Chrome 56 Quietly Added Bluetooth Snitch API

Richard Chirgwin, writing for The Register: When Google popped out Chrome 56 at the end of January it was keen to remind us it's making the web safer by flagging non-HTTPS sites. But Google made little effort to publicise another feature that's decidedly less friendly to privacy, because it lets websites ask about users' Bluetooth devices and harvest information from them through the browser. That's more a pitch to developers, as is clear in this YouTube video from Pete LePage of the Chrome Developers team. "Until now, the ability to communicate with Bluetooth devices has been possible only for native apps. With Chrome 56, your Web app can communicate with nearby Bluetooth devices in a private and secure manner, using the Web Bluetooth API," Google shares in the video. "The Web Bluetooth API uses the GATT [Generic Attribute Profile - ed] protocol, which enables your app to connect to devices such as light bulbs, toys, heart-rate monitors, LED displays and more, with just a few lines of JavaScript." In other words, the API lets websites ask your browser "what Bluetooth devices can you see," find out what your fridge, and so on, is capable of, and interact with it.

chromium?

[Anonymous Coward]

Will this affect Chromium as well?

Re:

[Anonymous Coward]

chrome://flags/
Web Bluetooth
Disable

Re:chromium?

[skids]

One could hope. But these days I don't tend to trust off switches, or indicators, like I used to. Better to figure out if there's a way to block it using a security setting untouchable from chrome's privilege level. I fear that patch will lead into dbus-land rather than a sane SELinux policy.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Prepare for the era of Bluetooth spam 2.0

[fubarrr]

Prepare for the era of Bluetooth spam 2.0. Now, you don't even need to buy spammer hardware from Chinese, just write a website with bt spam script.

Re:

[The-Ixian]

Only if you are a Chrome user...

Re:

[Jeff DeMaagd]

They also said other browsers support same but didn't say anything more specific, such as who and what versions they started supporting it.

Re:

[ArchieBunker]

You know Firefox is going to follow suit as they have become Chrome Junior.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Carewolf]

Do we know at this stage whether this feature requires permission from the user (like going fullscreen)

Going to fullscreen these days do not require permission from the user. Chrome just goes to fullscreen and ask the user afterward. Google wellknowning this a giant security risk have "fixed" this by only allowing https connections to use the fullscreen feature... Because people who wants to do bad things could never get an https certificate.

This will probably be "secured" the same way, as it appears to be Google's goto solution when doing things right is too much bother.

Make it stop!

[goombah99]

Google is the new Microsoft which was the computer equivalent of the Fuller Brush salesman shoving his foot in your door. I hope this is OFF by default.

More evil

[JaredOfEuropa]

So despite all ad blocking efforts from the user, this API provides a great pathway to do some digital fingerprinting and establish a cross-site identity. And if you happen to log in on certain sites that use this, they will be able to establish your real identity on any other site from there on in as well.

Google is doing what advertising companies do

[sjbe]

So despite all ad blocking efforts from the user, this API provides a great pathway to do some digital fingerprinting and establish a cross-site identity.

You are aware that Google is an advertising company right? People tend to forget this fact and how it will tend to incentivize them as an organization. Your privacy is really of no concern to them unless it creates a PR problem.

Re:

[DontBeAMoran]

The solution is simple: do not use anything with bluetooth.

Re:

[omnichad]

It's a W3C draft [github.io] right now.

Re:

[omnichad]

I skimmed and skipped over all but the letters/numbers W3C where it showed they were using their platform but were otherwise unaffiliated. I'd edit my post, but this is Slashdot.

Re:

[lactose99]

Yes so they can sell you evil things, ensure you're only doing evil deeds and make sure you're not moistening yourself with any unauthorized substances.

Re:

[ArchieBunker]

The cookies and advertising scripts have already identified you long ago. Not to mention all the big names selling metrics to each other.

Re:More evil

[Polo]

Actually, it is MUCH more insidious than this.

Look at iBeacon or eddystone or equivalents.

Bluetooth beacons enable fine-grained location tracking, at 1/10 of a second intervals.

Retailers and others can place these in stores, track your location and behavior while walking through their store, and match it with a physical person at the register when paying with a credit card.

Re:More evil

[werewolf1031]

It makes sense to have the ability for web apps to interface w/BT devices

Care to explain how this makes any sense at all? 'Cause right now all I see is the potential for massive security and real-world safety vulnerabilities.

Would you prefer that it be exclusive to an OS?

[tepples]

Would you prefer that only native apps be able to access Bluetooth devices? Then companies will just make the required native app exclusive to the operating system other than the one that your PC runs. For example, one company might be tempted to make a device's corresponding native app exclusive to macOS. Another might be tempted to make its own exclusive to Windows.

Re:Would you prefer that it be exclusive to an OS?

[skids]

Would you prefer that only native apps be able to access Bluetooth devices?

I'd prefer all my "apps" top be applications, personally, with auditable source code that doesn't get automatically "upgraded" under my feet at a schedule of someone else's choosing.

Compiled a Windows app for your Mac lately?

[tepples]

Good luck compiling "auditable source code" that depends on Cocoa for anything other than macOS, particularly if it depends on the parts of Cocoa that GNUstep doesn't replicate. Or vice versa: Good luck compiling a Win32 application and device driver on macOS or Linux. (Wine doesn't run drivers.)

Re:

[omnichad]

By definition (this being a web API), the devices that require this already phone home through whatever app and the remote end of the API can be disabled for your old version anyway. This means Linux support where there would normally be none.

Re:Would you prefer that it be exclusive to an OS?

[Misagon]

Hell Yes, I want only native applications to access my Bluetooth devices: Only the apps that I choose to install and only those which I give permission to access Bluetooth devices directly,

That's two layers of security right there that I don't want to trade away.
Building cross-platform apps is another problem.

Re:

[tepples]

Hell Yes, I want only native applications to access my Bluetooth devices: Only the apps that I choose to install [...] Building cross-platform apps is another problem.

But "another problem" is exactly the problem to which I was referring. Good luck "choos[ing] to install" a .msi on your Mac or the contents of a .dmg on your not-Mac.

Misunderstand the technology

[Actually, I do RTFA]

This web protocol uses the GATT protocol. That means that the bluetooth devices must be open-protocolled. Therefore, you don't have to worry about closed sourced apps, someone can always build an osx/windows/linux version.

Device classes of which an OS is not yet aware

[tepples]

No, I prefer that no software except the Bluetooth driver recognize a device as being Bluetooth. As far as any application can tell, a Bluetooth headset with microphone should be indistinguishable from any other stereo audio output and mono audio input.

That works because your PC's operating system is aware of "stereo audio output" and "mono audio input" as a device class. Are the major PC operating systems aware of, say, "CNC mill" or "3D printer" as a device class yet?

Re:

[omnichad]

I'm not familiar with much else that Bluetooth is useful for, so I suppose there might exist a format where it does not make sense to restrict details to the driver, but I'm having trouble imagining one.

Non-wifi smart things, like a Fitbit would be one. Anything that exists solely to collect data to then be processed by a remote server would qualify.

Re:

[omnichad]

Nobody can figure out how to install the Fitbit app on their PC, but they will go to a web site.

If they had sane defaults—like prompting before discovery of BT devices and the user selecting the device to pair with, only showing the device that was allowed and no blanket ability to discover—then it might not be so bad.

Re:More evil

[DontBeAMoran]

Your data is all they are after.

I wouldn't want to be in Brent Spiner's shoes right now.

It's official.

[werewolf1031]

Google has gone completely bat-shit insane. How on earth did they think this was a good idea, let alone actually go forward and implement such a thing in the release product?

Just mind-boggling.

Re:

[Oswald McWeany]

Oh, I understand how this can be very good business tool.

One example: Your company produces a device that can be configured using a webbrower. Your BT enabled widget can now be set up and controlled just by going to a web page. No platform specific code required making it cheaper to set up and maintain. The end result is somewhat respectable.

Of course, this opens up a whole bunch of security holes. Your web browser opens up a BT enabled headset to listen in on the microphone. Even better a BT camera...

Re:

[tepples]

require an admin password to authorize each and every device.

Getting the user in the habit of entering the admin password that often is a good way to phish admin passwords.

Re:

[Oswald McWeany]

Hopefully they won't have that many BT devices they WANT the web to connect to.

If I'm reading Slashdot and it pops up a window that Slashdot wants to connect to my bedroom video camera* I'm not going to give it permission. The times I want a domain to be able to access a Bluetooth device will be few and far between.

*I don't really have one, just an example

Re:

[omnichad]

They want to replace all native apps with web apps, so they can be involved. They already have your webcam, gamepad, speakers, and microphone. This is just the last important piece for them.

Re:

[Carewolf]

Google has gone completely bat-shit insane. How on earth did they think this was a good idea, let alone actually go forward and implement such a thing in the release product?

Just mind-boggling.

Well it made perfect sense as the follow up to WebUSB and WebMIDI (yes those are real things implemented in Chrome).

Re:

[DontBeAMoran]

Maybe you forgot that Google has been in that market for two years already [wired.com].

Excuse me, I'm from Computer Services

[ausekilis]

"Excuse me, I'm from the computer services group, and your A/C appears to be acting up... It's reporting . Please go to this website and click 'Accept' to all the prompts and we can diagnose it remotely".

Yea, no problem catching idiots with that...

Re:Excuse me, I'm from Computer Services

[Anonymous Coward]

You laugh, but some refrigerators now have a little speaker that will tweet out a high frequency tone/diagnostic code that a phone tech can receive when you call for service.

Re:

[The-Ixian]

Well... that's great an all, but what would be really cool is if we could take out that whole human intervention and get the diagnostic code directly. An Internet connection to your dryer should do the trick...

Re:

[DontBeAMoran]

Ok, I clicked 'Accept' to all the prompts, can you tell me the results of the diagnosis?

Also, is it normal that my fridge is trying to cook my ice cream?

Thank you.

If I'm forced to update

[JustNiz]

This will be the first thing I block.

Connected devices

[grasshoppa]

I'll be honest, I just don't get the appeal. What the fuck do my appliances need connectivity for?

Re:

[Jeff DeMaagd]

I don't either. I don't intend to buy such appliances. They'll be woefully out of date for most of their useful life. They're often insecure as shipped and I doubt a notable number of them will ever get updates.

Re:Connected devices

[sl3xd]

Not intending to buy such appliances is only an option right now.

We don't know if that option will remain open in the future.

Personally, I think it's good to call out the bullshit now before it gains any momentum.

Re:

[Anonymous Coward]

How are the appliances going to join M2M (machine to machine) facebook, if they don't have connectivity? In there they will share funny and not so funny stories of their masters and plot world domination.

Re:

[DontBeAMoran]

Maybe we'd finally learn what happened to all the missing socks, though.

Re:

[Lisias]

IoT . Google wants to control your IoT.

Re:

[Lisias]

Do you see what I mean? [wired.com]

Re:

[sl3xd]

I'm generally in the camp of "If your 2nd factor is an app you're doing it wrong".

2nd factor is pretty worthless if it doesn't require human interaction, otherwise, you get malware working with a keylogger to silently connect over Bluetooth and obtain valid 2nd factor as long as you're within range.

... in a private and secure manner

[Errol backfiring]

your Web app can communicate with nearby Bluetooth devices in a private and secure manner, using the Web Bluetooth API

Given the fact that even the battery API was abandoned for privacy reasons, I just don't believe it is ever possible to do this securely and privately. This is just an attack vector begging to be exploited.

Re:

[drinkypoo]

Given the fact that even the battery API was abandoned for privacy reasons, I just don't believe it is ever possible to do this securely and privately.

Chrome allows filesystem access. You give permission for an app to access a specific location in your filesystem. I don't see why you can't just be asked whether you want to give permission to do Bluetooth things, through the same mechanism.

Re:

[sl3xd]

The difference being that filesystem access is still gated by the OS.

Re:

[gravewax]

All fine and good until the next browser vulnerability. Chrome is one of the better browsers security wise (at least compared to Firefox) but their is still a regular flow of vulnerabilities. Add in stupid users who click yes to anything as they don't understand the implications.

Re:

[DontBeAMoran]

But you can't even trust the tin foil since it's been made with computer-controlled machines.

Re:

[ls671]

yep, computer-controlled machines that get more and sophisticated every year so the tinfoil get thinner and thinner every year but the price still goes up...

180 from "Don't be evil"

[sinij]

This is complete opposite from "Don't be evil". This is outright intrusive and evil.

Re:

[kbonin]

If true, this is a Microsoft level move: "increasing our market share is more important than your security or privacy".

Re:

[DickBreath]

Microsoft did a 360 move from "be evil".

Re:

[sl3xd]

This is complete opposite from "Don't be evil". This is outright intrusive and evil.

Big brother is real... he's just not a government employee, nor does he work for Apple or Microsoft.

When Google does absolutely anything that's pro-user and pro-privacy at the cost of advertiser intrusiveness, I'll re-evaluate that statement.

Re:

[sinij]

Google is a company run by techies. I liked to pretend that we are better than empty BA suits or bozos in marketing, but turns out that this is not the case.

Re:

[sl3xd]

Google was a company run by techies. Techies haven't been making the calls for quite some time now - Google's advertising clients do. Or have you been willfully ignorant of the past decade?

Re:

[ls671]

NOBODY can be trusted when it comes to money.

False, send me 10,000$ and I will prove it to you.

Been there, done that,

[Lisias]

ActiveX.

Good luck with that. We will need it.

Re:

[ls671]

So this should be called ActiveY? Active, why?

Ransomeware Gold

[MAurelius]

How long before the criminals use the Bluetooth connection to turn off various important household systems? When it's -10 degrees F/ -23 C in the upper Midwest of the US and in Canada it is highly inconvenient to get a message to the effect that "Your Carrier Xfinity Furnace has been turned off and locked by us by remotely disabling the furnace control board firmware. To receive the code to unlock it and restore heat in your house, please submit 2 Bitcoin (about US$ 2000) to the following account before you

Re:

[omnichad]

There's already microphone and webcam APIs that are just as useful to criminals - but both require permission.

Re:

[mvdwege]

Rename google-chrome to google-chrome.real. Then create the following shell script and name it google-chrome:

#!/bin/sh

sudo modprobe -r btusb
google-chrome.real
sudo modprobe btusb

Voila, as long as chrome is running, no Bluetooth. And yes, I'm only semi-joking.

Re:

[ls671]

I suggest creating a group for bt access and change the permissions in /dev so only members of that group can access it instead. I already browse the web using a user that has limited permissions.

Re:

[ls671]

I would be very interested to know how to disable the Bluetooth API in the new versions of Chrome/Chromium. (I run both).

Just wrap all your devices in tinfoil and connect to ground, it works well here...

Makes me miss Microsoft Office macros

[lucasnate1]

This reminds of the good old days when you could run code in documents and infect people with them. The only difference is that at least in that case, this was limited only to documents and only from microsoft. Nowadays, since everything is being to pushed to the web, this is much worse.

Re:

[Mike Van Pelt]

You can still run code in documents. It is one of the major vectors for the spread of Locky.

Granted, Microsoft sets macros disabled by default, but all that's necessary is for the document with the Locky downloader to display "Secure Document: You must click "enable content" in order to view it." Two problems: One, Microsoft's "Click this to let any random malefactor ream you with malicious macros" button is given so innocuous a name as "enable content", and two, way, way too many people fall for it. (

I think it's good

[iampiti]

...provided that the user is informed when a website wants to use it and it's strictly opt in. Firefox works this way regarding sharing of location information.
My point is that everything that lessens the dependence on native apps is good because then it's less difficult to change platforms.

Re:

[MatthiasF]

Yes, let's open up web browsers into becoming a huge security and privacy invasion vector so you don't need to use "native apps" because it's "difficult to change platforms".

Meanwhile, any application developer with half a brain should be making their software in a method that is easily ported to the three major platforms.

But no, we should not expect them to do that. Instead, let's just open the browser up to do everything under the sun and hope nothing goes wrong. /s

Re:

[ls671]

... making their software in a method that is easily ported to the three major platforms. ...

Not sure what you mean here: AIX , OS2 and Digital Unix?

Granular permissions

[John Allsup]

Something Android does, or tries to do at least, is to have a granular permissions system for apps. Chrome should do similar for websites, where by default those things capable of causing problems are switched off. For sites that genuinely make good use of Bluetooth (and where the user is happy with this), it should be easy enough to grant permissions. In addition, when it comes to granting permissions, there is the opportunity to add information, and to hide/detect more dangerous choices.

Meet the new boss, same as the old boss.

[PingSpike]

Now that firefox has withered away and IE "edged" its marketshare into the toilet to the benefit of Chrome its time google start flexing its muscle to abuse its dominate position.

Wow.

[SeaFox]

"The Web Bluetooth API uses the GATT [Generic Attribute Profile - ed] protocol, which enables your app to connect to devices such as light bulbs, toys, heart-rate monitors, LED displays and more, with just a few lines of JavaScript."

Forget ransomware. We're one bluetooth-enabled pacemaker away from hostageware.
"Do not step away from your computer, until you complete the following form to send us 4.9 BTC..."

Not at all

[Assembler]

Is this even a tech blog anymore? These assumptions about privacy loss only make sense if you haven't done even the most trivial reading of the spec. The docs are here: https://developers.google.com/... [google.com] A site can request to connect to a bluetooth device. Chrome prompts the user for which one (or none), and the website can then interact with the selected device. I did less than a minute's worth of research. It's even mentioned in the article, but then the article just goes on to assume that the user has granted permission to the page to access every device they have somehow. Maybe I've missed something, but nobody seems to be talking about the actual implementation.

User permission required

[Anonymous Coward]

_The UA MUST inform the user what capabilities these services give the website before asking which devices to entrust to it. If any services in the list arenâ(TM)t known to the UA, the UA MUST assume they give the site complete control over the device and inform the user of this risk. The UA MUST also allow the user to inspect what sites have access to what devices and revoke these pairings._

https://webbluetoothcg.github.io/web-bluetooth/#security-and-privacy

FUD article. Put your fucking pitchforks do

GATT [Generic Attribute Profile - ed]

[frovingslosh]

Thanks msmash (ed), it is nice to have it explained that TT stands for Profile.

Re:

[drinkypoo]

I just got done setting up a heart rate monitor on a machine at a clinic where we use a web based software package on firefox.

Great. So now you have to worry about whether Firefox updates and breaks it.

Re:

[Oswald McWeany]

And Malware reporting fake heart-attacks.

Re:

[JustAnotherOldGuy]

when no man has ever traveled through all time and space.

But I've done both, as has everyone here.

Show me someone who hasn't traveled through time and space and then maybe I'll pay attention.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:The Absurdity of Atheism

[DontBeAMoran]

The real question is, why is such a wall of text, posted by an AC and with a score of -1, auto-expanded to full view while some real comments are not?

Re:The Absurdity of Atheism

[ZipK]

The real question is, why is such a wall of text, posted by an AC and with a score of -1, auto-expanded to full view while some real comments are not?

The power of God.

Re:

[JustAnotherOldGuy]

It's been awhile since we've had jesus freaks spamming shit here. It's nostalgic of the time when we actually fought against ignorance. Today we're only 'allowed' to fight ignorance when it isn't islam.

The funny thing is that this nutter is almost certainly turning people off to his kooky fairy tale rather than making them interested in it.

Re:

[omnichad]

Hey, at least he's not promoting ad-blocking with an unblockable ad.

Re:

[DickBreath]

I don't care how powerful your fridge is. I really don't. So don't be paranoid.

What I care about is what your fridge contains, whether I want to eat / drink it, and whether it is equipped to download the contents to me. My concern is whether the bluetooth would be the slowest part of the connection.

Re:Power

[fyngyrz]

Bluetooth my refrigerator down, and the science projects in it will become more powerful than you can imagine.

Re:

[DontBeAMoran]

We're sorry but your 19-months-old salad is not a "science project". Throw it away already.

Signed,
your roommates.

Re:

[wbr1]

That's a salad? I thought it was Bolognese...hmmm

Re: Power

[qbast]

I thought it as well. But then it growled at me.

Re:

[fahrbot-bot]

You have no _idea_ what my fridge is capable of.

As long as it stays cool under pressure.

(Ha, an HVAC joke on /.)

Re:

[tepples]

I don't see how Bluetooth helps with fingerprinting users if the user has to first click "Allow for https://example.com/ [example.com]".

If you are addressing this from a position of objecting to fingerprinting in general: The easiest way to fingerprint users is to require a Google, Facebook, Twitter, Microsoft, or email account login to read past the abstract. As browsers add anti-fingerprinting measures, watch more sites become "free reg. req."

Re: Advancements

[gweilo8888]

That's not even remotely what this is for. This will be used predominantly for more accurately tracking whom you are (even if you dump your cookies, switch machines etc.) by noting which bluetooth devices are frequently visible from your browsing device, and then pairing that with all the other info they already had on you. This is all about uncloaking the anonymous, and nothing else at all.

Re:

[ls671]

Then somebody has to come up with a tool that fakes all kinds of USB devices at random to fool the trackers...

Re:

[ls671]

err.. damn: BT devices ;-)