Chrome 56 Quietly Added Bluetooth Snitch API (theregister.co.uk)
Richard Chirgwin, writing for The Register: When Google popped out Chrome 56 at the end of January it was keen to remind us it's making the web safer by flagging non-HTTPS sites. But Google made little effort to publicise another feature that's decidedly less friendly to privacy, because it lets websites ask about users' Bluetooth devices and harvest information from them through the browser. That's more a pitch to developers, as is clear in this YouTube video from Pete LePage of the Chrome Developers team. "Until now, the ability to communicate with Bluetooth devices has been possible only for native apps. With Chrome 56, your Web app can communicate with nearby Bluetooth devices in a private and secure manner, using the Web Bluetooth API," Google shares in the video. "The Web Bluetooth API uses the GATT [Generic Attribute Profile - ed] protocol, which enables your app to connect to devices such as light bulbs, toys, heart-rate monitors, LED displays and more, with just a few lines of JavaScript." In other words, the API lets websites ask your browser "what Bluetooth devices can you see," find out what your fridge, and so on, is capable of, and interact with it.
It all depends on permissions and default permissions. It makes sense to have the ability for web apps to interface w/BT devices, and that can't happen unless the app can 'see' BT devices to begin with. Android already has this ability to see all your BT devices, and keep a record of them. It knows what they are, etc.
Like many features, this one has the potential for good use as well as abuse.
"Excuse me, I'm from the computer services group, and your A/C appears to be acting up... It's reporting . Please go to this website and click 'Accept' to all the prompts and we can diagnose it remotely".
Yea, no problem catching idiots with that...
I'll be honest, I just don't get the appeal. What the fuck do my appliances need connectivity for?
Mod me down with all of your hatred and your journey towards the dark side will be complete!
It's been awhile since we've had jesus freaks spamming shit here. It's nostalgic of the time when we actually fought against ignorance. Today we're only 'allowed' to fight ignorance when it isn't islam.
It makes sense to have the ability for web apps to interface w/BT devices
Care to explain how this makes any sense at all? 'Cause right now all I see is the potential for massive security and real-world safety vulnerabilities.
your Web app can communicate with nearby Bluetooth devices in a private and secure manner, using the Web Bluetooth API
Given the fact that even the battery API was abandoned for privacy reasons, I just don't believe it is ever possible to do this securely and privately. This is just an attack vector begging to be exploited.
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
Oh, I understand how this can be a very good business tool.
One example: Your company produces a device that can be configured using a web browser. Your BT enabled widget can now be set up and controlled just by going to a web page. No platform specific code required, making it cheaper to set up and maintain. The end result is somewhat respectable.
Of course, this opens up a whole bunch of security holes. Your web browser opens up a BT enabled headset to listen in on the microphone. Even better a BT camera... Set your thermostat to an ungodly temperature. The security flaws are self-evident for anyone with half a brain.
If we assume this would only be used for good though, this would be fantastic technology. It needs good security though. Request permission for each device from each domain separately and require an admin password to authorize each and every device.
"That's the way to do it" - Punch
So despite all ad blocking efforts from the user, this API provides a great pathway to do some digital fingerprinting and establish a cross-site identity.
You are aware that Google is an advertising company right? People tend to forget this fact and how it will tend to incentivize them as an organization. Your privacy is really of no concern to them unless it creates a PR problem.
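Two comments above ask for permission to be granted per device and per domain, and worry about Bluetooth devices being used as a cross-site identifier. The following is an added example, not code from the article, the thread or Chrome: a small Node.js model of such a grant store, in which every class, method and origin name is hypothetical and the device address is constructed.

```javascript
// Added illustration: per-origin, per-device Bluetooth grants (default deny).
// Not Chrome's implementation; all names here are hypothetical.
const { createHmac, randomBytes } = require('node:crypto');

class BluetoothGrantStore {
  constructor(profileKey = randomBytes(32)) {
    this.profileKey = profileKey; // secret kept per browser profile
    this.grants = new Map();      // origin -> Set of granted device addresses
  }

  // Opaque id handed to the page instead of the radio address. It is keyed
  // on the origin, so two sites seeing the same device cannot join on it.
  deviceIdFor(origin, address) {
    return createHmac('sha256', this.profileKey)
      .update(`${origin}\n${address.toLowerCase()}`)
      .digest('hex')
      .slice(0, 32);
  }

  // Called only after the user has picked this device for this origin.
  grant(origin, address) {
    if (!this.grants.has(origin)) this.grants.set(origin, new Set());
    this.grants.get(origin).add(address.toLowerCase());
    return this.deviceIdFor(origin, address);
  }

  revoke(origin, address) {
    const granted = this.grants.get(origin);
    return granted ? granted.delete(address.toLowerCase()) : false;
  }

  // A page can list only the devices granted to its own origin.
  visibleDevices(origin) {
    const granted = this.grants.get(origin) ?? new Set();
    return [...granted].map((addr) => this.deviceIdFor(origin, addr));
  }

  // An id issued to one origin is meaningless when presented by another.
  mayConnect(origin, deviceId) {
    return this.visibleDevices(origin).includes(deviceId);
  }
}
```

In this model a site that was never granted a device sees an empty list, and an identifier leaked from one site does not authorize or identify the device on another.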