Slashdot Mirror


Chrome 56 Quietly Added Bluetooth Snitch API (theregister.co.uk)

Richard Chirgwin, writing for The Register: When Google popped out Chrome 56 at the end of January it was keen to remind us it's making the web safer by flagging non-HTTPS sites. But Google made little effort to publicise another feature that's decidedly less friendly to privacy, because it lets websites ask about users' Bluetooth devices and harvest information from them through the browser. That's more a pitch to developers, as is clear in this YouTube video from Pete LePage of the Chrome Developers team. "Until now, the ability to communicate with Bluetooth devices has been possible only for native apps. With Chrome 56, your Web app can communicate with nearby Bluetooth devices in a private and secure manner, using the Web Bluetooth API," Google shares in the video. "The Web Bluetooth API uses the GATT [Generic Attribute Profile - ed] protocol, which enables your app to connect to devices such as light bulbs, toys, heart-rate monitors, LED displays and more, with just a few lines of JavaScript." In other words, the API lets websites ask your browser "what Bluetooth devices can you see," find out what your fridge, and so on, is capable of, and interact with it.
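The "few lines of JavaScript" the summary refers to, as an added example that is not code from the article, The Register or Google. It uses the Web Bluetooth API as shipped (`navigator.bluetooth.requestDevice`, the standard `heart_rate` GATT service and `heart_rate_measurement` characteristic) together with the checks a practitioner would want: the API only works in a secure context and only from a user gesture such as a click, the browser shows a device chooser so the page learns only about the device the user picks, and a service filter is used instead of `acceptAllDevices: true`. The parser follows the Heart Rate Measurement characteristic layout and treats every byte the device sends as untrusted, returning `null` on truncated or malformed payloads rather than throwing. The sample payloads in the comments are constructed.

```javascript
// Added example (not from the article). Web Bluetooth request flow plus a
// defensive parser for the Heart Rate Measurement characteristic.

// Preconditions a page should check before calling requestDevice. Returns a
// reason string when Web Bluetooth cannot be used, or null when it can.
function webBluetoothUnavailableReason(bluetooth, isSecure) {
  if (isSecure !== true) return 'not a secure context (HTTPS required)';
  if (!bluetooth || typeof bluetooth.requestDevice !== 'function') {
    return 'navigator.bluetooth is absent (browser lacks Web Bluetooth or it is switched off)';
  }
  return null;
}

// Chooser options: filter on the heart-rate service so the browser only lists
// matching devices; acceptAllDevices: true would list everything in range.
function buildRequestOptions() {
  return {
    filters: [{ services: ['heart_rate'] }],
    optionalServices: ['battery_service'],
  };
}

// Must be invoked from a user gesture (e.g. a click handler); the browser
// rejects requestDevice otherwise and pops a device chooser when it succeeds.
async function requestHeartRateMonitor(
  bluetooth = globalThis.navigator && globalThis.navigator.bluetooth,
  isSecure = globalThis.isSecureContext,
  onReading = (r) => console.log('heart rate', r.heartRate),
) {
  const reason = webBluetoothUnavailableReason(bluetooth, isSecure);
  if (reason) throw new Error(reason);
  const device = await bluetooth.requestDevice(buildRequestOptions());
  const server = await device.gatt.connect();
  const service = await server.getPrimaryService('heart_rate');
  const characteristic = await service.getCharacteristic('heart_rate_measurement');
  characteristic.addEventListener('characteristicvaluechanged', (event) => {
    const reading = parseHeartRateMeasurement(event.target.value); // DataView
    if (reading) onReading(reading);                                // drop malformed frames
  });
  await characteristic.startNotifications();
  return device;
}

function toDataView(bytes) {
  if (bytes instanceof DataView) return bytes;
  if (ArrayBuffer.isView(bytes)) return new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return new DataView(bytes);
}

// Heart Rate Measurement layout: flags byte, heart rate (uint8 or uint16 LE
// per flag bit 0), optional energy expended (uint16 LE, bit 3), optional
// RR intervals (uint16 LE each, 1/1024 s units, bit 4). Bits 1-2 carry sensor
// contact status. Every length is checked because the peer controls the bytes.
function parseHeartRateMeasurement(bytes) {
  const view = toDataView(bytes);
  if (view.byteLength < 1) return null;
  const flags = view.getUint8(0);
  const is16 = (flags & 0x01) !== 0;
  let offset = 1;
  if (view.byteLength < offset + (is16 ? 2 : 1)) return null;
  const heartRate = is16 ? view.getUint16(offset, true) : view.getUint8(offset);
  offset += is16 ? 2 : 1;
  const contactSupported = (flags & 0x04) !== 0;
  const contactDetected = contactSupported ? (flags & 0x02) !== 0 : null;
  let energyExpended = null;
  if (flags & 0x08) {
    if (view.byteLength < offset + 2) return null;
    energyExpended = view.getUint16(offset, true);
    offset += 2;
  }
  const rrIntervalsMs = [];
  if (flags & 0x10) {
    while (offset + 2 <= view.byteLength) {
      rrIntervalsMs.push(Math.round((view.getUint16(offset, true) * 1000) / 1024));
      offset += 2;
    }
    if (offset !== view.byteLength) return null; // trailing odd byte: malformed
  }
  return { heartRate, contactDetected, energyExpended, rrIntervalsMs };
}

// Constructed sample frames:
//   [0x10, 0x48, 0x00, 0x04]  uint8 HR 72, one RR interval of 1024/1024 s
//   [0x01, 0x48]              claims uint16 HR but only one byte follows -> null
```

The parser returns `null` instead of throwing so a hostile or buggy peripheral cannot take the page down with a short frame; the calling code should additionally sanity-check the reported value before acting on it, since the device can claim any number.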

229 comments

  1. chromium? by Anonymous Coward · · Score: 3, Interesting

    Will this affect Chromium as well?

    1. Re:chromium? by Anonymous Coward · · Score: 1

      Of course, they're talking about a web Bluetooth API, not just some binary blob like the voice recognition one.

    2. Re:chromium? by Anonymous Coward · · Score: 2, Informative

      chrome://flags/
      Web Bluetooth
      Disable

    3. Re:chromium? by skids · · Score: 3

      One could hope. But these days I don't tend to trust off switches, or indicators, like I used to. Better to figure out if there's a way to block it using a security setting untouchable from chrome's privilege level. I fear that patch will lead into dbus-land rather than a sane SELinux policy.

    4. Re:chromium? by hairyfeet · · Score: 3

      Yeah we've seen how well switches work with Windows 10 which still phones home to spam your data no matter how many switches you flip.

      As for TFA? Can we all accept that "Don't Be Evil" was nothing but marketing bullshit, no different than "Where Do You Want To Go Today?" or "Think Different" and had the same amount of effect on corporate policy as the other two catch phrases, i.e. none? As someone who was a big fan of Google (still remember how giddy I was when I got invited to the Gmail alpha) sadly it looks like my theory was right, that all corps simply become evil when they reach a certain size. It's like there is this threshold, this line in the sand where before they reach that line they are just another company but once they reach a certain level of entrenchment and profitability? They go from coming up with cool new ideas and products to figuring out how to fuck competition with lobbying and doing any move to maximize profits no matter how sleazy and underhanded.

      It's a fucking shame as Google used to be this cool think tank filled with super smart uber nerds that just threw cool new ideas at the wall and saw what stuck, now they are just as douchey as MSFT and Apple, just another corp happy to assfuck their customers if it nets them another couple percentage points in profits they can show on the quarterly earnings report.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    5. Re:chromium? by Anonymous Coward · · Score: 0

      The 'evil' doesn't start once a certain size is reached. It starts when a company goes public. This is why Dell did the buyback to go private again - so the company doesn't have to be beholden to shareholders.

    6. Re:chromium? by Anonymous Coward · · Score: 0

      Yeah we've seen how well switches work with Windows 10 which still phones home to spam your data no matter how many switches you flip.

      So if you flip the switch for sending typing and voice data to "off" does it still send that data?

    7. Re: chromium? by Anonymous Coward · · Score: 0

      All good then. Or not. The web is the worst application platform ever. Good that Google is doing its best to help killing it...

    8. Re:chromium? by Big+Hairy+Ian · · Score: 1

      Aha so it's a remote Bluejacking vector! Visit a website on your phone and everyone in your office gets a Bluetooth connection from "Uploading Virus" or "Vote Twunt"

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    9. Re:chromium? by Anonymous Coward · · Score: 0

      By definition, all publicly traded corporations are evil.
      Their purpose has always exclusively been to protect the (investor) wealthy from legal actions.
      This amounts to "privatize the profit, socialize the cost", hence "evil".
      I can't imagine how to change corporate law to remove this veil and render shareholders responsible for their investment vehicles.
      A corporation *might* start out as not deliberately evil, but it's impossible to escape the inevitable : money talks, bullshit walks.

  2. Prepare for the era of Bluetooth spam 2.0 by fubarrr · · Score: 2

    Prepare for the era of Bluetooth spam 2.0. Now you don't even need to buy spammer hardware from the Chinese, just write a website with a BT spam script.

    1. Re:Prepare for the era of Bluetooth spam 2.0 by The-Ixian · · Score: 2

      Only if you are a Chrome user...

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:Prepare for the era of Bluetooth spam 2.0 by Jeff+DeMaagd · · Score: 1

      They also said other browsers support same but didn't say anything more specific, such as who and what versions they started supporting it.

    3. Re:Prepare for the era of Bluetooth spam 2.0 by squiggleslash · · Score: 1

      Do we know at this stage whether this feature requires permission from the user (like going fullscreen), or just happens without the user having any control over what's going on (like autoplaying videos)?

      If the former, it's going to be hard to spam people, and it kinda makes sense as an API given the move to shift desktop applications to the web. If the latter, I'm uninstalling Chrome and f--- em.

      --
      You are not alone. This is not normal. None of this is normal.
    4. Re:Prepare for the era of Bluetooth spam 2.0 by DontBeAMoran · · Score: 0

      I'm uninstalling Chrome and f--- em.

      f--- em? Is that like f-- twice, i.e. f-=2?

      --
      #DeleteFacebook
    5. Re:Prepare for the era of Bluetooth spam 2.0 by Anonymous Coward · · Score: 0

      Why would you bother to do a website? It is much easier to spread the javascript malware using google or any other ad network.

    6. Re:Prepare for the era of Bluetooth spam 2.0 by omnichad · · Score: 0

      They're probably lamenting the lack of unicode support on Slashdot and they were trying for an em-dash, — (—)

    7. Re:Prepare for the era of Bluetooth spam 2.0 by squiggleslash · · Score: 0

      This is a family website so I wouldn't dream of writing swear words unredacted.

      --
      You are not alone. This is not normal. None of this is normal.
    8. Re:Prepare for the era of Bluetooth spam 2.0 by chill · · Score: 0

      This is also a geek website. Or, at least, it used to be.

      ROT-13 is your sevraq!

      --
      Learning HOW to think is more important than learning WHAT to think.
    9. Re:Prepare for the era of Bluetooth spam 2.0 by CronoCloud · · Score: 0

      While I think swear words are overused in the real world and on slashdot, I would very definitely NOT consider slashdot to be a "family" website.

      Especially not with all the Hot Grits and natalie portman jokes in the old days.

    10. Re:Prepare for the era of Bluetooth spam 2.0 by ArchieBunker · · Score: 1

      You know Firefox is going to follow suit as they have become Chrome Junior.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    11. Re:Prepare for the era of Bluetooth spam 2.0 by AvitarX · · Score: 1

      It seems incredibly unlikely to me that this won't be treated the same as allowing notifications or using location.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    12. Re:Prepare for the era of Bluetooth spam 2.0 by Anonymous Coward · · Score: 0

      Some random __native__ application (e.g. a web browser) wants to use the bluetooth radio on my machine. Do I get informed and do I get asked for permission? This is really a responsibility of the OS. Any OS allowing applications to access any component they feel like is a fucking joke, don't care if it's Linux or Windows or Mac.

    13. Re:Prepare for the era of Bluetooth spam 2.0 by Carewolf · · Score: 1

      Do we know at this stage whether this feature requires permission from the user (like going fullscreen)

      Going to fullscreen these days does not require permission from the user. Chrome just goes to fullscreen and asks the user afterward. Google, well knowing this is a giant security risk, has "fixed" this by only allowing https connections to use the fullscreen feature... Because people who want to do bad things could never get an https certificate.

      This will probably be "secured" the same way, as it appears to be Google's go-to solution when doing things right is too much bother.

    14. Re:Prepare for the era of Bluetooth spam 2.0 by LinuxIsGarbage · · Score: 0

      While I think swear words are overused in the real world and on slashdot, I would very definitely NOT consider slashdot to be a "family" website.

      Especially not with all the Hot Grits and natalie portman jokes in the old days.

      Or Goatse. . .

    15. Re:Prepare for the era of Bluetooth spam 2.0 by Anonymous Coward · · Score: 0

      With Firefox, you can just download the source, remove the bt feature, then recompile. That's what open source is right? Just like Linux with systemd. Oh, wait.

    16. Re:Prepare for the era of Bluetooth spam 2.0 by CRC'99 · · Score: 1

      For a tech web site, there's a lot of clueless idiocy in reply to things like this.

      I work in the field which is using technologies like this on all kinds of things. BLE Beacons are being deployed everywhere - and being used on everything from transport notifications (your bus at stop X is running late!), to wayfinding applications in places like stadiums for non-locals (which can be translated to native languages) and doesn't require GPS coverage and Wifi triangulation isn't accurate enough, to package tracking and presence detection (mobile beacons, static readers). We have interactive displays that activate by putting a product with a tag in it on a 'display case' - and some that even have holographic presentations associated with them.

      Merging this technology with web delivery is a massive bonus. It means a consistent interface for many devices. Android already supports BLE push notifications, allowing them in the base chrome technology opens up support to the entire environment - not just gimmick product X.

      Forget the "OMG ZEE SPAM! ZEE PRIVACY!" crap, pull your heads out of the sand and use your imagination - because you'll be seeing this stuff everywhere in a few years time - but you probably won't even know you're using it.

      --
      Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
  3. Advancements by Anonymous Coward · · Score: 0

    Now that pop-up blockers are really good (well, they don't fully block javascript screen blocks yet), we'll have to deal with ads flashing your room lights to match whatever auto-play video they've forced in your face. Can't wait for the first lawsuit when someone has a seizure or when a site dim the lights and someone stubs their toe.

    1. Re: Advancements by gweilo8888 · · Score: 1

      That's not even remotely what this is for. This will be used predominantly for more accurately tracking who you are (even if you dump your cookies, switch machines etc.) by noting which Bluetooth devices are frequently visible from your browsing device, and then pairing that with all the other info they already had on you. This is all about uncloaking the anonymous, and nothing else at all.

    2. Re: Advancements by ls671 · · Score: 1

      Then somebody has to come up with a tool that fakes all kinds of USB devices at random to fool the trackers...

      --
      Everything I write is lies, read between the lines.
    3. Re: Advancements by ls671 · · Score: 1

      err.. damn: BT devices ;-)

      --
      Everything I write is lies, read between the lines.
    4. Re: Advancements by Anonymous Coward · · Score: 0

      This will be used predominantly for more accurately tracking who you are

      I'd rather have epileptic seizures...

    5. Re: Advancements by Anonymous Coward · · Score: 0

      Sorry to break your bubble, but Chrome has very little interest in tracking you. They're in for IoT, and I'm sure it will ask you for your permission before it can look for BT devices.

  4. Power by Anonymous Coward · · Score: 1

    You have no _idea_ what my fridge is capable of.

    1. Re: Power by Anonymous Coward · · Score: 0

      According to my telemetry,
      when you put your phone inside,
      I see no signal.

      Good fridge. Do not lose it.

    2. Re:Power by DickBreath · · Score: 1

      I don't care how powerful your fridge is. I really don't. So don't be paranoid.

      What I care about is what your fridge contains, whether I want to eat / drink it, and whether it is equipped to download the contents to me. My concern is whether the bluetooth would be the slowest part of the connection.

      --

      I'll see your senator, and I'll raise you two judges.
    3. Re:Power by fyngyrz · · Score: 4, Funny

      Bluetooth my refrigerator down, and the science projects in it will become more powerful than you can imagine.

      --
      I've fallen off your lawn, and I can't get up.
    4. Re:Power by DontBeAMoran · · Score: 2

      We're sorry but your 19-month-old salad is not a "science project". Throw it away already.

      Signed,
      your roommates.

      --
      #DeleteFacebook
    5. Re:Power by wbr1 · · Score: 1

      That's a salad? I thought it was Bolognese...hmmm

      --
      Silence is a state of mime.
    6. Re:Power by fahrbot-bot · · Score: 2

      You have no _idea_ what my fridge is capable of.

      As long as it stays cool under pressure.

      (Ha, an HVAC joke on /.)

      --
      It must have been something you assimilated. . . .
    7. Re: Power by qbast · · Score: 1

      I thought it as well. But then it growled at me.

    8. Re:Power by Anonymous Coward · · Score: 0

      Don't bluetooth me bro!

  5. More evil by JaredOfEuropa · · Score: 5, Informative

    So despite all ad blocking efforts from the user, this API provides a great pathway to do some digital fingerprinting and establish a cross-site identity. And if you happen to log in on certain sites that use this, they will be able to establish your real identity on any other site from there on in as well.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    1. Re:More evil by Anonymous Coward · · Score: 1, Insightful

      It all depends on permissions and default permissions. It makes sense to have the ability for web apps to interface w/BT devices, and that can't happen unless the app can 'see' BT devices to begin with. Android already has this ability to see all your BT devices, and keep a record of them. It knows what they are, etc.

      Like many features, this one has the potential for good use as well as abuse.

    2. Re:More evil by Anonymous Coward · · Score: 0

      If it can detect the same Bluetooth device at multiple computers, it can probably connect your home, work, and girlfriend's computers to you as well.

    3. Re:More evil by werewolf1031 · · Score: 5, Insightful

      It makes sense to have the ability for web apps to interface w/BT devices

      Care to explain how this makes any sense at all? 'Cause right now all I see is the potential for massive security and real-world safety vulnerabilities.

    4. Re:More evil by Anonymous Coward · · Score: 0

      Why?
      Because they can.

      Pure and simple.
      Probably someone said after a night on the town, 'hey guys this would be cool'. And it was made so.

      Another reason to avoid anything coming out of Alphabet/Google/WayMo/etc.
      your data is all they are after.

    5. Re:More evil by DontBeAMoran · · Score: 1

      The solution is simple: do not use anything with bluetooth.

      --
      #DeleteFacebook
    6. Re:More evil by DontBeAMoran · · Score: 3, Funny

      Your data is all they are after.

      I wouldn't want to be in Brent Spiner's shoes right now.

      --
      #DeleteFacebook
    7. Re:More evil by edxwelch · · Score: 1

      That's largely irrelevant. Your system is already easily fingerprinted using installed fonts, IP address, OS version, and plugins. Even "clock skew" can be used to fingerprint your PC.

    8. Re:More evil by Anonymous Coward · · Score: 0

      The solution is simple: do not use anything with bluetooth.

      Better solution: use Firefox.

    9. Re:More evil by Anonymous Coward · · Score: 0

      The W3C spec is pretty clear about the privacy implications and how user agents should mitigate them including requiring the user to accept access to specific Bluetooth devices and to not give enough information to the Javascript to uniquely identify the device.

    10. Re:More evil by lactose99 · · Score: 1

      Yes so they can sell you evil things, ensure you're only doing evil deeds and make sure you're not moistening yourself with any unauthorized substances.

      --
      Fully licensed blockchain psychiatrist
    11. Re:More evil by omnichad · · Score: 1

      Nobody can figure out how to install the Fitbit app on their PC, but they will go to a web site.

      If they had sane defaults—like prompting before discovery of BT devices and the user selecting the device to pair with, only showing the device that was allowed and no blanket ability to discover—then it might not be so bad.

    12. Re:More evil by omnichad · · Score: 1

      It's a W3C draft right now.

    13. Re:More evil by Anonymous Coward · · Score: 0

      Lol, criticise nihilism and neoliberalism -> -1... Some words sure are difficult, and the "apostles of freedom" for sure have a difficult time handling people speaking up against them. But I guess it's a sign of the times, why learn something, when you can just be a pathetic wanker and make it go away? :D

    14. Re:More evil by driblio · · Score: 1

      How did you work that out?
      > This specification was published by the Web Bluetooth Community Group. It is not a W3C Standard nor is it on the W3C Standards Track.

    15. Re:More evil by driblio · · Score: 1

      > This specification was published by the Web Bluetooth Community Group. It is not a W3C Standard nor is it on the W3C Standards Track.

      Nothing to do with W3C.

    16. Re:More evil by omnichad · · Score: 1

      I skimmed and skipped over all but the letters/numbers W3C where it showed they were using their platform but were otherwise unaffiliated. I'd edit my post, but this is Slashdot.

    17. Re:More evil by ArchieBunker · · Score: 1

      The cookies and advertising scripts have already identified you long ago. Not to mention all the big names selling metrics to each other.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    18. Re:More evil by Polo · · Score: 3, Informative

      Actually, it is MUCH more insidious than this.

      Look at iBeacon or eddystone or equivalents.

      Bluetooth beacons enable fine-grained location tracking, at 1/10 of a second intervals.

      Retailers and others can place these in stores, track your location and behavior while walking through their store, and match it with a physical person at the register when paying with a credit card.

    19. Re:More evil by LinuxIsGarbage · · Score: 1

      The solution is simple: do not use anything with bluetooth.

      Better solution: use Firefox.

      moz://a will rush to add it by v53. It may double RAM usage, but they won't really care.

    20. Re:More evil by Anonymous Coward · · Score: 0

      Exactly, next thing you know they'll start interfacing with webcams and microphones so they can spy on you!

    21. Re:More evil by Anonymous Coward · · Score: 0

      Unfortunately Firefox copies every crappy feature from Chrome without thinking why a feature even exists. Having an ideal machinery for user fingerprinting may be a good incentive for Google to implement a feature, but what would Mozilla benefit from it?

    22. Re:More evil by Slashdot+Junky · · Score: 1

      Yes, it will still be bad. Mainstream users young and old are too clueless and will click allow/yes to a prompt without even considering that they are agreeing to far more given the extreme overreach of software and services these days.

      --
      .
      Landfill Mining Co.
      Managing the (Un)natural Resources of Tomorrow
  6. Suggestions for alternative mobile browsers? by Anonymous Coward · · Score: 0

    Laugh all you want, but I'll be using Firefox Aurora on my phone. Chrome isn't even installed.
    Any suggestions for other good mobile browsers?

    1. Re:Suggestions for alternative mobile browsers? by arth1 · · Score: 1

      Any suggestions for other good mobile browsers?

      Pale Moon. It's a fork of Firefox done when Firefox went batshit crazy, doing things like aping Chrome and embedding 3rd party bloatware in the browser itself.
      Available for most platforms including Android.

      The main problem with Pale Moon is that they're very quick to drop support for older systems, and they don't have a LTS release. For some, it's too much bleeding edge and not enough cutting edge.

  7. It's official. by werewolf1031 · · Score: 2, Interesting

    Google has gone completely bat-shit insane. How on earth did they think this was a good idea, let alone actually go forward and implement such a thing in the release product?

    Just mind-boggling.

    1. Re:It's official. by Oswald+McWeany · · Score: 1, Insightful

      Oh, I understand how this can be very good business tool.

      One example: Your company produces a device that can be configured using a web browser. Your BT enabled widget can now be set up and controlled just by going to a web page. No platform-specific code required, making it cheaper to set up and maintain. The end result is somewhat respectable.

      Of course, this opens up a whole bunch of security holes. Your web browser opens up a BT enabled headset to listen in on the microphone. Even better a BT camera... Set your thermostat to an ungodly temperature. The security flaws are self-evident for anyone with half a brain.

      If we assume this would only be used for good though, this would be fantastic technology. It needs good security though. Request permission for each device from each domain separately and require an admin password to authorize each and every device.

      --
      "That's the way to do it" - Punch
    2. Re:It's official. by Anonymous Coward · · Score: 0

      Home automation with a bluetooth interface. Doesn't google want in on that market?

    3. Re:It's official. by tepples · · Score: 1

      require an admin password to authorize each and every device.

      Getting the user in the habit of entering the admin password that often is a good way to phish admin passwords.

    4. Re:It's official. by DontBeAMoran · · Score: 1
      --
      #DeleteFacebook
    5. Re:It's official. by Oswald+McWeany · · Score: 1

      Hopefully they won't have that many BT devices they WANT the web to connect to.

      If I'm reading Slashdot and it pops up a window that Slashdot wants to connect to my bedroom video camera* I'm not going to give it permission. The times I want a domain to be able to access a Bluetooth device will be few and far between.

      *I don't really have one, just an example

      --
      "That's the way to do it" - Punch
    6. Re:It's official. by Anonymous Coward · · Score: 0

      you overestimate the willingness of users to read the message. It should be more like pairing process and each domain/javascript module gets its own* virtual BT MAC address. The user would then have to physically go to the device to enable the pairing and data transfer.

      *virtual BT MAC management is beyond the scope of this comment.

    7. Re:It's official. by omnichad · · Score: 1

      They want to replace all native apps with web apps, so they can be involved. They already have your webcam, gamepad, speakers, and microphone. This is just the last important piece for them.

    8. Re:It's official. by Anonymous Coward · · Score: 0

      This is why you don't use web apps. Or "cloud storage", for that matter.

    9. Re:It's official. by Anonymous Coward · · Score: 0

      Block it via policy change. See http://winintro.com/?Category=Chrome&Policy=Google.Policies.Chrome%3A%3ADefaultWebBluetoothGuardSetting

    10. Re:It's official. by Carewolf · · Score: 1

      Google has gone completely bat-shit insane. How on earth did they think this was a good idea, let alone actually go forward and implement such a thing in the release product?

      Just mind-boggling.

      Well it made perfect sense as the follow up to WebUSB and WebMIDI (yes those are real things implemented in Chrome).

    11. Re:It's official. by LinuxIsGarbage · · Score: 1

      It needs good security though. Request permission for each device from each domain separately and require an admin password to authorize each and every device.

      It's already a piss-off how many sites want to know my location, or want to add notifications to Chrome. Now there will be one more annoying popup from the web browser itself.

    12. Re:It's official. by Anonymous Coward · · Score: 0

      lol, it's Google, dude. How do you think they make their money?

  8. Excuse me, I'm from Computer Services by ausekilis · · Score: 4, Insightful

    "Excuse me, I'm from the computer services group, and your A/C appears to be acting up... It's reporting . Please go to this website and click 'Accept' to all the prompts and we can diagnose it remotely".

    Yea, no problem catching idiots with that...

    1. Re:Excuse me, I'm from Computer Services by Anonymous Coward · · Score: 4, Interesting

      You laugh, but some refrigerators now have a little speaker that will tweet out a high frequency tone/diagnostic code that a phone tech can receive when you call for service.

    2. Re:Excuse me, I'm from Computer Services by DontBeAMoran · · Score: 1

      Ok, I clicked 'Accept' to all the prompts, can you tell me the results of the diagnosis?

      Also, is it normal that my fridge is trying to cook my ice cream?

      Thank you.

      --
      #DeleteFacebook
    3. Re:Excuse me, I'm from Computer Services by Anonymous Coward · · Score: 0

      That's... disturbing.

    4. Re:Excuse me, I'm from Computer Services by Anonymous Coward · · Score: 1

      This was an actual exchange I had with warranty support for my new dryer:

      WS: How can I help you.
      Me: My dryer isn't working. Its model number, blah blah.
      WS: Please take your phone and place it near the company logo, make sure the dryer is plugged in and then hold down the start button until you hear a tone.
      Me: Seriously? I've worked in phone support before, so if you want me to make sure it is plugged in, I can just do that without jumping through weird hoops.
      WS: No, it allows my diagnostic computer to interface with the machine. But, for the record, I do get objections to doing this a lot.
      Me: Ok, here goes. *modem fuzz noise from dryer and phone* *pause* *ding dong ding*
      WS: Well, your igniter failed a self-test so we will send out a tech to fix it.

    5. Re:Excuse me, I'm from Computer Services by The-Ixian · · Score: 1

      Well... that's great and all, but what would be really cool is if we could take out that whole human intervention and get the diagnostic code directly. An Internet connection to your dryer should do the trick...

      --
      My eyes reflect the stars and a smile lights up my face.
    6. Re:Excuse me, I'm from Computer Services by samwichse · · Score: 1

      My washer and dryer have NFC (not internet) and can do just this. Actually my fridge has the acoustically coupled modem thing and can also do this.

      Download the app->answer 3 yes/no questions, follow on screen instructions, receive diagnosis right on your phone.

      Sam

  9. If I'm forced to update by JustNiz · · Score: 1

    This will be the first thing I block.

  10. Wheres firefox support? by LiENUS · · Score: 1, Interesting

    I just got done setting up a heart rate monitor on a machine at a clinic where we use a web based software package on firefox. The bluetooth stuff is one of the last things requiring a native application. I wonder how much longer we'll need any native software at all with stuff like this coming out.

    1. Re:Wheres firefox support? by drinkypoo · · Score: 1

      I just got done setting up a heart rate monitor on a machine at a clinic where we use a web based software package on firefox.

      Great. So now you have to worry about whether Firefox updates and breaks it.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Wheres firefox support? by Oswald+McWeany · · Score: 2

      And Malware reporting fake heart-attacks.

      --
      "That's the way to do it" - Punch
    3. Re:Wheres firefox support? by LiENUS · · Score: 1

      Breaks what, everything's standards-compliant. If a Firefox update ever breaks the software I just switch to Chrome. I use Firefox because I have a configuration suite that sets up everything automatically for me. Manual configuration is still possible with any other browser.

    4. Re:Wheres firefox support? by LiENUS · · Score: 1

      Good luck with that, outside of mozilla.org everything is blocked.

    5. Re:Wheres firefox support? by Actually,+I+do+RTFA · · Score: 1

      I wonder how much longer we'll need any native software at all with stuff like this coming out.

      Forever, if you want to be able to store your data on your machine, not pay rent to keep using your cloud software, work offline, not have forced updates remove features or totally break your software, be constantly spied upon, or otherwise be at the mercy of losing everything because of an "update" in the EULA.

      --
      Your ad here. Ask me how!
    6. Re:Wheres firefox support? by LiENUS · · Score: 1

      if you want to be able to store your data on your machine

      You generally wouldn't keep EKGs on the machine doing the monitoring if you want to keep them around, you'd store them with the patient record so no problem here

      not pay rent to keep using your cloud software

      It's a web application running on a local server so...

      work offline

      It runs on a local server so once again.... not an issue

      not have forced updates remove features or totally break your software

      Forced updates are kind of the point of using web software, that's a benefit not a downside.

      be constantly spied upon

      These are work machines so once again you've listed a benefit. Employees don't exactly have an expectation of privacy on them.

      or otherwise be at the mercy of losing everything because of an "update" in the EULA.

      You're a bit paranoid aren't you?

  11. Connected devices by grasshoppa · · Score: 3, Insightful

    I'll be honest, I just don't get the appeal. What the fuck do my appliances need connectivity for?

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
    1. Re:Connected devices by Jeff+DeMaagd · · Score: 1

      I don't either. I don't intend to buy such appliances. They'll be woefully out of date for most of their useful life. They're often insecure as shipped and I doubt a notable number of them will ever get updates.

    2. Re:Connected devices by Anonymous Coward · · Score: 2, Funny

      How are the appliances going to join M2M (machine to machine) facebook, if they don't have connectivity? In there they will share funny and not so funny stories of their masters and plot world domination.

    3. Re:Connected devices by Anonymous Coward · · Score: 0

      To make sure you are being a good citizen.

    4. Re:Connected devices by DickBreath · · Score: 0

      Imagine if your phone had a 2nd factor authentication app. Google could send a packet to an app on the phone. The phone and the browser could communicate. The browser communicates back to the web site. The web site can authenticate that it is really you. You can compare two pictures, one on your phone, and one on the web page to be sure they are the same and click OK. Or just click OK if you don't care. Or this could be configured so that you click OK on the phone so that someone else using a nearby browser can't log in to your account. The configuration you choose would just depend on your level of paranoia.

      If you aren't that paranoid, then you wouldn't even have to take your hands away from whatever you are doing. The pr0n site would just let you right in to your account.

      --

      I'll see your senator, and I'll raise you two judges.
    5. Re:Connected devices by Lisias · · Score: 1

      IoT. Google wants to control your IoT.

      --
      Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
    6. Re:Connected devices by sl3xd · · Score: 4, Interesting

      Not intending to buy such appliances is only an option right now.

      We don't know if that option will remain open in the future.

      Personally, I think it's good to call out the bullshit now before it gains any momentum.

      --
      -- Sometimes you have to turn the lights off in order to see.
    7. Re:Connected devices by sl3xd · · Score: 1

      I'm generally in the camp of "If your 2nd factor is an app you're doing it wrong".

      2nd factor is pretty worthless if it doesn't require human interaction, otherwise, you get malware working with a keylogger to silently connect over Bluetooth and obtain valid 2nd factor as long as you're within range.

      --
      -- Sometimes you have to turn the lights off in order to see.
    8. Re:Connected devices by Anonymous Coward · · Score: 0

      They don't, but what would be a better way to harvest user data than the devices around the computer? The BT devices each have unique addresses, so they provide an identity for the user. And from the MAC addresses one can deduce the existing device inventory, which is useful for targeting ads. If the company did any evil, which Google would not, the company could also communicate with the microphones, GPS receivers, heart rate monitors and others, which would provide all the information an advertising company would want to get but is afraid to ask for.

    9. Re:Connected devices by DontBeAMoran · · Score: 1

      Maybe we'd finally learn what happened to all the missing socks, though.

      --
      #DeleteFacebook
    10. Re:Connected devices by Anonymous Coward · · Score: 0

      The companies who make these appliances, that's who this 'miracle convenience' is for. That way they can view usage & breakage metrics, and design future models to last just barely into the warranty. As you stated, who cares to check an appliance whilst mobile? Is the laundry really done? Who cares! It'll be done when it's done, naturally. So again, I am certain it's for the proverbial Them.

    11. Re:Connected devices by Anonymous Coward · · Score: 0

      They don't, of course.
      A shop tried to sell me a dishwasher that connects to wifi. This has no use, but apparently some people think it is a gimmick and so it sells. Needless to say, I bought another one. I also told the salesman that, as a network security expert, I wouldn't dream of owning such a thing.

    12. Re:Connected devices by Lisias · · Score: 1
      --
      Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
    13. Re:Connected devices by LinuxIsGarbage · · Score: 1

      I'll be honest, I just don't get the appeal. What the fuck do my appliances need connectivity for?

      I like tech and all, but in my experience, the best, most robust appliances have minimal electronics. The KISS principle.

      Fridge with mechanical thermostat, and mechanical defrost timer. Dishwasher, clothes washer, dryer with mechanical timers. Ranges with mechanical thermostats. Hell, if you don't religiously use setback functionality, a mechanical thermostat is more reliable than a normal programmable, let alone a NEST.

      These appliances cost less, and run for decades without issue. And easier to find parts or jury-rig something when they do cause problems. Rather than "Logic board failed, new range is cheaper than a new logic board"

    14. Re:Connected devices by rsborg · · Score: 1

      Not intending to buy such appliances is only an option right now.

      We don't know if that option will remain open in the future.

      Personally, I think it's good to call out the bullshit now before it gains any momentum.

      While simultaneously thinking of and implementing ways to kneecap such devices' traitorous behavior.

      --
      Make sure everyone's vote counts: Verified Voting
    15. Re:Connected devices by flink · · Score: 1

      Not intending to buy such appliances is only an option right now.

      We don't know if that option will remain open in the future.

      Personally, I think it's good to call out the bullshit now before it gains any momentum.

      So don't give 'em your WIFI password. I don't understand the hand wringing here. You're not obligated to use the online features of "smart" devices. I buy non-connected when I can. When I can't I just turn the networking off.

      For example, I just bought a new thermostat. I got this particular model because it had the ability to communicate with some non-WIFI 2.4GHz remote temperature sensors I wanted to install. It also happened to have the ability to phone home over WIFI to let me remote control my heating system through the manufacturer's website. Guess what? I just skipped the WIFI portion of the install, and paired the thing with the sensors. Is the sensor interface vulnerable? Probably, but what's the threat model? Some asshole schleps a bunch of specialized radio equipment within 500' of my house and feeds some false readings into my thermostat?

      However, I do think we should hold embedded manufacturers liable for any botnets that their devices participate in if the manufacturer doesn't provide some sort of automated update that is kept current with known threats.

    16. Re:Connected devices by Anonymous Coward · · Score: 0

      So true. Try to buy a dumb TV. Good luck with that. How long before every appliance is an IoT device? At least now you can simply refuse to set most up to your wifi. How long before you get a "Device will not work without wifi connection" prompt every 30 sec you refuse to give it your wifi password?

  12. Re:The Absurdity of Atheism by Anonymous Coward · · Score: 1, Insightful

    It's been awhile since we've had jesus freaks spamming shit here. It's nostalgic of the time when we actually fought against ignorance. Today we're only 'allowed' to fight ignorance when it isn't islam.

  13. Fingerprinting by Anonymous Coward · · Score: 0

    And of course this won't be used to better refine browser fingerprinting techniques. At all.

    1. Re:Fingerprinting by tepples · · Score: 1

      I don't see how Bluetooth helps with fingerprinting users if the user has to first click "Allow for https://example.com/".

      If you are addressing this from a position of objecting to fingerprinting in general: The easiest way to fingerprint users is to require a Google, Facebook, Twitter, Microsoft, or email account login to read past the abstract. As browsers add anti-fingerprinting measures, watch more sites become "free reg. req."

  14. ... in a private and secure manner by Errol+backfiring · · Score: 4, Insightful

    your Web app can communicate with nearby Bluetooth devices in a private and secure manner, using the Web Bluetooth API

    Given the fact that even the battery API was abandoned for privacy reasons, I just don't believe it is ever possible to do this securely and privately. This is just an attack vector begging to be exploited.

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  15. You mean this is serious? by mmell · · Score: 1

    I was just about to upmod it - I thought this guy was going for a "+5, Funny".

    1. Re:You mean this is serious? by Anonymous Coward · · Score: 0

      Bye Bye Chrome! Of course those of us not using computers with bluetooth hardware don't have to worry, but still an asshat move that will make me never use/install chrome again!

  16. 180 from "Don't be evil" by sinij · · Score: 2

    This is complete opposite from "Don't be evil". This is outright intrusive and evil.

    1. Re:180 from "Don't be evil" by kbonin · · Score: 1

      If true, this is a Microsoft level move: "increasing our market share is more important than your security or privacy".

    2. Re:180 from "Don't be evil" by Anonymous Coward · · Score: 0

      Companies don't have ideals -- they have slogans. The idea that a company (or any human being with a profit motive) can be trusted to "not do evil" is laughable. NOBODY can be trusted when it comes to money.

    3. Re:180 from "Don't be evil" by sinij · · Score: 1

      Google is a company run by techies. I liked to pretend that we are better than empty BA suits or bozos in marketing, but turns out that this is not the case.

    4. Re:180 from "Don't be evil" by DickBreath · · Score: 2

      Microsoft did a 360 move from "be evil".

      --

      I'll see your senator, and I'll raise you two judges.
    5. Re:180 from "Don't be evil" by sl3xd · · Score: 1

      Google was a company run by techies. Techies haven't been making the calls for quite some time now - Google's advertising clients do. Or have you been willfully ignorant of the past decade?

      --
      -- Sometimes you have to turn the lights off in order to see.
    6. Re:180 from "Don't be evil" by sl3xd · · Score: 1

      This is complete opposite from "Don't be evil". This is outright intrusive and evil.

      Big brother is real... he's just not a government employee, nor does he work for Apple or Microsoft.

      When Google does absolutely anything that's pro-user and pro-privacy at the cost of advertiser intrusiveness, I'll re-evaluate that statement.

      --
      -- Sometimes you have to turn the lights off in order to see.
    7. Re:180 from "Don't be evil" by ls671 · · Score: 1

      NOBODY can be trusted when it comes to money.

      False, send me $10,000 and I will prove it to you.

      --
      Everything I write is lies, read between the lines.
    8. Re:180 from "Don't be evil" by Anonymous Coward · · Score: 0

      google minus NT = "Don't be evil becomes do be evil"

      Bring back windows NT !!!

  17. Re:... in a private and secure manner by drinkypoo · · Score: 1

    Given the fact that even the battery API was abandoned for privacy reasons, I just don't believe it is ever possible to do this securely and privately.

    Chrome allows filesystem access. You give permission for an app to access a specific location in your filesystem. I don't see why you can't just be asked whether you want to give permission to do Bluetooth things, through the same mechanism.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  18. Silly Rabbit by Anonymous Coward · · Score: 0

    Google has gone completely bat-shit insane.

    Insane like a fox.

    You must think that you are their target customer.

    1. Re:Silly Rabbit by Anonymous Coward · · Score: 0

      Customer? More like a product, as you, as a google user, are being sold to any company who is willing to pay.

  19. Re:... in a private and secure manner by Anonymous Coward · · Score: 0

    Silly. Using a computer is an attack vector. Go live in the mountains tinhatfoilboiiiiii.

  20. Google is doing what advertising companies do by sjbe · · Score: 3, Insightful

    So despite all ad blocking efforts from the user, this API provides a great pathway to do some digital fingerprinting and establish a cross-site identity.

    You are aware that Google is an advertising company right? People tend to forget this fact and how it will tend to incentivize them as an organization. Your privacy is really of no concern to them unless it creates a PR problem.

  21. Been there, done that, by Lisias · · Score: 1

    ActiveX.

    Good luck with that. We will need it.

    --
    Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
    1. Re:Been there, done that, by ls671 · · Score: 1

      So this should be called ActiveY? Active, why?

      --
      Everything I write is lies, read between the lines.
    2. Re:Been there, done that, by Lisias · · Score: 1

      So this should be called ActiveY? Active, why?

      Because the passive ones are us. =P

      Each 10 years some company tries a stunt like that. Five years later, after a lot of pain and tears, we manage to survive the mess. And then another company do it again.

      It's amusing how we, The People, manage to allow it again and again.

      --
      Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
  22. Ransomware Gold by MAurelius · · Score: 2

    How long before the criminals use the Bluetooth connection to turn off various important household systems? When it's -10 degrees F/ -23 C in the upper Midwest of the US and in Canada it is highly inconvenient to get a message to the effect that "Your Carrier Xfinity Furnace has been turned off and locked by us by remotely disabling the furnace control board firmware. To receive the code to unlock it and restore heat in your house, please submit 2 Bitcoin (about US$ 2000) to the following account before your pipes and your family freeze. And by the way, we also opened your garage door for your convenience and more rapid cooling." I would be very interested to know how to disable the Bluetooth API in the new versions of Chrome/Chromium. (I run both).

    1. Re:Ransomware Gold by omnichad · · Score: 1

      There's already microphone and webcam APIs that are just as useful to criminals - but both require permission.

    2. Re:Ransomware Gold by mvdwege · · Score: 1

      Rename google-chrome to google-chrome.real. Then create the following shell script and name it google-chrome:

      #!/bin/sh
      # Unload the USB Bluetooth driver for as long as Chrome runs,
      # then reload it once Chrome exits. "$@" passes any
      # command-line arguments through to the real binary.
      sudo modprobe -r btusb
      google-chrome.real "$@"
      sudo modprobe btusb

      Voila, as long as chrome is running, no Bluetooth. And yes, I'm only semi-joking.

      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    3. Re:Ransomware Gold by ls671 · · Score: 1

      I would be very interested to know how to disable the Bluetooth API in the new versions of Chrome/Chromium. (I run both).

      Just wrap all your devices in tinfoil and connect to ground, it works well here...

      --
      Everything I write is lies, read between the lines.
    4. Re:Ransomware Gold by ls671 · · Score: 1

      I suggest creating a group for bt access and change the permissions in /dev so only members of that group can access it instead. I already browse the web using a user that has limited permissions.

      --
      Everything I write is lies, read between the lines.
    5. Re:Ransomware Gold by MAurelius · · Score: 1

      Excellent idea. This is my last-ditch maneuver if there is no user-selectable preference box to 'Disable Chrome browser access to Bluetooth devices.' Do I have to wear the matching tinfoil hat for this to work?

    6. Re:Ransomware Gold by MAurelius · · Score: 1

      Very practical idea for the many people who don't believe in the IoT. Thanks. Am I missing something or is this a spectacularly bad and abusable security design problem by Google? Or stated another way, who is paying Google to open this hole?

    7. Re:Ransomware Gold by MAurelius · · Score: 1

      Interesting idea. The password request would be a reminder that it's a modified version of chromium.

    8. Re:Ransomware Gold by Anonymous Coward · · Score: 0

      and how many people actually *read* before they click on something?

  23. Would you prefer that it be exclusive to an OS? by tepples · · Score: 1

    Would you prefer that only native apps be able to access Bluetooth devices? Then companies will just make the required native app exclusive to the operating system other than the one that your PC runs. For example, one company might be tempted to make a device's corresponding native app exclusive to macOS. Another might be tempted to make its own exclusive to Windows.

    1. Re:Would you prefer that it be exclusive to an OS? by skids · · Score: 5, Informative

      Would you prefer that only native apps be able to access Bluetooth devices?

      I'd prefer all my "apps" to be applications, personally, with auditable source code that doesn't get automatically "upgraded" under my feet at a schedule of someone else's choosing.

    2. Re:Would you prefer that it be exclusive to an OS? by Misagon · · Score: 3, Informative

      Hell yes, I want only native applications to access my Bluetooth devices: only the apps that I choose to install, and only those which I give permission to access Bluetooth devices directly.

      That's two layers of security right there that I don't want to trade away.
      Building cross-platform apps is another problem.

      --
      "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
    3. Re:Would you prefer that it be exclusive to an OS? by Anonymous Coward · · Score: 0

      Would you prefer that only native apps be able to access Bluetooth devices?

      No, I prefer that no software except the Bluetooth driver recognize a device as being Bluetooth. As far as any application can tell, a Bluetooth headset with microphone should be indistinguishable from any other stereo audio output and mono audio input.
      Even beyond that, no software should have permission to choose its own audio devices. Unless the user chooses otherwise (preferably in an OS-level controller), all devices should only know that there might be a default output and a default input. The audio output selector should then map software output to specific hardware, without any indication at all to the software.

      I'm not familiar with much else that Bluetooth is useful for, so I suppose there might exist a format where it does not make sense to restrict details to the driver, but I'm having trouble imagining one.

    4. Re:Would you prefer that it be exclusive to an OS? by tepples · · Score: 1

      Hell Yes, I want only native applications to access my Bluetooth devices: Only the apps that I choose to install [...] Building cross-platform apps is another problem.

      But "another problem" is exactly the problem to which I was referring. Good luck "choos[ing] to install" a .msi on your Mac or the contents of a .dmg on your not-Mac.

    5. Re:Would you prefer that it be exclusive to an OS? by omnichad · · Score: 2

      By definition (this being a web API), the devices that require this already phone home through whatever app and the remote end of the API can be disabled for your old version anyway. This means Linux support where there would normally be none.

    6. Re:Would you prefer that it be exclusive to an OS? by omnichad · · Score: 1

      I'm not familiar with much else that Bluetooth is useful for, so I suppose there might exist a format where it does not make sense to restrict details to the driver, but I'm having trouble imagining one.

      Non-wifi smart things, like a Fitbit would be one. Anything that exists solely to collect data to then be processed by a remote server would qualify.

    7. Re:Would you prefer that it be exclusive to an OS? by Anonymous Coward · · Score: 0

      The only thing I can think of that I care about that's Bluetooth is my headphones, and an OBD2 adapter I use in my car. I couldn't care less if a webpage can communicate with either of those; I don't want it.

    8. Re:Would you prefer that it be exclusive to an OS? by LinuxIsGarbage · · Score: 1

      And preferably having most or all functionality without having to communicate with the author's server. For example Fitbit makes a native Windows application, but it just transfers data from the tracker to their servers, and requires their website to view any of it.

    9. Re:Would you prefer that it be exclusive to an OS? by Actually,+I+do+RTFA · · Score: 1

      Would you prefer that only native apps be able to access Bluetooth devices?

      I'd prefer if only (a) offline and (b) opt-in programs have Bluetooth permissions. Visiting a random webpage is not the same as downloading and running a program.

      --
      Your ad here. Ask me how!
    10. Re:Would you prefer that it be exclusive to an OS? by tepples · · Score: 1

      Once you download a program, how do you go about porting it to the operating system that your PC or smartphone uses so that you can run it?

    11. Re:Would you prefer that it be exclusive to an OS? by Actually,+I+do+RTFA · · Score: 1

      Really? Leaving aside the fact that I've never had that problem, finding something just searching for software designed to run on my platform from the start, I have a Java virtual machine, DosBox, other virtual machines, and the ability to compile C/C++ to any architecture (pretty much true). Further, Bluetooth GATT is a standard protocol, so I can use any old software with any peripheral.

      --
      Your ad here. Ask me how!
    12. Re:Would you prefer that it be exclusive to an OS? by tepples · · Score: 1

      Can your collection of compatibility tools run the contents of both a .dmg and a .msi?

    13. Re:Would you prefer that it be exclusive to an OS? by Actually,+I+do+RTFA · · Score: 1

      Well, first, yes, trivially, because my complete suite of compatibility tools includes the ability to use whatever OS I need (well, among Windows/OSX/Linux). But more easily, possibly, depending on what the contents of the .dmg/.msi file are (both are primarily containers that can be accessed). More precisely, other than games, I'm not sure there is closed-source software that I use which is only available on one OS or another. And yes, I can recompile the source on my OS of choice.

      --
      Your ad here. Ask me how!
    14. Re:Would you prefer that it be exclusive to an OS? by tepples · · Score: 1

      my complete suite of compatibility tools includes the ability to use whatever OS I need (well, among Windows/OSX/Linux)

      In other words, you bought a Mac and a Windows license to run in VirtualBox for said Mac. Did I guess correctly?

    15. Re:Would you prefer that it be exclusive to an OS? by Actually,+I+do+RTFA · · Score: 1

      Close: I bought a second computer, because the license fee was more than a refurbished computer.

      --
      Your ad here. Ask me how!
    16. Re:Would you prefer that it be exclusive to an OS? by tepples · · Score: 1

      That's fine for those people who use only desktop computers. But not everyone has backpack space to carry both a MacBook and a Windows laptop.

    17. Re:Would you prefer that it be exclusive to an OS? by Actually,+I+do+RTFA · · Score: 1

      Sure, but a MacBook can tri-boot into Windows, Linux and OSX (heck, it could also handle a BSD variant as well). If you want a laptop, the extra $20 of difference between a refurb and a license isn't that much.

      Or, you can run WINE on a MacBook.

      --
      Your ad here. Ask me how!
    18. Re:Would you prefer that it be exclusive to an OS? by tepples · · Score: 1

      Or, you can run WINE on a MacBook.

      I don't see how, seeing as Fitbit is rated "Garbage" in Wine AppDB.

      Another question: If a Mac can run Mac-exclusive applications, Linux-exclusive applications, and Windows-exclusive applications, but computers from other computers can run only Linux-exclusive applications and Windows-exclusive applications, then how do other companies sell computers at all?

  24. Re:The Absurdity of Atheism by DontBeAMoran · · Score: 3, Interesting

    The real question is, why is such a wall of text, posted by an AC and with a score of -1, auto-expanded to full view while some real comments are not?

    --
    #DeleteFacebook
  25. Makes me miss Microsoft Office macros by lucasnate1 · · Score: 2

    This reminds me of the good old days when you could run code in documents and infect people with them. The only difference is that at least in that case, this was limited only to documents and only from Microsoft. Nowadays, since everything is being pushed to the web, this is much worse.

    1. Re:Makes me miss Microsoft Office macros by Mike+Van+Pelt · · Score: 2

      You can still run code in documents. It is one of the major vectors for the spread of Locky.

      Granted, Microsoft sets macros disabled by default, but all that's necessary is for the document with the Locky downloader to display "Secure Document: You must click "enable content" in order to view it." Two problems: One, Microsoft's "Click this to let any random malefactor ream you with malicious macros" button is given so innocuous a name as "enable content", and two, way, way too many people fall for it. (See how often the Locky folks succeed at this tactic.)

  26. I think it's good by iampiti · · Score: 4, Interesting

    ...provided that the user is informed when a website wants to use it and it's strictly opt in. Firefox works this way regarding sharing of location information.
    My point is that everything that lessens the dependence on native apps is good because then it's less difficult to change platforms.

    1. Re:I think it's good by Anonymous Coward · · Score: 0

      Why can't the appliance just stay off networks entirely. And post its wonderful data on an attached screen? Sure, you would not be able to check "if your refrigerator is running" remotely, but honestly who cares?

      Smart fridges already estimate inventory/volume of foods as they pass in & out of the door. Can it not display "GET MILK, BEEP" when needed? Isn't that good enough? I mean, if it tells us we're running low on milk & we forget... should we not just wise up & be more attentive or (heaven forbid) make a shopping list? Who needs networked f'ing abilities?

      The manufacturer, that's who. So they can determine 'usage & breakage' metrics, and design future products around just baaaarrrly making it to the warranty before they expire. This IoT idea... yeah, it's not for us. It's for them.

    2. Re:I think it's good by MatthiasF · · Score: 1

      Yes, let's open up web browsers into becoming a huge security and privacy invasion vector so you don't need to use "native apps" because it's "difficult to change platforms".

      Meanwhile, any application developer with half a brain should be making their software in a method that is easily ported to the three major platforms.

      But no, we should not expect them to do that. Instead, let's just open the browser up to do everything under the sun and hope nothing goes wrong. /s

    3. Re:I think it's good by Anonymous Coward · · Score: 0

      oracle made billions with java /$

    4. Re:I think it's good by ls671 · · Score: 1

      ... making their software in a method that is easily ported to the three major platforms. ...

      Not sure what you mean here: AIX, OS2 and Digital Unix?

      --
      Everything I write is lies, read between the lines.
    5. Re:I think it's good by Anonymous Coward · · Score: 0

      Pssh, get half a brain. OP clearly meant VMS, Plan 9, and BeOS.

    6. Re: I think it's good by Anonymous Coward · · Score: 0

      I think you mean it's easier to change operating systems. If all your web apps only work with chrome or Firefox, you're still stuck with that platform.

      It doesn't really change much IMO. To make matters worse, the browser platforms change far more frequently than an OS. Version changes happen automatically, overnight. Have fun loading up an old browser version when your favorite web app stops getting the monthly updates needed to keep ahead of the never ending sea of change. With an old program at least I can still run a VM (with restricted networking if required).

      Maybe that's the future. VMs for old browser versions with security padded on top.

      CM

  27. Make it stop! by goombah99 · · Score: 1

    Google is the new Microsoft which was the computer equivalent of the Fuller Brush salesman shoving his foot in your door. I hope this is OFF by default.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  28. Re:... in a private and secure manner by sl3xd · · Score: 1

    The difference being that filesystem access is still gated by the OS.

    --
    -- Sometimes you have to turn the lights off in order to see.
  29. Re:... in a private and secure manner by DontBeAMoran · · Score: 1

    But you can't even trust the tin foil since it's been made with computer-controlled machines.

    --
    #DeleteFacebook
  30. dat range tho by bobmajdakjr · · Score: 1

    Bluetooth's range kinda sucks, and even more so with walls though. :/

  31. Re:The Absurdity of Atheism by Anonymous Coward · · Score: 1

    Sigh. Go ahead and fight Islam all you want. Fight Christianity and Judaism too while you're at it. Meanwhile, the rest of us only want tech news without the alt-right choir section in the comments of every story.

  32. Re:The Absurdity of Atheism by JustAnotherOldGuy · · Score: 1

    It's been awhile since we've had jesus freaks spamming shit here. It's nostalgic of the time when we actually fought against ignorance. Today we're only 'allowed' to fight ignorance when it isn't islam.

    The funny thing is that this nutter is almost certainly turning people off to his kooky fairy tale rather than making them interested in it.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  33. Re:The Absurdity of Atheism by JustAnotherOldGuy · · Score: 2

    when no man has ever traveled through all time and space.

    But I've done both, as has everyone here.

    Show me someone who hasn't traveled through time and space and then maybe I'll pay attention.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  34. Your Exact Identity All The Time by Anonymous Coward · · Score: 0

    Did you register that fancy new Bluetooth appliance for the manufacturer's warranty? Because if you did, now Google can obtain your exact physical location any time it wants.

  35. Device classes of which an OS is not yet aware by tepples · · Score: 2

    No, I prefer that no software except the Bluetooth driver recognize a device as being Bluetooth. As far as any application can tell, a Bluetooth headset with microphone should be indistinguishable from any other stereo audio output and mono audio input.

    That works because your PC's operating system is aware of "stereo audio output" and "mono audio input" as a device class. Are the major PC operating systems aware of, say, "CNC mill" or "3D printer" as a device class yet?

    1. Re:Device classes of which an OS is not yet aware by Anonymous Coward · · Score: 0

      Yeah, because I really want a Web app to be able to control a machine that chews channels through solid steel, and can do thousands of dollars of damage to itself in seconds.

  36. Compiled a Windows app for your Mac lately? by tepples · · Score: 1

    Good luck compiling "auditable source code" that depends on Cocoa for anything other than macOS, particularly if it depends on the parts of Cocoa that GNUstep doesn't replicate. Or vice versa: Good luck compiling a Win32 application and device driver on macOS or Linux. (Wine doesn't run drivers.)

    1. Re:Compiled a Windows app for your Mac lately? by Anonymous Coward · · Score: 0

      You might have heard of this marvelous procedure. It's called "porting".

    2. Re:Compiled a Windows app for your Mac lately? by tepples · · Score: 1

      I have heard of porting. It requires either A. the application's publisher to be willing to do so, or B. the application to be free software and the user to have the resources and skills to do so, including a corporation or LLC to qualify for an EV code signing certificate in the case of something whose Windows port would need a driver.

  37. Pretty please I want a pony by easyTree · · Score: 1

    or 0.1 BTC if you want your lights back on

  38. Granular permissions by John+Allsup · · Score: 1

    Something Android does, or tries to do at least, is to have a granular permissions system for apps. Chrome should do similar for websites, where by default those things capable of causing problems are switched off. For sites that genuinely make good use of Bluetooth (and where the user is happy with this), it should be easy enough to grant permissions. In addition, when it comes to granting permissions, there is the opportunity to add information, and to hide/detect more dangerous choices.

    --
    John_Chalisque
    1. Re:Granular permissions by Guidii · · Score: 1
      This:

      Chrome should do similar for websites, where by default those things capable of causing problems are switched off. For sites that genuinely make good use of Bluetooth (and where the user is happy with this), it should be easy enough to grant permissions.

      is already true. Bluetooth devices aren't visible to web apps without user permission. Source: https://webbluetoothcg.github....

    2. Re:Granular permissions by Actually,+I+do+RTFA · · Score: 1

      Android doesn't have granular permissions, it has enumerated permissions. iOS does have granular permissions.

      --
      Your ad here. Ask me how!
  39. Re:The Absurdity of Atheism by omnichad · · Score: 1

    Hey, at least he's not promoting ad-blocking with an unblockable ad.

  40. Meet the new boss, same as the old boss. by PingSpike · · Score: 1

    Now that Firefox has withered away and IE "edged" its market share into the toilet to the benefit of Chrome, it's time Google started flexing its muscle to abuse its dominant position.

    1. Re:Meet the new boss, same as the old boss. by chefmonkey · · Score: 1

      I find it amusing that you would say Firefox -- which has approximately as many monthly active users as the population of the United States -- "has withered away". It's easy to get lost trying to untangle percentage market share from absolute market share.

  41. Don't Trust Google Anything by Anonymous Coward · · Score: 0

    Another reason not to trust Google **anything**

  42. Re:... in a private and secure manner by gravewax · · Score: 1

    All fine and good until the next browser vulnerability. Chrome is one of the better browsers security-wise (at least compared to Firefox), but there is still a regular flow of vulnerabilities. Add in stupid users who click yes to anything as they don't understand the implications.

  43. Wow. by SeaFox · · Score: 2

    "The Web Bluetooth API uses the GATT [Generic Attribute Profile - ed] protocol, which enables your app to connect to devices such as light bulbs, toys, heart-rate monitors, LED displays and more, with just a few lines of JavaScript."

    Forget ransomware. We're one bluetooth-enabled pacemaker away from hostageware.
    "Do not step away from your computer, until you complete the following form to send us 4.9 BTC..."

    1. Re:Wow. by serviscope_minor · · Score: 1

      , heart-rate monitors,

      Yeah, for some reason the Bluetooth organisation chose to codify them in the standard with their own little 16-bit UUID (0x180D). Think things like those Polar ones for sports.

      --
      SJW n. One who posts facts.
  44. Re:The Absurdity of Atheism by Anonymous Coward · · Score: 0

    I didn't find any reason for it. If there was a problem, it is gone now.

  45. Not at all by Assembler · · Score: 5, Informative

    Is this even a tech blog anymore? These assumptions about privacy loss only make sense if you haven't done even the most trivial reading of the spec. The docs are here: https://developers.google.com/... A site can request to connect to a bluetooth device. Chrome prompts the user for which one (or none), and the website can then interact with the selected device. I did less than a minute's worth of research. It's even mentioned in the article, but then the article just goes on to assume that the user has granted permission to the page to access every device they have somehow. Maybe I've missed something, but nobody seems to be talking about the actual implementation.

    1. Re:Not at all by Anonymous Coward · · Score: 0

      You're missing that the spec is sitting on top of a slippery slide. The next feature will be to "Always allow website with device XY", then "Allow website with all devices", and finally the prompt will be removed and access will be granted by default because the prompts were too confusing to the user and the user shouldn't be bothered with so many prompts since it makes the real prompts less effective. The exact same thing happened to self-signed HTTPS sites and is currently happening to HTTP sites. After granted by default the setting will be removed because metrics tell us the 99% of users don't change that setting (because everyone who does also turns off program metrics) so to keep the interface clean we don't want it displayed.

    2. Re: Not at all by Anonymous Coward · · Score: 0

      If you read the document more carefully you'd notice that in order to scan for devices the user simply has to click or tap an item on the page. To connect to a discovered device requires accepting a prompt, but scanning for devices is trivial to get a user to initiate. Scanning the environment for Bluetooth devices leaks tons of user and bystander information. This will allow websites to track who and where you are, what devices you own or interact with, and it can track who else is near you to determine who you associate with. It has bad idea written all over it.

    3. Re: Not at all by Assembler · · Score: 1

      I don't understand this literacy laziness. It feels like most of the people here are willfully blind. In the very same section you're referring to, it says: "Google Chrome will prompt user with a device chooser where they can pick one device or simply cancel the request." That's the browser doing that. The website you're on doesn't suddenly now trivially have permission to scan all available devices. It's the browser -- the app you're already trusting with the passwords for all the sites you access -- doing the scan.

    4. Re: Not at all by Assembler · · Score: 1

      I'm sorry, but it sounds like you realize your whole comment is a slippery slope argument, but not that that is a logical fallacy. The permission request is there -- just like there's a request in every browser before for sharing your location -- because it isn't always appropriate to share personal data with untrusted sites.

    5. Re:Not at all by strikethree · · Score: 1

      Chrome prompts the user for which one (or none), and the website can then interact with the selected device.

      Yes. yes. yes.

      There is never an alternative path through the code that bypasses the prompt. All software engineers are very industrious about removing test code and such. Even better, all software engineers I know use safe languages like Rust so of course, there is never a way to trigger that functionality without prompting the user.

      Of course, Google told the NSA to outright fuck off when asked to put in place a code-path that bypasses the prompt. Of course, the NSA employee who works at Google (without Google knowing) would never place such code in without Google management agreeing to it... which they would never do. Of course.

      Sorry. In theory, theory and reality match up perfectly. In reality... not so much.

      I do appreciate your facts against the uninformed hysteria here; however, the uninformed hysteria is actually the proper response here. This shit is evil and should be purged with prejudice.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
    6. Re:Not at all by Assembler · · Score: 1

      You're assuming that the attacker either 1) controls Chrome's source code so fully that they can modify it and nobody else will review the change and/or 2) this new API will introduce a security bug.

      #1 is a possibility for every single piece of hardware and software that we interact with. There is nothing that makes Chrome more vulnerable, other than being a higher profile target. That's countered by higher levels of scrutiny from the whitehat community and Google themselves.

      #2 applies to any feature that they add. There is nothing special about a Bluetooth API. We're already trusting browsers to handle stuff far more sensitive than this. Chrome is one of the most thoroughly tested, hardened, and sandboxed pieces of software there is. If it's not provided by the browser (which has essentially replaced the OS these days in terms of running 3rd party code) then we have to trust some 3rd party extension to do the device interaction, and to do it with the level of security that Chrome would. Sorry, but I don't see that as any better or likely. Whether it's the Chrome app on a mobile phone, or Chrome on the desktop, this will make working with Bluetooth much easier, while keeping things as safe as can be reasonably expected.

  46. User permission required by Anonymous Coward · · Score: 2, Informative

    _The UA MUST inform the user what capabilities these services give the website before asking which devices to entrust to it. If any services in the list aren't known to the UA, the UA MUST assume they give the site complete control over the device and inform the user of this risk. The UA MUST also allow the user to inspect what sites have access to what devices and revoke these pairings._

    https://webbluetoothcg.github.io/web-bluetooth/#security-and-privacy

    FUD article. Put your fucking pitchforks down.

  47. Re:... in a private and secure manner by ls671 · · Score: 1

    yep, computer-controlled machines that get more and more sophisticated every year, so the tinfoil gets thinner and thinner every year but the price still goes up...

    --
    Everything I write is lies, read between the lines.
  48. That's cute by Anonymous Coward · · Score: 0

    That's cute, I don't have any Bluetooth devices.

  49. GATT [Generic Attribute Profile - ed] by frovingslosh · · Score: 1

    Thanks msmash (ed), it is nice to have it explained that TT stands for Profile.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  50. It's troubling by Anonymous Coward · · Score: 0

    Bluetooth is a broad wireless technology, and it now allows web sites to work through Bluetooth. This is very troubling, and how long before someone creates a way to turn on Bluetooth even if you have disabled it in Chrome? If the whole idea is better tracking, that's even more concerning. But I suspect if Google has done it, the rest of the browsers will follow suit.

  51. Firejail everything! by Anonymous Coward · · Score: 0

    Firejail everything that google, fb, twitter, msft, apple, Oracle, HP, Adobe touch.

    Do it now!

  52. Fool me once... by Anonymous Coward · · Score: 0

    Why do you folks keep using google products? Seriously, you are all part of the problem.

  53. Re:The Absurdity of Atheism by ZipK · · Score: 3, Funny

    The real question is, why is such a wall of text, posted by an AC and with a score of -1, auto-expanded to full view while some real comments are not?

    The power of God.

  54. Thieves are going to love this. by dlingman · · Score: 1

    Post ad with bluetooth crap in it.
    Filter for the ones who have plenty of expensive toys.
    Pillage.
    Profit.

  55. Bluetooth keyboards & mice by Anonymous Coward · · Score: 0

    What risk is this to bluetooth keyboards & mice?

  56. Re:The Absurdity of Atheism by Anonymous Coward · · Score: 0

    and the rest of us want to be able to get the news without the radical neo-Marxism virtue signaling woven in...

  57. Misunderstand the technology by Actually,+I+do+RTFA · · Score: 2

    This web protocol uses the GATT protocol. That means that the Bluetooth devices must be open-protocolled. Therefore, you don't have to worry about closed-source apps; someone can always build an OS X/Windows/Linux version.

    --
    Your ad here. Ask me how!
    1. Re:Misunderstand the technology by tepples · · Score: 1

      Good luck building a program that uses a Cocoa GUI on or for anything other than a Mac.

    2. Re:Misunderstand the technology by Actually,+I+do+RTFA · · Score: 1

      Good luck building a program that uses x86 instructions on an ARM processor. How is that helpful?

      I'm specifically saying that the bluetooth devices will not be locked to a specific hardware, even without this js. That's all that matters.

      --
      Your ad here. Ask me how!
    3. Re:Misunderstand the technology by tepples · · Score: 1

      I'm specifically saying that the bluetooth devices will not be locked to a specific hardware, even without this js. That's all that matters.

      That's fine, so long as the services and characteristics sent by the device are publicly documented services, particularly those meeting a publicly documented profile. Otherwise, if neither the application's source code nor the services and characteristics provided by the device are published, each user of an operating system not supported by the device maker will have to reverse-engineer the proprietary services and characteristics provided by the device in order to write an application from scratch that interprets the characteristics that the device is sending.

    4. Re:Misunderstand the technology by Actually,+I+do+RTFA · · Score: 1

      services and characteristics sent by the device are publicly documented services

      Well, according to the article, the JS versions can only access those devices meeting a GATT-based specification, not the application specific variants thereof (similar to allowing unicode, but disallowing those blocks reserved for application specific code.)

      Now, I suppose a dongle could lie, and it could claim a random protocol and put out encrypted data, but...

      --
      Your ad here. Ask me how!
  58. Re: chromium off switch by slashrio · · Score: 1

    It seems that Sergey Brin worked for the CIA at Stanford before he spun off Google, so I really don't trust Google at all.
    I'd even put more trust in Jesus than in Google, and I'm an atheist...

    --
    "Trump!!", the new Godwin.
  59. This is OS responsibility by Anonymous Coward · · Score: 0

    Why operating systems allow these things to happen in the first place is beyond me. I need to see access control lists for all applications and all devices. That way I can prevent, let's say, Chrome from getting anywhere near the Bluetooth radio.

  60. What's in your wallet?... by Anonymous Coward · · Score: 0

    I wonder if this "feature" was already a part and we only know now...

  61. Custom services and characteristics by tepples · · Score: 1

    From the page I linked:

    The lowest level concept in GATT transactions is the Characteristic, which encapsulates a single data point
    [...]
    each service distinguishes itself from other services by means of a unique numeric ID called a UUID, which can be either 16-bit (for officially adopted BLE Services) or 128-bit (for custom services).
    [...]
    you're free to use the standard characteristics defined by the Bluetooth SIG (which ensures interoperability across and BLE-enabled HW/SW) or define your own custom characteristics which only your peripheral and SW understands.

    I was referring to the maker of a GATT peripheral that chooses to create such "custom services" and "custom characteristics" for use only by that device and the proprietary native or web application that accompanies it.

    I just re-read the article on El Reg to see if it says anything about disallowing custom (128-bit) services. Turns out it links to Google's page about the Web Bluetooth API, which states that custom services and characteristics are allowed:

    If your Bluetooth GATT Service is not on the list of the standardized Bluetooth GATT services though, you may provide either the full Bluetooth UUID or a short 16- or 32-bit form.
    [...]
    If you use a custom Bluetooth GATT characteristic, you may provide either the full Bluetooth UUID or a short 16- or 32-bit form to service.getCharacteristic.

    1. Re:Custom services and characteristics by Actually,+I+do+RTFA · · Score: 1

      Ah, I was aware of (and have written) custom services. I thought Web Bluetooth forbade access to them. My mistake.

      --
      Your ad here. Ask me how!
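Added example, written for this page and not taken from any commenter, Google's docs or the Web Bluetooth spec: the UUID forms that post 61 quotes from Google's page (full 128-bit UUID, 16/32-bit alias, or SIG name) normalised the way BluetoothUUID.canonicalUUID() does, followed by the "known service vs. complete control" decision the spec text in post 46 requires a UA to make before showing the device chooser. The adopted-services table is a deliberately short stand-in for the SIG assigned-numbers list, and the 128-bit example UUID is a vendor-defined one used only as a sample of a custom service.

```javascript
'use strict';

// Every SIG-assigned 16/32-bit alias lives on this base UUID (Bluetooth Core spec).
const BLUETOOTH_BASE_SUFFIX = '-0000-1000-8000-00805f9b34fb';
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

// Assumption: a tiny subset of the SIG assigned numbers; a real UA ships the full list.
const ADOPTED_SERVICES = {
  0x180d: 'heart_rate',
  0x180a: 'device_information',
  0x180f: 'battery_service',
  0x1812: 'human_interface_device',
};

// Same expansion as BluetoothUUID.canonicalUUID(): 8 hex digits of alias + base suffix.
function canonicalUUID(alias) {
  if (!Number.isInteger(alias) || alias < 0 || alias > 0xffffffff) {
    throw new TypeError('alias must be a 32-bit unsigned integer');
  }
  return alias.toString(16).padStart(8, '0') + BLUETOOTH_BASE_SUFFIX;
}

// Accept the three forms a site may pass: a number (16/32-bit alias), a full UUID string,
// or a SIG service name such as 'heart_rate'. Anything else is rejected rather than guessed.
function normalizeServiceUUID(value) {
  if (typeof value === 'number') return canonicalUUID(value);
  if (typeof value !== 'string') throw new TypeError('unsupported UUID form');
  const lower = value.toLowerCase();
  if (UUID_RE.test(lower)) return lower;
  for (const [num, name] of Object.entries(ADOPTED_SERVICES)) {
    if (name === lower) return canonicalUUID(Number(num));
  }
  throw new TypeError(`unknown service name: ${value}`);
}

// A UUID counts as "known" only if it sits on the Bluetooth base AND its alias is in the
// adopted table. A custom 128-bit UUID, or an alias the UA has never heard of, is unknown.
function classifyService(uuid) {
  const canonical = normalizeServiceUUID(uuid);
  if (canonical.endsWith(BLUETOOTH_BASE_SUFFIX)) {
    const alias = parseInt(canonical.slice(0, 8), 16);
    if (ADOPTED_SERVICES[alias]) {
      return { uuid: canonical, known: true, name: ADOPTED_SERVICES[alias] };
    }
  }
  return { uuid: canonical, known: false, name: null };
}

// What the spec obliges the UA to tell the user before the chooser: known services are
// described by name; a single unknown service escalates the warning to "complete control".
function describeRequestedServices(services) {
  const classified = services.map(classifyService);
  const known = classified.filter((s) => s.known).map((s) => s.name);
  const unknown = classified.filter((s) => !s.known).map((s) => s.uuid);
  const fullControl = unknown.length > 0;
  const message = fullControl
    ? `This site asks for ${unknown.length} service(s) the browser does not recognise; ` +
      'assume it can take complete control of the device.'
    : `This site will be able to use: ${known.join(', ')}.`;
  return { known, unknown, fullControl, message };
}

// Sample requests (constructed): a purely SIG-adopted one, and one that adds a vendor
// 128-bit service (the Nordic UART service UUID, used here only as a custom-service sample).
const REQUEST_ADOPTED_ONLY = ['heart_rate', 0x180f];
const REQUEST_WITH_CUSTOM = ['heart_rate', '6E400001-B5A3-F393-E0A9-E50E24DCCA9E'];
```

The point of the classification is the one the spec makes: an unknown service is not "probably harmless", it is "assume full control", because the UA cannot say what the characteristics behind it do. A site that wants the softer prompt has to stick to adopted services.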
  62. article is misleading by Anonymous Coward · · Score: 0

    I've (now) used this API to connect to some BT devices from Chrome,
    and this article is wildly inaccurate.
    The API does not provide the ability to sniff out BT devices, nor can the web page connect to a device w/o explicit user action.

    specifically, the root API call which begins the chain of device access for the page is navigator.bluetooth.requestDevice(),
    which opens a Chrome-managed dialog asking the user to choose & connect to a device (or not), and returns just that single device.

    of course, there could be bugs in the API implementation which would allow other forms of access,
    but that didn't seem to be the thrust of the article.

    many folks on this story have commented "why would I want that".
    that's like asking why you would want to read email in a web page instead of in a traditional native app.
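Added example, not from any commenter and not Google's sample code: the requestDevice() chain that post 62 describes, applied to the heart-rate monitors of post 43.1 (service 0x180D). The request is filtered to that one service, so Chrome's chooser only lists devices advertising it, and the Heart Rate Measurement characteristic (0x2A37) is decoded by a pure function that can be exercised outside a browser. The 'device_information' entry in optionalServices is an assumption about what a realistic app would also want; the sample notification bytes are constructed.

```javascript
'use strict';

// SIG names Web Bluetooth accepts in place of the numeric aliases 0x180D / 0x2A37.
const HEART_RATE_SERVICE = 'heart_rate';
const HEART_RATE_MEASUREMENT = 'heart_rate_measurement';

// Options for navigator.bluetooth.requestDevice(). `filters` is what narrows the chooser;
// services not listed in filters or optionalServices stay inaccessible after pairing.
function heartRateRequestOptions() {
  return {
    filters: [{ services: [HEART_RATE_SERVICE] }],
    optionalServices: ['device_information'], // assumption: what a real app would also read
  };
}

// Decode one Heart Rate Measurement value (a DataView over the characteristic bytes).
// Layout: flags byte; HR as uint8 or uint16 LE (flags bit 0); optional uint16 energy
// expended (bit 3); optional trailing uint16 RR intervals in 1/1024 s units (bit 4).
function parseHeartRateMeasurement(view) {
  const flags = view.getUint8(0);
  const hr16 = (flags & 0x01) !== 0;
  const contactDetected = (flags & 0x02) !== 0;
  const contactSupported = (flags & 0x04) !== 0;
  const energyPresent = (flags & 0x08) !== 0;
  const rrPresent = (flags & 0x10) !== 0;

  let offset = 1;
  let heartRate;
  if (hr16) {
    heartRate = view.getUint16(offset, true);
    offset += 2;
  } else {
    heartRate = view.getUint8(offset);
    offset += 1;
  }

  const result = { heartRate, contactSupported, contactDetected, energyExpended: null, rrIntervals: [] };
  if (energyPresent) {
    result.energyExpended = view.getUint16(offset, true);
    offset += 2;
  }
  if (rrPresent) {
    while (offset + 1 < view.byteLength) {
      // convert 1/1024 s ticks to milliseconds
      result.rrIntervals.push(Math.round((view.getUint16(offset, true) * 1000) / 1024));
      offset += 2;
    }
  }
  return result;
}

// The full chain. Works only in a browser with Web Bluetooth, and only when called from a
// user gesture (click/tap). Resolves to a function that unsubscribes and disconnects.
async function subscribeToHeartRate(onMeasurement) {
  if (typeof navigator === 'undefined' || !navigator.bluetooth) {
    throw new Error('Web Bluetooth is not available in this environment');
  }
  const device = await navigator.bluetooth.requestDevice(heartRateRequestOptions());
  const server = await device.gatt.connect();
  const service = await server.getPrimaryService(HEART_RATE_SERVICE);
  const characteristic = await service.getCharacteristic(HEART_RATE_MEASUREMENT);
  const handler = (event) => onMeasurement(parseHeartRateMeasurement(event.target.value));
  characteristic.addEventListener('characteristicvaluechanged', handler);
  await characteristic.startNotifications();
  return async () => {
    characteristic.removeEventListener('characteristicvaluechanged', handler);
    await characteristic.stopNotifications();
    device.gatt.disconnect();
  };
}

// Constructed sample notification: flags 0x10 (uint8 HR, RR present), HR 72, one RR of
// 819 ticks (0x0333 little-endian), i.e. about 800 ms.
const SAMPLE_NOTIFICATION = new DataView(new Uint8Array([0x10, 72, 0x33, 0x03]).buffer);
```

Nothing in this chain enumerates devices for the page: the only device object the script ever sees is the one the user picked in the chooser, and only the services named in the request are reachable through it.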