WebUSB - An unexpected update...

In January at my new(ish) user group Momentum Meetups, I presented on "Reaching out beyond the Chrome" (although suffering from food poisoning, so I was definitely going green at points!). It included WebUSB and WebBluetooth. I was excited by how powerful it was and even had a colleague present something we had been prototyping in our workplace.

During the talk I mentioned security and how it had been designed so it only works on https, and there's a permission model where you have to approve the device before it can be used.

Unfortunately this week it came to light that authentication devices could be bypassed via USB. These devices are a great way of proving you are who you say you are on the web, beyond basic 2FA texts or applications. So being able to bypass them via WebUSB is a big deal :(

My Original Security Slide
A few days later, Google disabled WebUSB by default, effectively killing it off until such time as it's made secure.

I'm now worried about the future of WebUSB, as it's taken years to really gain adoption and it's never had cross-browser support. So my advice for now is not to consider using it, and hopefully something else will come out or it will become more secure.

I really liked the prospect of WebUSB, and the prototype my colleague and I made for our work was super powerful and opened up a new avenue for interactions, but security has to be paramount over convenience. The particular attack vector feels limited to certain types of phishing attacks, but security has to take priority.

[Update 12/03/2018] As expected, the Chromium team have a patch for this that bakes in a blacklist which the team can update. It has been pushed out in Chrome 65. It feels like a necessary change, but the risk is still present for new devices.
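As an added illustration (not this post's code, and not Chrome's implementation) of the two gates described above, the https-only secure context with a user-approved device chooser and the device blocklist that shipped in Chrome 65, here is a simplified model in JavaScript. The blocklist entries and sample device descriptors are constructed placeholders; the descriptor walk follows the configurations/interfaces/alternates shape of the WebUSB USBDevice object.

```javascript
// Simplified model of a WebUSB device blocklist gate (added illustration, not
// Chrome's code). Page script never sees a blocked device; here the decision is
// a pure function over the descriptor fields a USBDevice exposes.

// Constructed blocklist: vendor/product pairs and USB interface classes the
// policy refuses to expose. Placeholder values, not Chrome's real list.
const BLOCKLIST = {
  devices: [{ vendorId: 0x1234, productId: 0x5678 }], // placeholder VID/PID
  interfaceClasses: [0x0b],                            // 0x0B = USB Smart Card class
};

function hex(n) { return '0x' + n.toString(16).padStart(2, '0'); }

// Walk every configuration -> interface -> alternate setting and return the
// reason the device must not be exposed, or null when it is allowed.
function deviceBlockReason(device, blocklist = BLOCKLIST) {
  for (const entry of blocklist.devices) {
    if (entry.vendorId === device.vendorId &&
        (entry.productId === undefined || entry.productId === device.productId)) {
      return `blocked device ${hex(device.vendorId)}:${hex(device.productId)}`;
    }
  }
  for (const cfg of device.configurations || []) {
    for (const iface of cfg.interfaces || []) {
      for (const alt of iface.alternates || []) {
        if (blocklist.interfaceClasses.includes(alt.interfaceClass)) {
          return `blocked interface class ${hex(alt.interfaceClass)} on interface ${iface.interfaceNumber}`;
        }
      }
    }
  }
  return null;
}

// Browser-side gate: secure context, feature present, user-approved chooser,
// then the blocklist check before the page is allowed to talk to the device.
async function requestAllowedDevice(filters) {
  if (!globalThis.isSecureContext) throw new Error('WebUSB requires a secure (https) context');
  if (!('usb' in navigator)) throw new Error('WebUSB is unavailable in this browser');
  const device = await navigator.usb.requestDevice({ filters }); // needs a user gesture
  const reason = deviceBlockReason(device);
  if (reason) throw new Error(`refusing to use device: ${reason}`);
  return device;
}

// Constructed sample descriptors (not captured from real hardware).
const sampleCcidDevice = { vendorId: 0x0ccc, productId: 0x0001, configurations: [
  { interfaces: [{ interfaceNumber: 0, alternates: [{ interfaceClass: 0x0b }] }] } ] };
const samplePrinter = { vendorId: 0x0ccc, productId: 0x0002, configurations: [
  { interfaces: [{ interfaceNumber: 0, alternates: [{ interfaceClass: 0x07 }] }] } ] };
```

Running `deviceBlockReason(sampleCcidDevice)` names the smart-card interface as the reason, while the printer descriptor returns null and would pass through to the usual chooser prompt.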
