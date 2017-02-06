Chrome 56 Quietly Added Bluetooth Snitch API (theregister.co.uk) 45
Richard Chirgwin, writing for The Register: When Google popped out Chrome 56 at the end of January it was keen to remind us it's making the web safer by flagging non-HTTPS sites. But Google made little effort to publicise another feature that's decidedly less friendly to privacy, because it lets websites ask about users' Bluetooth devices and harvest information from them through the browser. That's more a pitch to developers, as is clear in this YouTube video from Pete LePage of the Chrome Developers team. "Until now, the ability to communicate with Bluetooth devices has been possible only for native apps. With Chrome 56, your Web app can communicate with nearby Bluetooth devices in a private and secure manner, using the Web Bluetooth API," Google shares in the video. "The Web Bluetooth API uses the GATT [Generic Attribute Profile - ed] protocol, which enables your app to connect to devices such as light bulbs, toys, heart-rate monitors, LED displays and more, with just a few lines of JavaScript." In other words, the API lets websites ask your browser "what Bluetooth devices can you see," find out what your fridge, and so on, is capable of, and interact with it.
Will this affect Chromium as well?
Of course, they're talking about a web bluotooth API not just some binary blob like the voice recognition one.
Prepare for the era of Bluetooth spam 2.0. Now, you don't even need to buy spammer hardware from Chinese, just write a website with bt spam script.
Only if you are a Chrome user...
They also said other browsers support same but didn't say anything more specific, such as who and what versions they started supporting it.
Do we know at this stage whether this feature requires permission from the user (like going fullscreen), or just happens without the user having any control over what's going on (like autoplaying videos)?
If the former, it's going to be hard to spam people, and it kinda makes sense as an API given the move to shift desktop applications to the web. If the latter, I'm uninstalling Chrome and f--- em.
You have no _idea_ what my fridge is capable of.
What I care about is what your fridge contains, whether I want to eat / drink it, and whether it is equipped to download the contents to me. My concern is whether the bluetooth would be the slowest part of the connection.
Bluetooth my refrigerator down, and the science projects in it will become more powerful than you can imagine.
It all depends on permissions and default permissions. It makes sense to have the ability for web apps to interface w/BT devices, and that can't happen unless the app can 'see' BT devices to begin with. Android already has this ability to see all your BT devices, and keep a record of them. It knows what they are, etc.
Like many features, this one has the potential for good use and we as ab use.
It makes sense to have the ability for web apps to interface w/BT devices
Care to explain how this makes any sense at all? 'Cause right now all I see is the potential for massive security and real-world safety vulnerabilities.
So despite all ad blocking efforts from the user, this API provides a great pathway to do some digital fingerprinting and establish a cross-site identity.
You are aware that Google is an advertising company right? People tend to forget this fact and how it will tend to incentivize them as an organization. Your privacy is really of no concern to them unless it creates a PR problem.
Google has gone completely bat-shit insane. How on earth did they think this was a good idea, let alone actually go forward and implement such a thing in the release product?
Just mind-boggling.
Oh, I understand how this can be very good business tool.
One example: Your company produces a device that can be configured using a webbrower. Your BT enabled widget can now be set up and controlled just by going to a web page. No platform specific code required making it cheaper to set up and maintain. The end result is somewhat respectable.
Of course, this opens up a whole bunch of security holes. Your web browser opens up a BT enabled headset to listen in on the microphone. Even better a BT camera...
Yea, no problem catching idiots with that...
This will be the first thing I block.
I just got done setting up a heart rate monitor on a machine at a clinic where we use a web based software package on firefox. The bluetooth stuff is one of the last things requiring a native application. I wonder how much longer we'll need any native software at all with stuff like this coming out.
I just got done setting up a heart rate monitor on a machine at a clinic where we use a web based software package on firefox.
Great. So now you have to worry about whether Firefox updates and breaks it.
And Malware reporting fake heart-attacks.
I'll be honest, I just don't get the appeal. What the fuck do my appliances need connectivity for?
I don't either. I don't intend to buy such appliances. They'll be woefully out of date for most of their useful life. They're often insecure as shipped and I doubt a notable number of them will ever get updates.
your Web app can communicate with nearby Bluetooth devices in a private and secure manner, using the Web Bluetooth API
Given the fact that even the battery API was abandoned for privacy reasons, I just don't believe it is ever possible to do this securely and privately. This is just an attack vector begging to be exploited.
Given the fact that even the battery API was abandoned for privacy reasons, I just don't believe it is ever possible to do this securely and privately.
Chrome allows filesystem access. You give permission for an app to access a specific location in your filesystem. I don't see why you can't just be asked whether you want to give permission to do Bluetooth things, through the same mechanism.
If true, this is a Microsoft level move: "increasing our market share is more important than your security or privacy".
