduce unexpected data leaks such as location, and personally-identifiable data

The leaks aren't unexpected, all new web technologies are being designed that way on purpose. When advertisers make up the standards body, this is what we get.

Re:The foxes own the hen house

[AmiMoJo]

I don't really see the problem. Web site asks if it can access your Bluetooth device, just like it can already request your location and access to your webcam, and you click "no". Even better, you set the default to "no".

If the website can override that, you are screwed anyway because it already owns your computer.

Re:The foxes own the hen house

[sinij]

so the real question is whether such people needs to be protected? imo no.

As experts, we need to make informed decisions with greater public good in mind. Just like doctors and asbestos. The alternative is abnormal behavior gets normalized and security-conscious and privacy-aware choices are removed based on false consensus.

Re:Enhanced bluetooth, and legacy standards

[Princeofcups]

.... why is it a good idea to come up w/ yet another wireless standard when we have existing ones? Like if my rice cooker needs to connect to the internet, why not just use a legacy 802.11a chipset to let it link up to the internet at slow speeds? Do the things on the internet of things need to be high bandwidth as well, if they are not delivering intensive data, such as video data?

Wait until that rice cooker comes with an always on advertising screen. Won't happen? I can list out the gas stations I refuse to go to for this very reason. It's only a matter of time. Oh you want the one without advertising? Only Bloomingdales carries that, and it's a bit pricey.

Re:Enhanced bluetooth, and legacy standards

[unixisc]

Oh, I wasn't commenting on the privacy or intrusive aspects of the technology: depending on the 'thing', I happen to believe that an Internet of Things can be good or bad. I was commenting on the idea of extending Bluetooth to connect to the web, as opposed to just leveraging an existing but old technology that has ceded mindshare to more recent versions, like 802.11n or ac. But you are right - if it has an advertising screen, 802.11a won't do

About IoT itself, I've in the past said it's good for some things. Like remotely opening your garage or house using your cellphone if a family member has forgotten the keys. But having it on a kettle or coffee maker or a rice cooker makes no sense. On a fridge, it might, if you have the fridge scan QR codes to note what's in it, and when it has run out. So that while I'm shopping, it can remind me that I'm out of eggs.

On the advertising aspect, I just ignore them - at gas stations or elsewhere. Doesn't make me go out of my way to avoid them, and I refuse to pay more for the privilege

Re:Why not?

[Dutch+Gun]

Why not? Let's see... Internet of Thing botnets are already in the hands of script-kiddies / hackers... we don't really know who, and they've already demonstrated that they have the ability to negatively impact large portions of the internet. And that was the low hanging fruit. It really feels like we need to slow down a bit and figure out how to harden and secure our infrastructure from bad actors before we start inventing new ways for our devices to be used to attack a very important global resource.

Re:Enhanced bluetooth, and legacy standards

[Oswald+McWeany]

I do too... not the ones that display ads on their screens. That's harmless, I don't look at them, I look away.

The ones I avoid are the ones with the supplemental screens and speakers that play at loud volumes advertising their products. A screen I can deal with, a speaker. NOPE. Speakers hijack your ears.

Re:Can you hear me now?

[Miamicanes]

Or worse, Facebook will be able to "conveniently" unmute the headphones and raise the volume to make SURE you hear the ad they've embedded on the page.

FOSS

[Archfeld]

This may be the time when open source swoops in and saves the day by creating tools which will interfere and ignore certain intrusive 'standards' foisted upon the unsuspecting general public.
I wonder if a device can be engineered to broadcast an interfering signal along the Bluetooth band and just kill the ability to function.