Web Bluetooth Opens New Abusive Channels (dailydot.com)
An anonymous reader writes: Recently, browsers are starting to ship Web Bluetooth API, soon to become a component of Web of Things. Web Bluetooth will allow to connect local user devices with remote web sites. While offering new development and innovation possibilities, it may also open a number of frightening security and privacy risks such as private data leaks, abuses and complexity. Web Bluetooth as currently defined by W3C may introduce unexpected data leaks such as location, and personally-identifiable data. "There are numerous examples of data processing methods possible of extracting insight previously seemingly hidden," said Steve Hegenderfer, director of Developer Programs at the Bluetooth Special Interest Group. "With Web Bluetooth, core security and privacy responsibility is delegated to the already powerful Web browser. Browsers should consider the types of information made available to websites and act accordingly in designing their data privacy layers." Is pairing kettles with web sites a good idea?
No more web (Score:5, Insightful)
The idea and the platform are a joke. The standardization guys must be drunk.
Re: (Score:2)
I already run several VMs to support legacy (aka Windows) apps on my desktop..
Sounds like it's time to stick the browser in its own locked down VM with only the minimum connectivity it needs to function.
Vbox VM running Seamless mode (containing a small minimal Linux install) is fantastic for this. You can even snapshot and fully lock the sucker down.
That and with Seamless mode it appears just like an app on the desktop.
Qubes OS (https://www.qubes-os.org/) is looking more interesting by the minute.
Only apps can app apps! (Score:1)
Apps!
Re: (Score:2)
Who are the faggots who WANT this... on the consumer side of things, I mean.
The same IoS (Internet of Sheeple) that want their garage door, light bulbs and door locks on the internet because marketing told them they do.
Why not? (Score:2, Interesting)
"Is pairing kettles with web sites a good idea?"
Why not? I remember fondly the first coffeepot camera on the web, even if it 'leaked' the location of the pot and the hands of those serving themselves.
Re: (Score:1)
Why not?
Because your kettle isn't the only Bluetooth device in your home. There's also speakers, microphones, and dildos which you might want to keep private from every website you browse.
Re: (Score:1)
"I fondly remember [direct object]", not "I remember fondly [direct object]".
English is really starting to lose its elegance,
ITYM "English is starting to really lose its elegance," :p
Anyhow, to lose something, you have to have it in the first place. I would argue that English has a lot going for it, like a huge vocabulary and not being prescriptive, but elegant is not how I would describe it. A language where "I love you" and "I love sausages" only differ in the object can never be elegant.
Re: (Score:2)
Actually, I quite like the versatility of the English language, the way one can artistically change word order, and (sometimes) preserve the same meaning.
Re: (Score:2)
Contrast that with Mandarin, where you could have a sentence where carelessly raising, then dropping, the pitch of some word in the middle of the sentence instead of simply dropping it could transform it from something a parent might say to their child into something that could be interpreted as crude, inflammatory sexual slang that would make guys in an American locker room cringe because it's *so* bad.
Not nearly as likely as it might seem. (To my relief, I might add.) For one thing, although each Chinese *character* represents a syllable, Chinese *words* are not necessarily monosyllables. While there are pairs that can be easily confused (e.g. mǎi "buy" and mài "sell"), these tend not to be used in isolation for just that reason ("buy" is usually gòumǎi, and "sell" is often shòumài). In addition, there's a lot of variation--even amongst Mandarin speakers, some words are spok
Re: (Score:2)
A language where "I love you" and "I love sausages" only differ in the object can never be elegant.
I hate to break this to you, but your example translates word-for-word (correctly) into a whole slew of languages.
Re:Why not? (Score:5, Insightful)
Why not? Let's see... Internet of Things botnets are already in the hands of script-kiddies / hackers... we don't really know who, and they've already demonstrated that they have the ability to negatively impact large portions of the internet. And that was the low-hanging fruit. It really feels like we need to slow down a bit and figure out how to harden and secure our infrastructure from bad actors before we start inventing new ways for our devices to be used to attack a very important global resource.
Re: (Score:2)
Pfft what kind of crazy un-'Mercun drizzle you spouting there? Any cost that has to be borne by others, or can be hidden on our next quarterly is a cost we can fully ignore in our quest for innovation and profit! Anything less is communism!
The foxes own the hen house (Score:4, Interesting)
Web Bluetooth as currently defined by W3C may introduce unexpected data leaks such as location, and personally-identifiable data
The leaks aren't unexpected, all new web technologies are being designed that way on purpose. When advertisers make up the standards body [w3.org], this is what we get.
Re:The foxes own the hen house (Score:4, Interesting)
I don't really see the problem. Web site asks if it can access your Bluetooth device, just like it can already request your location and access to your webcam, and you click "no". Even better, you set the default to "no".
If the website can override that, you are screwed anyway because it already owns your computer.
Re: (Score:2, Troll)
Even better, you set the default to "no".
you would. most average users would not change the default. market leadership of M$ applications and windows is proof. most isheep won't either.
so the real question is whether such people need to be protected? imo no.
Re: (Score:3)
so the real question is whether such people need to be protected? imo no.
As experts, we need to make informed decisions with greater public good in mind. Just like doctors and asbestos. The alternative is abnormal behavior gets normalized and security-conscious and privacy-aware choices are removed based on false consensus.
Re: (Score:2)
Before you make that claim you need to prove that location tracking is somehow incredibly detrimental to the life of people. Presently it seems like little more than a false economy which inadvertently also props up the free internet.
Re: (Score:2)
Before you make that claim you need to prove that location tracking is somehow incredibly detrimental to the life of people.
If you were to emerge from your little bubble of safety with eyes open and brain engaged, I think you'd very quickly find plenty of cases in which it could be incredibly detrimental to some people.
Re: (Score:2)
Define "normal people".
Re: (Score:2)
36 words and no example.
And I said "people". Not the average person who is unaffected. If someone is in this situation then they are probably taking precautions, just like I don't go near peanuts, but that doesn't stop me from saying we should abolish peanuts everywhere.
Re: (Score:2)
It would certainly be detrimental if your boss decided to check up on you on your day off and discovered you were at a competitor's office -- kind of suggests you're looking at other employment.
Or something less drastic: If McDonald's notices you're close to a Burger King and suddenly you get 14 text messages with deals for Big Macs. Perhaps not "incredibly" detrimental but certainly annoying as hell, especially if you happened to just be sitting at a stop light and had no intention of going into Burger K
Re: (Score:2)
It would certainly be detrimental if your boss decided to check up on you on your day off and discovered you were at a competitor's office -- kind of suggests you're looking at other employment.
Well yes that would be majorly detrimental to my boss. I on the other hand would benefit greatly from the resulting payout.
Or something less drastic: If McDonald's notices you're close to a Burger King and suddenly you get 14 text messages with deals for Big Macs.
And here's a great scenario that is countered by evidence, given how the ability to track your phone location accurately already exists, as does advertising.
Imagine if the US Govt had the capability of tracking Snowden back in 2013.. or even today.
I don't need to imagine it. They were tracking him. He was an employee of the NSA. Their problem is they didn't act on anything until after it was too late. They knew exactly where he went and when and didn't think much of it until
Re: (Score:2)
Well yes that would be majorly detrimental to my boss. I on the other hand would benefit greatly from the resulting payout.
Depends how well that interview went. And whether your boss thought you were worth increasing your pay or just lets you go for being disloyal. Most people don't tell their boss that they're looking for new employment until they're already fairly certain they've landed something for a reason.. or unless they're basically just bluffing in order to get a raise.
And here's a great scenario that is countered by evidence, given how the ability to track your phone location accurately already exists, as does advertising.
Yes, but so far those things aren't linked (unless you explicitly download McDonald's app or something.) I'm talking about a world where your trackin
Re: (Score:1)
Just like it asks you if you want it to play HTML5 audio/video, right?
Re: (Score:2)
The trouble is always the carrot.. well that and poorly designed interfaces.
Eventually someone will invent something that a significant number of people "must" have. And then your browser will give you a single all-encompassing "allow this site to access your bluetooth devices?"
And even though all you really wanted was to allow FB to upload images to your bluetooth-enabled digital picture frame, suddenly FB (and all of their apps and partners and whoever else) also has access to your mouse and your gamepad
Re: (Score:1)
User vigilance has never been a satisfactory solution to any security problem. Why would this be the first?
Re: (Score:3)
Or worse, Facebook will be able to "conveniently" unmute the headphones and raise the volume to make SURE you hear the ad they've embedded on the page.
Why TF? (Score:1)
PAN is a perfectly adequate 3Mbps IP transport (actually level 2) between 7 Bluetooth devices and a host. You can run real network there.
Enhanced bluetooth, and legacy standards (Score:2)
.... why is it a good idea to come up w/ yet another wireless standard when we have existing ones? Like if my rice cooker needs to connect to the internet, why not just use a legacy 802.11a chipset to let it link up to the internet at slow speeds? Do the things on the internet of things need to be high bandwidth as well, if they are not delivering intensive data, such as video data?
Also, if Bluetooth needs to be enhanced, why not make it something that allows not just 1:1, but many:many connections?
Re: (Score:3)
.... why is it a good idea to come up w/ yet another wireless standard when we have existing ones? Like if my rice cooker needs to connect to the internet, why not just use a legacy 802.11a chipset to let it link up to the internet at slow speeds? Do the things on the internet of things need to be high bandwidth as well, if they are not delivering intensive data, such as video data?
Wait until that rice cooker comes with an always on advertising screen. Won't happen? I can list out the gas stations I refuse to go to for this very reason. It's only a matter of time. Oh you want the one without advertising? Only Bloomingdales carries that, and it's a bit pricey.
Re: (Score:3)
Oh, I wasn't commenting on the privacy or intrusive aspects of the technology: depending on the 'thing', I happen to believe that an Internet of Things can be good or bad. I was commenting on the idea of extending Bluetooth to connect to the web, as opposed to just leveraging an existing but old technology that has ceded mindshare to more recent versions, like 802.11n or ac. But you are right - if it has an advertising screen, 802.11a won't do
About IoT itself, I've in the past said it's good for some
Re: (Score:2)
A cellphone to unlock your house is a godsend for any hacker who wants to rob your place easily without ever leaving a trace.
If it is implemented even slightly properly, it will be much more secure than a key. Burglars don't bother with the fiddling with the key anyway, they just open things you forgot to lock, or force things that aren't very robust.
Re: (Score:2)
On a kettle, no.
I'd love it on a coffee maker because I actually use the delay brew feature. Give me a clock that adjusts for DST and a delay brew that I can sync to my schedule and I'd be kinda happy.
DST compensation in itself could, IMHO, justify anything with a clock capability to be IoT capable.
It might be useful on a rice cooker (or anything else that takes a long time) for notifying you when it's done cooking.
Re: (Score:2)
The *ONLY* clock in my house that I ever have to set is the one on the oven and that is because nobody makes an oven with a LW radio clock. I would have preferred an oven with a timer that if you didn't set the time didn't show anything, but apparently nobody wants one of those. Regardless, on Sunday morning I will wake up with all my clocks all showing the right time within the second without me lifting a finger and none of them are connected to the internet (well apart from the computers and tablets and ph
Re: (Score:2)
Well, I'd use an ESP 8266 and relay, but my wife would have an easier time with an out-of-the-box experience...
Re: (Score:1)
Jeez! I can see people being a LITTLE upset about ads on websites, because it uses up THEIR bandwidth, but I think you're taking the whole "Anti-Advertising" thing a little too far.
Re: (Score:3)
I do too... not the ones that display ads on their screens. That's harmless, I don't look at them, I look away.
The ones I avoid are the ones with the supplemental screens and speakers that play at loud volumes advertising their products. A screen I can deal with, a speaker. NOPE. Speakers hijack your ears.
Re: (Score:2)
I even asked the owner of the gas station if he intended to keep the video advertising with the blaring sound going for more than just a test period... and he said he was. So I stopped getting gas there. I'm not sure if it made any difference to his sales, but at least I stopped being assaulted by advertising while gassing up my car.
The most dystopian aspect of Blade Runner to my eyes and ears was the blaring advertisements. I thought to myself - no one would ever stand for that! Now there are blaring
Re: (Score:2)
I will never buy a rice cooker with an advertising screen. As long as there is a consumer demand for such products, they shall exist.
You're going to have to lower the price of an application A LOT before someone will accept an ad-only version. 15 years ago they were trying to sell ad-supported PCs on the cheap. People wouldn't touch them. A rice cooker is a much cheaper product than a PC. There isn't enough wiggle room in price to force people to get an ad-supporting version.
Now a refrigerator, maybe.
Re: (Score:2)
I did read a story about such an ad-supported PC, incidentally. IIRC a real PC, but an all-in-one with something like 4MB flash instead of a hard drive; it booted into some browser thing that got you on the dial-up Internet, but not without the company that made that offer as a middleman, and some obscene amount of screen space for advertising.
People hacked the PC to run something else, but the company went out of business quickly anyway.
(the story said the BIOS was somehow hardcoded into booting the flash
what? why? (Score:1)
Why the hell would I want to do this?
Seriously, what is the use case?
It's a feature, not a Bug (Score:1)
Seriously, you thought we weren't going to illegally and unconstitutionally spy on you in your own country?
Doing the doubtful (Score:2)
Will also allow sentence not having getted one subject?
FOSS (Score:3)
This may be the time when open source swoops in and saves the day by creating tools which will interfere and ignore certain intrusive 'standards' foisted upon the unsuspecting general public.
I wonder if a device can be engineered to broadcast an interfering signal along the Bluetooth band and just kill the ability to function.
Re: (Score:2)
I can honestly say that Bluetooth is a mystery to me. I see what you are saying about blocking the transfer at the router level but what about prior to that point? I have a dual band router from TWC, aka Spectrum, and I've kind of been wondering if things might be connecting to the outward facing network that I have no access to or control over, like IoT devices that might have a corporate deal from the get go with password or access deal worked out at the manufacturer level.
Perfect integration! (Score:2)
This will integrate seamlessly into the IoT botnet used to take down Dyn the other day!