Web Bluetooth Opens New Abusive Channels (dailydot.com) 87

An anonymous reader writes: Recently, browsers are starting to ship Web Bluetooth API, soon to become a component of Web of Things. Web Bluetooth will allow to connect local user devices with remote web sites. While offering new development and innovation possibilities, it may also open a number of frightening security and privacy risks such as private data leaks, abuses and complexity. Web Bluetooth as currently defined by W3C may introduce unexpected data leaks such as location, and personally-identifiable data. "There are numerous examples of data processing methods possible of extracting insight previously seemingly hidden," said Steve Hegenderfer, director of Developer Programs at the Bluetooth Special Interest Group. "With Web Bluetooth, core security and privacy responsibility is delegated to the already powerful Web browser. Browsers should consider the types of information made available to websites and act accordingly in designing their data privacy layers." Is pairing kettles with web sites a good idea?
  • No more web (Score:5, Insightful)

    by Anonymous Coward on Thursday October 27, 2016 @12:32PM (#53162471)

    The idea and the platform is a joke. The standardization guys must be drunk.

    • by aqui ( 472334 )

I already run several VMs to support legacy (aka Windows) apps on my desktop.

      Sounds like it's time to stick the browser in its own locked-down VM with only the minimum connectivity it needs to function.

      Vbox VM running Seamless mode (containing a small minimal linux install) is fantastic for this. You can even snapshot and fully lock the sucker down.
      That and with Seamless mode it appears just like an app on the desktop.

      Qubes OS (https://www.qubes-os.org/) is looking more interesting by the minute.

  • by Anonymous Coward
    LUDDITE software is shitty and can't use wireless AppTooth devices correctly! Modern appy app apps using AppTooth via AppApps are appier!

    Apps!
  • Why not? (Score:2, Interesting)

    by nospam007 ( 722110 ) *

    "Is pairing kettles with web sites a good idea?"

    Why not? I remember fondly the first coffeepot camera on the web, even if it 'leaked' the location of the pot and the hands of those serving themselves.

    • by Anonymous Coward

      Why not?

      Because your kettle isn't the only Bluetooth device in your home. There's also speakers, microphones, and dildos which you might want to keep private from every website you browse.

    • Re:Why not? (Score:5, Insightful)

      by Dutch Gun ( 899105 ) on Thursday October 27, 2016 @01:20PM (#53162811)

Why not? Let's see... Internet of Things botnets are already in the hands of script-kiddies / hackers... we don't really know who, and they've already demonstrated that they have the ability to negatively impact large portions of the internet. And that was the low-hanging fruit. It really feels like we need to slow down a bit and figure out how to harden and secure our infrastructure from bad actors before we start inventing new ways for our devices to be used to attack a very important global resource.

      • by Altrag ( 195300 )

        Pfft what kind of crazy un-'Mercun drizzle you spouting there? Any cost that has to be borne by others, or can be hidden on our next quarterly is a cost we can fully ignore in our quest for innovation and profit! Anything less is communism!

  • by Anonymous Coward on Thursday October 27, 2016 @12:36PM (#53162503)

    Web Bluetooth as currently defined by W3C may introduce unexpected data leaks such as location, and personally-identifiable data

    The leaks aren't unexpected, all new web technologies are being designed that way on purpose. When advertisers make up the standards body [w3.org], this is what we get.

    • by AmiMoJo ( 196126 ) on Thursday October 27, 2016 @12:42PM (#53162529) Homepage Journal

      I don't really see the problem. Web site asks if it can access your Bluetooth device, just like it can already request your location and access to your webcam, and you click "no". Even better, you set the default to "no".

      If the website can override that, you are screwed anyway because it already owns your computer.

      • Re: (Score:2, Troll)

        by sittingnut ( 88521 )

        Even better, you set the default to "no".

you would. most average users would not change the default. market leadership of M$ applications and windows is proof. most isheep won't either.

        so the real question is whether such people need to be protected? imo no.

        • by sinij ( 911942 )

so the real question is whether such people need to be protected? imo no.

          As experts, we need to make informed decisions with greater public good in mind. Just like doctors and asbestos. The alternative is abnormal behavior gets normalized and security-conscious and privacy-aware choices are removed based on false consensus.

          • Before you make that claim you need to prove that location tracking is somehow incredibly detrimental to the life of people. Presently it seems like little more than a false economy which inadvertently also props up the free internet.

            • Before you make that claim you need to prove that location tracking is somehow incredibly detrimental to the life of people.

              If you were to emerge from your little bubble of safety with eyes open and brain engaged, I think you'd very quickly find plenty of cases in which it could be incredibly detrimental to some people.

              • 36 words and no example.

                And I said "people". Not the average person who is unaffected. If someone is in this situation then they are probably taking precautions, just like I don't go near peanuts, but that doesn't stop me from saying we should abolish peanuts everywhere.

            • by Altrag ( 195300 )

              It would certainly be detrimental if your boss decided to check up on you on your day off and discovered you were at a competitor's office -- kind of suggests you're looking at other employment.

              Or something less drastic: If McDonald's notices you're close to a Burger King and suddenly you get 14 text messages with deals for Big Macs. Perhaps not "incredibly" detrimental but certainly annoying as hell, especially if you happened to just be sitting at a stop light and had no intention of going into Burger K

              • It would certainly be detrimental if your boss decided to check up on you on your day off and discovered you were at a competitor's office -- kind of suggests you're looking at other employment.

                Well yes that would be majorly detrimental to my boss. I on the other hand would benefit greatly from the resulting payout.

                Or something less drastic: If McDonald's notices you're close to a Burger King and suddenly you get 14 text messages with deals for Big Macs.

                And here's a great scenario that is countered by evidence, given how the ability to track your phone location accurately already exists, as does advertising.

                Imagine if the US Govt had the capability of tracking Snowden back in 2013.. or even today.

                I don't need to imagine it. They were tracking him. He was an employee of the NSA. Their problem is they didn't act on anything until after it was too late. They knew exactly where he went and when and didn't think much of it until

                • by Altrag ( 195300 )

                  Well yes that would be majorly detrimental to my boss. I on the other hand would benefit greatly from the resulting payout.

                  Depends how well that interview went. And whether your boss thought you were worth increasing your pay or just lets you go for being disloyal. Most people don't tell their boss that they're looking for new employment until they're already fairly certain they've landed something for a reason.. or unless they're basically just bluffing in order to get a raise.

                  And here's a great scenario that is countered by evidence, given how the ability to track your phone location accurately already exists, as does advertising.

                  Yes, but so far those things aren't linked (unless you explicitly download McDonald's app or something.) I'm talking about a world where your trackin

          • Well if I can't make a better decision than asbestos then I give up!
      • by Anonymous Coward

        Just like it asks you if you want it to play HTML5 audio/video, right?

      • by Altrag ( 195300 )

        The trouble is always the carrot.. well that and poorly designed interfaces.

        Eventually someone will invent something that a significant number of people "must" have. And then your browser will give you a single all-encompassing "allow this site to access your bluetooth devices?"

        And even though all you really wanted was to allow FB to upload images to your bluetooth-enabled digital picture frame, suddenly FB (and all of their apps and partners and whoever else) also has access to your mouse and your gamepad

      • User vigilance has never been a satisfactory solution to any security problem. Why would this be the first?

  • Why, Why? People want their names written with urine on the wall so they invent useless new standards?

    PAN is a perfectly adequate 3Mbps IP transport (actually level 2) between 7 Bluetooth devices and a host. You can run real network there.
  • .... why is it a good idea to come up w/ yet another wireless standard when we have existing ones? Like if my rice cooker needs to connect to the internet, why not just use a legacy 802.11a chipset to let it link up to the internet at slow speeds? Do the things on the internet of things need to be high bandwidth as well, if they are not delivering intensive data, such as video data?

    Also, if Bluetooth needs to be enhanced, why not make it something that allows not just 1:1, but many:many connections?

    • .... why is it a good idea to come up w/ yet another wireless standard when we have existing ones? Like if my rice cooker needs to connect to the internet, why not just use a legacy 802.11a chipset to let it link up to the internet at slow speeds? Do the things on the internet of things need to be high bandwidth as well, if they are not delivering intensive data, such as video data?

      Wait until that rice cooker comes with an always on advertising screen. Won't happen? I can list out the gas stations I refuse to go to for this very reason. It's only a matter of time. Oh you want the one without advertising? Only Bloomingdales carries that, and it's a bit pricey.

      • Oh, I wasn't commenting on the privacy or intrusive aspects of the technology: depending on the 'thing', I happen to believe that an Internet of Things can be good or bad. I was commenting on the idea of extending Bluetooth to connect to the web, as opposed to just leveraging an existing but old technology that has ceded mindshare to more recent versions, like 802.11n or ac. But you are right - if it has an advertising screen, 802.11a won't do

        About IoT itself, I've in the past said it's good for some

        • by c ( 8461 )

          But having it on a kettle or coffee maker or a rice cooker makes no sense.

          On a kettle, no.

I'd love it on a coffee maker because I actually use the delay brew feature. Give me a clock that adjusts for DST and a delay brew that I can sync to my schedule and I'd be kinda happy.

          DST compensation in itself could, IMHO, justify anything with a clock capability to be IoT capable.

          It might be useful on a rice cooker (or anything else that takes a long time) for notifying you when it's done cooking.

          • by jabuzz ( 182671 )

The *ONLY* clock in my house that I ever have to set is the one on the oven, and that is because nobody makes an oven with a LW radio clock. I would have preferred an oven with a timer that, if you didn't set the time, didn't show anything, but apparently nobody wants one of those. Regardless, on Sunday morning I will wake up with all my clocks showing the right time to within the second without me lifting a finger, and none of them are connected to the internet (well, apart from the computers and tablets and ph

            • by c ( 8461 )

              Anyway I am sure you could use some IoT power socket things and a raspberry Pi to rig what you want up.

              Well, I'd use an ESP 8266 and relay, but my wife would have an easier time with an out-of-the-box experience...

      • You only visit gas stations that DON'T display ads on the pump screens? Do you only drive down roads that don't have billboards on them? Do you shop at stores that play muzak that DOESN'T have commercials between the songs?

        Jeez! I can see people being a LITTLE upset about ads on websites, because it uses up THEIR bandwidth, but I think you're taking the whole "Anti-Advertising" thing a little too far.
        • I do too... not the ones that display ads on their screens. That's harmless, I don't look at them, I look away.

The ones I avoid are the ones with the supplemental screens and speakers that play at loud volumes advertising their products. A screen I can deal with; a speaker? NOPE. Speakers hijack your ears.

          • by anegg ( 1390659 )

            I even asked the owner of the gas station if he intended to keep the video advertising with the blaring sound going for more than just a test period... and he said he was. So I stopped getting gas there. I'm not sure if it made any difference to his sales, but at least I stopped being assaulted by advertising while gassing up my car.

            The most dystopian aspect of Blade Runner to my eyes and ears was the blaring advertisements. I thought to myself - no one would ever stand for that! Now there are blaring

      • I will never buy a rice cooker with an advertising screen. As long as there is a consumer demand for such products, they shall exist.

        You're going to have to lower the price of an application A LOT before someone will accept an ad-only version. 15 years ago they were trying to sell ad-supported PCs on the cheap. People wouldn't touch them. A rice cooker is a much cheaper product than a PC. There isn't enough wiggle room in price to force people to get an ad-supporting version.

        Now a refrigerator, maybe.

I did read a story about such an ad-supported PC, incidentally. IIRC a real PC, but an all-in-one with something like 4MB flash instead of a hard drive; it booted into some browser thing that got you on the dial-up Internet, but not without the company that made that offer as a middleman, and some obscene amount of screen space for advertising.
          People hacked the PC to run something else, but the company went out of business quickly anyway.
          (the story said the BIOS was somehow hardcoded into booting the flash

      • by anegg ( 1390659 )
        And I guess that means that your rice cooker won't *function* unless its Internet connection is working... I mean, of course - the manufacturer might need to update it while it's in the middle of cooking your rice!
  • Why the hell would I want to do this?

    Seriously, what is the use case?

  • Seriously, you thought we weren't going to illegally and unconstitutionally spy on you in your own country?

  • Web Bluetooth will allow to connect local user devices with remote web sites.

    Will also allow sentence not having getted one subject?

  • by Archfeld ( 6757 ) <treboreel@live.com> on Thursday October 27, 2016 @03:17PM (#53163659) Journal

    This may be the time when open source swoops in and saves the day by creating tools which will interfere and ignore certain intrusive 'standards' foisted upon the unsuspecting general public.
    I wonder if a device can be engineered to broadcast an interfering signal along the Bluetooth band and just kill the ability to function.

  • This will integrate seamlessly into the IoT botnet used to take down Dyn the other day!
