0

Assumptions:

  • All web browsers can already talk to HID devices with JavaScript
  • A web browser will not tell the user when some JavaScript code is talking to a HID device
  • WebUSB is a JavaScript library.

Are my assumptions correct here? Or, have I missed something?

I ask this question because WebUSB claims that it will make USB communication safer. But, I have to wonder how safe USB communication can ever be if the user does not know if/when it is happening. My understanding is that right now, a website can talk to a USB device, and the browser does not have to tell the user that this is happening.

WebUSB looks like it will make things safer because the user will be guided to a safe website, with a safe interface and so on, but it doesn't seem to me as though it solves the gaping problem where a malicious website can hit your USB device without you ever knowing. Am I wrong?

Christian Findlay

1 Answer

2
  • Browsers do not normally talk to HID devices directly but instead go through the operating system's input API, which abstracts away both the HID and USB layers in order to provide higher-level events such as key-down or mouse-move. There may be some exceptions to this for exotic HID devices such as gamepads. Nevertheless, the browser is not using JavaScript for these devices but the native system API.
  • Due to the above, the concept of "JavaScript talking to a HID device" does not exist. JavaScript does get to receive these high-level events from HID devices. The browser does not explicitly tell the user that it is receiving them because delivery of the event is entirely under the user's control. For example, JavaScript will only receive an event from the user's keyboard if the user has pressed a key while the page is in focus. JavaScript cannot send data to the device, only receive it.
  • WebUSB is not a JavaScript library but an API that is provided by the web browser.

In contrast to the discussion of HID above, browsers implementing WebUSB (of which currently there is only Chrome) do notify the user if a page is connected to a USB device. First, there is a permission prompt that gives the user the choice of whether and which device the page can access. Second, there is an indicator on the tab (similar to the one indicating that the page is playing or recording audio) whenever the page has an active connection.

Therefore a malicious website cannot hit your USB device without your knowledge.

Reilly Grant
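The permission model described in the answer, seen from page script; this is an added example, not code from the original answer. The `usb` parameter stands for `navigator.usb`, and the `#connect` button id and vendor id `0x1234` are constructed for illustration.

```javascript
// Added example. `usb` is navigator.usb in a browser that implements WebUSB;
// it is passed in as a parameter so the logic can be exercised outside a page.

// Devices this origin can reach WITHOUT a prompt: only the ones the user has
// already picked in the browser's chooser. Before any grant the list is empty.
async function grantedDevices(usb) {
  const devices = await usb.getDevices();
  return devices.map((d) => ({
    vendorId: d.vendorId,
    productId: d.productId,
    name: d.productName || "(unnamed)",
    opened: d.opened,
  }));
}

// Ask for access. The browser shows its chooser only while handling a user
// gesture, and the page learns about one device: the one the user selects.
async function requestAccess(usb, filters) {
  try {
    const device = await usb.requestDevice({ filters });
    return { granted: true, device };
  } catch (err) {
    if (err.name === "NotFoundError") {
      return { granted: false, reason: "user dismissed the chooser" };
    }
    if (err.name === "SecurityError") {
      return { granted: false, reason: "blocked: no user gesture or not allowed" };
    }
    throw err; // anything else is unexpected and should surface
  }
}

// Browser wiring: the request is made from a click handler, never on page load.
if (typeof document !== "undefined" && typeof navigator !== "undefined" && navigator.usb) {
  const button = document.querySelector("#connect"); // hypothetical button id
  if (button) {
    button.addEventListener("click", async () => {
      const filters = [{ vendorId: 0x1234 }]; // constructed vendor id
      const result = await requestAccess(navigator.usb, filters);
      console.log(result.granted ? `granted: ${result.device.productName}` : result.reason);
      console.table(await grantedDevices(navigator.usb));
    });
  }
}
```

Calling `requestAccess` outside a click or key handler takes the `SecurityError` branch, which is why a page cannot open the chooser, let alone a device, on its own initiative.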