Chrome 56 Quietly Added Bluetooth Snitch API

Richard Chirgwin, writing for The Register: When Google popped out Chrome 56 at the end of January it was keen to remind us it's making the web safer by flagging non-HTTPS sites. But Google made little effort to publicise another feature that's decidedly less friendly to privacy, because it lets websites ask about users' Bluetooth devices and harvest information from them through the browser. That's more a pitch to developers, as is clear in this YouTube video from Pete LePage of the Chrome Developers team. "Until now, the ability to communicate with Bluetooth devices has been possible only for native apps. With Chrome 56, your Web app can communicate with nearby Bluetooth devices in a private and secure manner, using the Web Bluetooth API," Google shares in the video. "The Web Bluetooth API uses the GATT [Generic Attribute Profile - ed] protocol, which enables your app to connect to devices such as light bulbs, toys, heart-rate monitors, LED displays and more, with just a few lines of JavaScript." In other words, the API lets websites ask your browser "what Bluetooth devices can you see," find out what your fridge, and so on, is capable of, and interact with it.

More evil

[JaredOfEuropa]

So despite all ad blocking efforts from the user, this API provides a great pathway to do some digital fingerprinting and establish a cross-site identity. And if you happen to log in on certain sites that use this, they will be able to establish your real identity on any other site from there on in as well.

Re:More evil

[Polo]

Actually, it is MUCH more insidious than this.

Look at iBeacon or eddystone or equivalents.

Bluetooth beacons enable fine-grained location tracking, at 1/10 of a second intervals.

Retailers and others can place these in stores, track your location and behavior while walking through their store, and match it with a physical person at the register when paying with a credit card.

Re:chromium?

chrome://flags/
Web Bluetooth
Disable

Re:Would you prefer that it be exclusive to an OS?

[skids]

Would you prefer that only native apps be able to access Bluetooth devices?

I'd prefer all my "apps" top be applications, personally, with auditable source code that doesn't get automatically "upgraded" under my feet at a schedule of someone else's choosing.

Re:Would you prefer that it be exclusive to an OS?

[Misagon]

Hell Yes, I want only native applications to access my Bluetooth devices: Only the apps that I choose to install and only those which I give permission to access Bluetooth devices directly,

That's two layers of security right there that I don't want to trade away.
Building cross-platform apps is another problem.

Not at all

[Assembler]

Is this even a tech blog anymore? These assumptions about privacy loss only make sense if you haven't done even the most trivial reading of the spec. The docs are here: https://developers.google.com/... A site can request to connect to a bluetooth device. Chrome prompts the user for which one (or none), and the website can then interact with the selected device. I did less than a minute's worth of research. It's even mentioned in the article, but then the article just goes on to assume that the user has granted permission to the page to access every device they have somehow. Maybe I've missed something, but nobody seems to be talking about the actual implementation.

User permission required

_The UA MUST inform the user what capabilities these services give the website before asking which devices to entrust to it. If any services in the list arenâ(TM)t known to the UA, the UA MUST assume they give the site complete control over the device and inform the user of this risk. The UA MUST also allow the user to inspect what sites have access to what devices and revoke these pairings._

https://webbluetoothcg.github.io/web-bluetooth/#security-and-privacy

FUD article. Put your fucking pitchforks down.