There are lots of RTL-SDR applications, but you have to install them. I used the HTML5 USB API that exists in Chrome (did you know about it?) to build one that you can run straight from your browser, on your computer or your Android phone.
Mozilla's position is to not implement this API due to security and privacy concerns, and I agree with them on that even though I'd really like to use this API too.
Given that it's been available in Chrome for 7 years, if there were any security and privacy concerns we should be able to point to at least one abuse of this API right?
I'd say predicting instances of abuse of this API is tied to usage of the API, not existence of the API. I'd argue it's extremely generous to say we'd see a case of abuse after 10 deployments of this API. Can we point to at least 10 deployments of this API?
[Ed.:] https://github.com/webusb/awesome lists applications using this API. It's 11≈14 depending on how you count. Most of them are pretty fringe, except arguably the 3 update/flash tools and maybe the Android mirror.
I'm not sure I'd expect to have seen a case of abuse here yet.
That doesn't make any sense. The API is available for abuse independently of how many legitimate users there are.
Or are you thinking only about attacks where the attackers have a genuine reason to ask for USB access? Because IMO that is going to pretty rare, and also not very interesting because in those cases the alternative is you download an executable with unlimited permissions.
But in any case it makes no difference. If the API has been available to 75% of users for 7 years, it's downright idiotic to think making it available to 77% of users will make a difference.
- a large part of privacy issues only exist under legitimate use cases
- a comparatively smaller but still relevant part of security issues would involve attacking (e.g. code injection) a legitimate web application (which the user may already trust) as a first step, and progressing from there
- the fact that such few genuine use cases exist makes users much less likely to accept any illegitimate use, since it will be a permission request box that they have never seen before and haven't been desensitized to
Yeah... It's an accident waiting to happen with someone's security key. (Yes, I'm aware chrome tries to protect that one... for now) We really need more intentionality around hardware use. There's many SDR apps already packaged for all systems. Stop trying to juggle chainsaws, please!
The UI also very temptingly looks like all the website can do is use the device for its intended function, because that's how normal users think and how it should work. But most devices were built with an assumption of trust between the driver and hardware, and now suddenly there's a security boundary there. With this there's an untrusted agent interacting with a device that may have vulnerabilities, which can itself then also interact with vulnerabilities the host may have towards USB devices.
It's not that this can't be done, it's that this is changing the rules that existing security is built on.
I would try to make it work with whitelists and/or restricting the functionality to browser add-ons rather than plain websites. Both add extra checkpoints where some security can be added back in, or rather perform this "weakening" of the previous security boundary in a more controlled manner.
What's the difference between a website accessing the USB device, and downloading an app that accesses it? (Apart from the website being more convenient and cross platform.)
To put it another way, why is it ok to trust Arduino.exe but not Arduino.com?
- People have been trained to understand downloading and executing an "Arduino.exe" is potentially dangerous and that they need to check if they trust the source
- most OSes expect a digital signature on "Arduino.exe" these days
- there's a whole ecosystem of protection and antivirus software that attempts to detect malicious use
- depending on your OS, an "Arduino.exe" can't even access USB devices without an additional signed driver and/or further administrative privileges
- a code injection attack against "Arduino.exe" is much harder; unlike "Arduino.com" which can load entirely different on each visit, you need to exploit an (easier to protect) auto-update mechanism. (Depending on the use case, an application can also be just fine without an update mechanism.)
- "Arduino.exe" isn't built on an ecosystem that routinely loads 3rd party code from outside sources
And to repeat, I don't think WebUSB in general is a bad idea. I'm arguing the security model should be more restrictive; that's why I suggested:
> I would try to make it work with whitelists and/or restricting the functionality to browser add-ons rather than plain websites.
The browser add-on ecosystem is IMHO a better framework to build something like WebUSB in, but to be fair I haven't spent thought on a more in-depth evaluation of this. Also note that there's good precedence for whitelist systems, e.g. in WinUSB the USB device itself can already do some signalling. (But that doesn't work for older USB devices and has its own can of worms…)
The extra friction is a feature. People just click through popups that stop them from doing things in existing apps and on the websites. I'm sure I've accidentally allowed something before just because an element was underneath before the popup.
On the other hand, you don't accidentally install an app.
> What's the difference between a website accessing the USB device, and downloading an app that accesses it?
Arguably the browser is far more secure. A hypothetical "Arduino.exe" can access anything, not actually select the USB device the user selected due to a bug.
The browser is far more secure because everything it allows access to is tightly controlled, in most cases by scoping it to the website. Even if you grant persistent camera/microphone access, it remains scoped temporally: you need to have the website opened up.
An USB device fundamentally does not support this security model. Code that can interact with an USB device can put persistent state on it without any checks enforced upon it. That USB device may later interact with other (bug-laden) code on the same system, or even worse, be moved to a different host entirely, with a different OS stack there, and trigger interactions there.
Yes, the browser is far more secure — because it has very few (anti-)features like this. I'm incredibly happy that WebUSB is not particularly commonplace to use. Having secure browsers is more important to me than the convenience of USB access from websites.
The problem isn't the UI, the problem is that like all software, browsers have bugs, and a CVE in this part of the code base could have catastrophic consequences. Chromium and its derivatives are highly reviewed code bases, both by good and bad actors, and there's still a considerable list of CVEs every year.
> The problem isn't the UI, the problem is that like all software, browsers have bugs, and a CVE in this part of the code base could have catastrophic consequences. Chromium and its derivatives are highly reviewed code bases, both by good and bad actors, and there's still a considerable list of CVEs every year.
That is an argument against any feature whatsoever beyond maybe a JS-free links/lynx browser. The worse browser bug is a sandbox escape that can obtain root privileges. This has been done by exploiting many different JS features. USB communication is not more of a hazard than webgl or setTimeout().
> USB communication is not more of a hazard than webgl or setTimeout().
It is though. setTimeout is very limited. WebGL does lots custom allocations which are ripe for exploits (like the native arrays in JS). USB has all that + the scope of every device plugged in which may come with its own issues.
I'm unable to get it to work with my receiver (setRegBuffer failed block=0x600 reg=74, Caused By: RadioError.UsbTransferError: USB write failed value=0x74 index=0x610 status=stall), but I love the idea!
Looking forward to a local webusb+rtlsdr based Flightradar.
If you don't know, it probably isn't; they brand it quite extensively both outside and in the USB manufacturer strings (it appears as "Blog V4" in the device selection window.)
If it is indeed not one of them, I'd be interested in getting one to test on, so I'd like to know where you got it from. Can you email me? My address is trivial to find or figure out knowing my website is https://jacobo.tarrio.org :-)
