Security restrictions on web<->device communication from Jeffrey Yasskin on 2015-03-18 (public-web-bluetooth@w3.org from March 2015)

From: Jeffrey Yasskin <jyasskin@google.com>
Date: Wed, 18 Mar 2015 09:59:50 -0700
To: public-web-bluetooth <public-web-bluetooth@w3.org>
Message-ID: <CANh-dXk=b_vYum4hQq9Ld7+_bKqfJ5CQXNqAzB7vBPa4j4fBHw@mail.gmail.com>

Hi Web Bluetooth folks,

Some Google folks have been talking about the security risks of exposing
devices to the Web when those devices weren't designed to be secure in the
face of that access. We'd like your input in figuring out how best to
mitigate those risks, especially by answering the questions at the bottom
of this email.

An example vulnerable device comes from the FIDO specifications:
https://fidoalliance.org/specifications. In particular, a web application
that gets paired with a FIDO device can sign a challenge presented by a
different origin, breaking the FIDO security model. The UI needed to phish
a user in this way appears to be simple.

To mitigate this risk, I've put together a draft GATT service at
https://docs.google.com/document/d/1T6hLoLvOzNrcMrbtUxAO8yF8zskHiqKfEIPxJNYvfvg/edit
to let devices control their interactions with websites, in a way that
resembles both CORS <http://www.w3.org/TR/cors/> and postMessage's origin
attribution
<https://html.spec.whatwg.org/multipage/comms.html#security-postmsg>. Feel
free to comment on that document.

Once that service is standardized, if a device implements it, we're home
clear. The open question is what to do about devices that don't define the
new service.

We'd like to get some feedback from this list before deciding what to do.

- Can the Bluetooth experts here think of other devices for which
general web access would be a security problem? Can you put us in touch
with any other Bluetooth security experts who would have good input?
- If browsers were to require devices to expose a particular service
before letting websites talk to the device, what proportion of existing
devices would be able to accept a firmware update to expose that service?
- If browsers were to require a device's PnP_ID
<https://developer.bluetooth.org/gatt/characteristics/Pages/CharacteristicViewer.aspx?u=org.bluetooth.characteristic.pnp_id.xml>
to appear on a whitelist before we'd grant access, do any of you have a
feeling for how difficult that whitelist would be to maintain? I see about
500 vendors granted IDs through the Bluetooth SIG, and we'd probably want
each of them to provide a URL we could fetch to get their piece of the
whitelist.
- If browsers were to require a service's UUID to appear on a whitelist
before we'd grant access, can you think of any safe way to include UUIDs
that aren't standardized? In particular I'm worried about attackers
whitelisting their victims' UUIDs. Is it safe enough to let any registered
vendor whitelist any UUID?
- If browsers allow access by default, and a device is found to be
vulnerable to an attack, what's the best way to blacklist it? I hear that
the Device Information service may not distinguish different devices using
the same controller.

Thanks for any help,
Jeffrey

Received on Wednesday, 18 March 2015 17:00:38 UTC