Slashdot Mirror


Chrome 56 Quietly Added Bluetooth Snitch API (theregister.co.uk)

Richard Chirgwin, writing for The Register: When Google popped out Chrome 56 at the end of January it was keen to remind us it's making the web safer by flagging non-HTTPS sites. But Google made little effort to publicise another feature that's decidedly less friendly to privacy, because it lets websites ask about users' Bluetooth devices and harvest information from them through the browser. That's more a pitch to developers, as is clear in this YouTube video from Pete LePage of the Chrome Developers team. "Until now, the ability to communicate with Bluetooth devices has been possible only for native apps. With Chrome 56, your Web app can communicate with nearby Bluetooth devices in a private and secure manner, using the Web Bluetooth API," Google shares in the video. "The Web Bluetooth API uses the GATT [Generic Attribute Profile - ed] protocol, which enables your app to connect to devices such as light bulbs, toys, heart-rate monitors, LED displays and more, with just a few lines of JavaScript." In other words, the API lets websites ask your browser "what Bluetooth devices can you see," find out what your fridge, and so on, is capable of, and interact with it.

39 of 229 comments

  1. chromium? by Anonymous Coward · · Score: 3, Interesting

    Will this affect Chromium as well?

    1. Re:chromium? by Anonymous Coward · · Score: 2, Informative

      chrome://flags/
      Web Bluetooth
      Disable

    2. Re:chromium? by skids · · Score: 3

      One could hope. But these days I don't tend to trust off switches, or indicators, like I used to. Better to figure out if there's a way to block it using a security setting untouchable from chrome's privilege level. I fear that patch will lead into dbus-land rather than a sane SELinux policy.

    3. Re:chromium? by hairyfeet · · Score: 3

      Yeah, we've seen how well switches work with Windows 10, which still phones home to spam your data no matter how many switches you flip.

      As for TFA? Can we all accept that "Don't Be Evil" was nothing but marketing bullshit, no different than "Where Do You Want To Go Today?" or "Think Different", and had the same amount of effect on corporate policy as the other two catch phrases, i.e. none? As someone who was a big fan of Google (I still remember how giddy I was when I got invited to the Gmail alpha), sadly it looks like my theory was right, that all corps simply become evil when they reach a certain size. It's like there is this threshold, this line in the sand, where before they reach that line they are just another company, but once they reach a certain level of entrenchment and profitability? They go from coming up with cool new ideas and products to figuring out how to fuck competition with lobbying and doing any move to maximize profits no matter how sleazy and underhanded.

      It's a fucking shame, as Google used to be this cool think tank filled with super smart uber nerds that just threw cool new ideas at the wall and saw what stuck; now they are just as douchey as MSFT and Apple, just another corp happy to assfuck their customers if it nets them another couple percentage points in profits they can show on the quarterly earnings report.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Prepare for the era of Bluetooth spam 2.0 by fubarrr · · Score: 2

    Prepare for the era of Bluetooth spam 2.0. Now you don't even need to buy spammer hardware from the Chinese, just write a website with a BT spam script.

    1. Re:Prepare for the era of Bluetooth spam 2.0 by The-Ixian · · Score: 2

      Only if you are a Chrome user...

      --
      My eyes reflect the stars and a smile lights up my face.
  3. More evil by JaredOfEuropa · · Score: 5, Informative

    So despite all ad blocking efforts from the user, this API provides a great pathway to do some digital fingerprinting and establish a cross-site identity. And if you happen to log in on certain sites that use this, they will be able to establish your real identity on any other site from there on in as well.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    1. Re:More evil by werewolf1031 · · Score: 5, Insightful

      It makes sense to have the ability for web apps to interface w/BT devices

      Care to explain how this makes any sense at all? 'Cause right now all I see is the potential for massive security and real-world safety vulnerabilities.

    2. Re:More evil by DontBeAMoran · · Score: 3, Funny

      Your data is all they are after.

      I wouldn't want to be in Brent Spiner's shoes right now.

      --
      #DeleteFacebook
    3. Re:More evil by Polo · · Score: 3, Informative

      Actually, it is MUCH more insidious than this.

      Look at iBeacon or eddystone or equivalents.

      Bluetooth beacons enable fine-grained location tracking, at 1/10 of a second intervals.

      Retailers and others can place these in stores, track your location and behavior while walking through their store, and match it with a physical person at the register when paying with a credit card.

  4. It's official. by werewolf1031 · · Score: 2, Interesting

    Google has gone completely bat-shit insane. How on earth did they think this was a good idea, let alone actually go forward and implement such a thing in the release product?

    Just mind-boggling.

  5. Excuse me, I'm from Computer Services by ausekilis · · Score: 4, Insightful

    "Excuse me, I'm from the computer services group, and your A/C appears to be acting up... It's reporting . Please go to this website and click 'Accept' to all the prompts and we can diagnose it remotely".

    Yeah, no problem catching idiots with that...

    1. Re:Excuse me, I'm from Computer Services by Anonymous Coward · · Score: 4, Interesting

      You laugh, but some refrigerators now have a little speaker that will tweet out a high frequency tone/diagnostic code that a phone tech can receive when you call for service.

  6. Connected devices by grasshoppa · · Score: 3, Insightful

    I'll be honest, I just don't get the appeal. What the fuck do my appliances need connectivity for?

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
    1. Re:Connected devices by Anonymous Coward · · Score: 2, Funny

      How are the appliances going to join M2M (machine to machine) facebook, if they don't have connectivity? In there they will share funny and not so funny stories of their masters and plot world domination.

    2. Re:Connected devices by sl3xd · · Score: 4, Interesting

      Not intending to buy such appliances is only an option right now.

      We don't know if that option will remain open in the future.

      Personally, I think it's good to call out the bullshit now before it gains any momentum.

      --
      -- Sometimes you have to turn the lights off in order to see.
  7. ... in a private and secure manner by Errol+backfiring · · Score: 4, Insightful

    your Web app can communicate with nearby Bluetooth devices in a private and secure manner, using the Web Bluetooth API

    Given the fact that even the battery API was abandoned for privacy reasons, I just don't believe it is ever possible to do this securely and privately. This is just an attack vector begging to be exploited.

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  8. 180 from "Don't be evil" by sinij · · Score: 2

    This is the complete opposite of "Don't be evil". This is outright intrusive and evil.

    1. Re:180 from "Don't be evil" by DickBreath · · Score: 2

      Microsoft did a 360 move from "be evil".

      --
      I'll see your senator, and I'll raise you two judges.
  9. Re:Power by fyngyrz · · Score: 4, Funny

    Bluetooth my refrigerator down, and the science projects in it will become more powerful than you can imagine.

    --
    I've fallen off your lawn, and I can't get up.
  10. Re:Wheres firefox support? by Oswald+McWeany · · Score: 2

    And Malware reporting fake heart-attacks.

    --
    "That's the way to do it" - Punch
  11. Google is doing what advertising companies do by sjbe · · Score: 3, Insightful

    So despite all ad blocking efforts from the user, this API provides a great pathway to do some digital fingerprinting and establish a cross-site identity.

    You are aware that Google is an advertising company right? People tend to forget this fact and how it will tend to incentivize them as an organization. Your privacy is really of no concern to them unless it creates a PR problem.

  12. Ransomware Gold by MAurelius · · Score: 2

    How long before the criminals use the Bluetooth connection to turn off various important household systems? When it's -10 degrees F/ -23 C in the upper Midwest of the US and in Canada it is highly inconvenient to get a message to the effect that "Your Carrier Xfinity Furnace has been turned off and locked by us by remotely disabling the furnace control board firmware. To receive the code to unlock it and restore heat in your house, please submit 2 Bitcoin (about US$ 2000) to the following account before your pipes and your family freeze. And by the way, we also opened your garage door for your convenience and more rapid cooling." I would be very interested to know how to disable the Bluetooth API in the new versions of Chrome/Chromium. (I run both).
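An added example, not part of the thread, for the question above and for the chrome://flags reply earlier in the thread: the flag toggle is a per-install setting that anyone with access to the browser can flip back, whereas a managed policy file owned by root is read by every profile and cannot be overridden from inside the browser. The file below assumes a Linux install; the policy directory differs between builds (Chromium reads `/etc/chromium/policies/managed/`, Google Chrome reads `/etc/opt/chrome/policies/managed/`), so check your distribution's packaging. The policy name `DefaultWebBluetoothGuardSetting` with value `2` means no site may request access to Bluetooth devices through the Web Bluetooth API.

```json
{
  "DefaultWebBluetoothGuardSetting": 2
}
```

Save it as, for example, `/etc/chromium/policies/managed/web-bluetooth.json` with mode 0644 owned by root, restart the browser, and confirm on the `chrome://policy` page that the policy shows as loaded with no error.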

  13. Re:The Absurdity of Atheism by DontBeAMoran · · Score: 3, Interesting

    The real question is, why is such a wall of text, posted by an AC and with a score of -1, auto-expanded to full view while some real comments are not?

    --
    #DeleteFacebook
  14. Makes me miss Microsoft Office macros by lucasnate1 · · Score: 2

    This reminds me of the good old days when you could run code in documents and infect people with them. The only difference is that at least in that case, this was limited only to documents and only from Microsoft. Nowadays, since everything is being pushed to the web, this is much worse.

    1. Re:Makes me miss Microsoft Office macros by Mike+Van+Pelt · · Score: 2

      You can still run code in documents. It is one of the major vectors for the spread of Locky.

      Granted, Microsoft sets macros disabled by default, but all that's necessary is for the document with the Locky downloader to display "Secure Document: You must click "enable content" in order to view it." Two problems: One, Microsoft's "Click this to let any random malefactor ream you with malicious macros" button is given so innocuous a name as "enable content", and two, way, way too many people fall for it. (See how often the Locky folks succeed at this tactic.)

  15. I think it's good by iampiti · · Score: 4, Interesting

    ...provided that the user is informed when a website wants to use it and it's strictly opt in. Firefox works this way regarding sharing of location information.
    My point is that everything that lessens the dependence on native apps is good because then it's less difficult to change platforms.

  16. Re:Power by DontBeAMoran · · Score: 2

    We're sorry, but your 19-month-old salad is not a "science project". Throw it away already.

    Signed,
    your roommates.

    --
    #DeleteFacebook
  17. Re:Would you prefer that it be exclusive to an OS? by skids · · Score: 5, Informative

    Would you prefer that only native apps be able to access Bluetooth devices?

    I'd prefer all my "apps" to be applications, personally, with auditable source code that doesn't get automatically "upgraded" under my feet on a schedule of someone else's choosing.

  18. Re:Would you prefer that it be exclusive to an OS? by Misagon · · Score: 3, Informative

    Hell yes, I want only native applications to access my Bluetooth devices: only the apps that I choose to install, and only those which I give permission to access Bluetooth devices directly.

    That's two layers of security right there that I don't want to trade away.
    Building cross-platform apps is another problem.

    --
    "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
  19. Re:The Absurdity of Atheism by JustAnotherOldGuy · · Score: 2

    when no man has ever traveled through all time and space.

    But I've done both, as has everyone here.

    Show me someone who hasn't traveled through time and space and then maybe I'll pay attention.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  20. Device classes of which an OS is not yet aware by tepples · · Score: 2

    No, I prefer that no software except the Bluetooth driver recognize a device as being Bluetooth. As far as any application can tell, a Bluetooth headset with microphone should be indistinguishable from any other stereo audio output and mono audio input.

    That works because your PC's operating system is aware of "stereo audio output" and "mono audio input" as a device class. Are the major PC operating systems aware of, say, "CNC mill" or "3D printer" as a device class yet?

  21. Re:Power by fahrbot-bot · · Score: 2

    You have no _idea_ what my fridge is capable of.

    As long as it stays cool under pressure.

    (Ha, an HVAC joke on /.)

    --
    It must have been something you assimilated. . . .
  22. Re:Would you prefer that it be exclusive to an OS? by omnichad · · Score: 2

    By definition (this being a web API), the devices that require this already phone home through whatever app and the remote end of the API can be disabled for your old version anyway. This means Linux support where there would normally be none.

  23. Wow. by SeaFox · · Score: 2

    "The Web Bluetooth API uses the GATT [Generic Attribute Profile - ed] protocol, which enables your app to connect to devices such as light bulbs, toys, heart-rate monitors, LED displays and more, with just a few lines of JavaScript."

    Forget ransomware. We're one bluetooth-enabled pacemaker away from hostageware.
    "Do not step away from your computer, until you complete the following form to send us 4.9 BTC..."

  24. Not at all by Assembler · · Score: 5, Informative

    Is this even a tech blog anymore? These assumptions about privacy loss only make sense if you haven't done even the most trivial reading of the spec. The docs are here: https://developers.google.com/... A site can request to connect to a bluetooth device. Chrome prompts the user for which one (or none), and the website can then interact with the selected device. I did less than a minute's worth of research. It's even mentioned in the article, but then the article just goes on to assume that the user has granted permission to the page to access every device they have somehow. Maybe I've missed something, but nobody seems to be talking about the actual implementation.

  25. User permission required by Anonymous Coward · · Score: 2, Informative

    _The UA MUST inform the user what capabilities these services give the website before asking which devices to entrust to it. If any services in the list aren't known to the UA, the UA MUST assume they give the site complete control over the device and inform the user of this risk. The UA MUST also allow the user to inspect what sites have access to what devices and revoke these pairings._

    https://webbluetoothcg.github.io/web-bluetooth/#security-and-privacy

    FUD article. Put your fucking pitchforks down.
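An added example, not code from the article, the spec or any commenter, that illustrates the flow the two posts above describe: a site calls `requestDevice()` with filters, the browser shows a chooser, and the user picks one device or none. The browser's `navigator.bluetooth` object is passed in as a parameter so the flow can be exercised here against a constructed stand-in (the fake device list, chooser and GATT server below are all made up for the demo); in a real page the same function would receive the real object from a click handler, since `requestDevice()` must be triggered by a user gesture. The service and characteristic names `heart_rate` and `heart_rate_measurement` are the standard GATT aliases the API accepts; `vendor_light_control` is an invented placeholder.

```javascript
// Added example, not code from the article, the spec or any commenter. It
// models the Web Bluetooth permission flow the spec's security section
// describes: the site asks for a device, the browser shows a chooser, and the
// user picks one device or none. The browser object (navigator.bluetooth) is a
// parameter so the flow can run here against a constructed stand-in; in a page
// you would pass the real object from a click handler, because requestDevice()
// must be triggered by a user gesture.

// Options for requestDevice(). The least-privilege form lists only the GATT
// services the site needs: just devices advertising them appear in the chooser,
// and only those services are reachable after the user picks one. The
// permissive form (acceptAllDevices: true) lists every nearby device and needs
// optionalServices to reach anything at all; it is the form to avoid.
function buildRequestOptions(serviceUuids, { acceptAll = false } = {}) {
  if (!Array.isArray(serviceUuids) || serviceUuids.length === 0) {
    throw new TypeError("list the GATT services the site actually needs");
  }
  return acceptAll
    ? { acceptAllDevices: true, optionalServices: serviceUuids }
    : { filters: [{ services: serviceUuids }] };
}

// Devices a chooser would list for a given options object (what the user sees
// before anything is granted).
function candidatesFor(nearby, options) {
  if (options.acceptAllDevices) return nearby;
  const wanted = options.filters.flatMap((f) => f.services || []);
  return nearby.filter((d) => wanted.some((s) => d.services.includes(s)));
}

// Decode a GATT Heart Rate Measurement value: flag bit 0 selects an 8-bit or a
// little-endian 16-bit heart-rate field.
function parseHeartRateMeasurement(view) {
  return view.getUint8(0) & 0x01 ? view.getUint16(1, true) : view.getUint8(1);
}

// Site-side flow. NotFoundError means the user chose nothing (or nothing
// matched); that is the normal "no", and the site learns nothing about devices.
async function readHeartRate(bluetooth, options) {
  let device;
  try {
    device = await bluetooth.requestDevice(options);
  } catch (err) {
    if (err.name === "NotFoundError") return { status: "declined" };
    throw err;
  }
  const server = await device.gatt.connect();
  const service = await server.getPrimaryService("heart_rate");
  const chr = await service.getCharacteristic("heart_rate_measurement");
  const bpm = parseHeartRateMeasurement(await chr.readValue());
  return { status: "ok", name: device.name, bpm };
}

// ---- Constructed stand-ins for navigator.bluetooth and a GATT device ----

function fakeDevice(name, services, measurementBytes) {
  const view = new DataView(Uint8Array.from(measurementBytes).buffer);
  const characteristic = { async readValue() { return view; } };
  const service = { async getCharacteristic() { return characteristic; } };
  const server = {
    async getPrimaryService(uuid) {
      if (services.includes(uuid)) return service;
      const e = new Error(`no such service: ${uuid}`);
      e.name = "NotFoundError";
      throw e;
    },
  };
  return { name, services, gatt: { async connect() { return server; } } };
}

// `chooser` stands in for the browser's picker: it receives the candidates and
// returns the user's choice, or null when the user cancels.
function fakeBluetooth(nearby, chooser) {
  return {
    async requestDevice(options) {
      const chosen = chooser(candidatesFor(nearby, options));
      if (chosen) return chosen;
      const e = new Error("user cancelled the chooser");
      e.name = "NotFoundError";
      throw e;
    },
  };
}

// Constructed sample: one heart-rate monitor (16-bit value 72) and one lamp
// with an invented vendor service name.
const NEARBY = [
  fakeDevice("HRM strap", ["heart_rate"], [0x01, 0x48, 0x00]),
  fakeDevice("Desk lamp", ["vendor_light_control"], []),
];

const OPTS = buildRequestOptions(["heart_rate"]);
// User picks the first listed device: { status: 'ok', name: 'HRM strap', bpm: 72 }
readHeartRate(fakeBluetooth(NEARBY, (c) => c[0]), OPTS).then(console.log);
// User cancels the chooser: { status: 'declined' }
readHeartRate(fakeBluetooth(NEARBY, () => null), OPTS).then(console.log);
```

With the `heart_rate` filter the lamp never appears in the chooser, and a cancelled chooser surfaces to the page only as a `NotFoundError`, so the site learns neither which devices are nearby nor why it was refused; that is the boundary the spec text quoted above is describing.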

  26. Re:The Absurdity of Atheism by ZipK · · Score: 3, Funny

    The real question is, why is such a wall of text, posted by an AC and with a score of -1, auto-expanded to full view while some real comments are not?

    The power of God.

  27. Misunderstand the technology by Actually,+I+do+RTFA · · Score: 2

    This web protocol uses the GATT protocol. That means that the Bluetooth devices must be open-protocolled. Therefore, you don't have to worry about closed-source apps; someone can always build an OS X/Windows/Linux version.

    --
    Your ad here. Ask me how!