Comment by Retr0id
1 day ago
The security implications of not having WebUSB are having to install untrustworthy native drivers every time you want to interface with a USB device.
1 day ago
The security implications of not having WebUSB are having to install untrustworthy native drivers every time you want to interface with a USB device.
On macOS, I think I've installed device drivers exactly once in the last decade, and they were for a weird printer.
macOS allows USB access without installing a driver, so that's probably why. The "driver" is just part of the app.
That’s how most operating systems have worked for over two decades. Most OSes support USB devices that present themselves as HID, mass storage, audio, etc. without any dedicated drivers needed. It’s only specialized devices or functionality that tends to need additional drivers.
2 replies →
Most device drivers nowadays aint necessary to solely get the device working, but to get it working well. All keyboards will work out of the box without any drivers/webusb-pages, but good luck configuring rapid triggers on your Wooting keyboard or a DPI-switching macro on your Logitech mouse without it.
The security implications if this goes mainstream is that you are expected to do this for all kinds of hardware.
Right now that isn't the case and I can't remember last the time I had to uninstall untrustworthy native drivers.
A lot to lose, very little to gain?
I felt that way too, but having used it a few devices as an end user I enjoy being able to close the browser and have the whole stack disappear. Instead of having to install a creepy Logitech tool to pair a mouse with a receiver, as soon as that task is done, goodbye Logitech. I guess a real concern is manufacturers stop offering native drivers, but for the majority of hardware the PnP or the Linux kernel just handle it.
There's a real risk of losing the ability to control your device if the manufacturer stops hosting their propertiary WebUSB app, too.
Standard USB drivers aren't going to disappear from my disk and can be reverse engineered long after its manufacturer has dropped support or gone under.
My mouse uses a WebUSB app to configure stuff. I just downloaded all the files that it uses, and now I can use it offline.
> and can be reverse engineered long after its manufacturer has dropped support or gone under
Nothing really stops you from reverse-engineering a WebUSB app either.
So what is an example use case where you'd prefer to do X without using this particular tech?
The nice thing about USB devices is that they don't need native drivers. Hardware that requires native drivers for USB is pretty rare, at least for many common cases (keyboard, mice, controllers, joysticks, printers, dacs, headsets, cameras, ..), and are easy to avoid.
What product categories exist where all entries only work (over USB) with native drivers?
> What product categories exist where all entries only work (over USB) with native drivers?
All the categories you've listed have products that require a companion application to configure things out of band, that the "universal" driver doesn't understand.
In the case of the four HID you've listed the app would be for configuring key mapping, macros, rgb, firmware updates.
Some webcams need apps to control things not exposed by the native driver (things like head tracking or more specific sensor control).
I'm not familiar with the market but I would imagine that many headsets and DACs nowadays have similar apps to tune EQs presets and the like.
My USB wireless keyboard and mouse work just fine without vendor software, but if I ever lost the dongle and had to re-pair them with a different dongle, I'd need the vendor's software to do it.
My bluetooth headphones work just fine without vendor software, but apparently with an app I can adjust the audio to somehow make me better at playing computer games. I think it amplifies other players' footsteps or something? If I wanted that, I'd need the vendor's software to do it.
My PSU works just fine without vendor software, but includes a USB monitoring interface, which would let me see certain things like fan speeds, voltages and currents. Of course I can monitor most of those with my motherboard's existing sensors; and a dip in the 12v rail will power off the system before any monitoring could respond. But if I did want to use those features, I'd need the vendor's software to do it.
Despite my distrust for vendor software, I have even less trust for webusb. Partly that's because I'm a hater in general, but mostly it's because there are too many holes in the web browser's sandbox already - if things in the sandbox are re-flashing your keyboard firmware you've given up on sandboxing, you just haven't admitted it to yourself yet.
why would you be using untrustworthy hardware to begin with?
everyone has a different threshold at which they would consider something 'untrustworthy'
Curious what your floor is for 'trustworthy', a company with a US headquarters? Personally I feel sketched out by any silicon not made in Sweden or Japan, so, pretty much all of it.
Sounds like something that could have a standalone usb-driver-container or special chromium fork for the 0.00001% of users that need it instead of bloating every browser with yet another niche API and the inevitable security holes it will bring.
People are already doing that in the experimental embedded world, and let me tell you, it's pain. True and utter pain. You're going to fight different versions of libusb's userland being installed, Windows/macOS/Linux kernel occupying the device with a default driver (cough rtl_sdr) and a whole lot of other messes.
Or some things aren't even available made using libusb. Think control applications for RGB lights in keyboard and mice. There's a certain manufacturer all but mandating installation of its slopware. Being able to provide all of this as WebUSB has advantages.
Let me guess, Razer which is known for auto-downloading kernel rootkits as soon you plug in your mouse? They’re basically the Riot Games of gaming peripherals.
Doesn't linux have the drivers already?
That sounds like a Windows problem.
Not really, as long as the firmware developers used OS 2.0 descriptors
(For the rare occurences that our customer is using 7 or earlier, we tell them to use zadig and be done with it.)
I'm not familiar with the Windows platform but although you can have userspace USB drivers on linux, you still need to be able to run code that can talk to the sysfs interface.
The Linux problem is more
Hope every time you want to interface with a USB device.
you do know microsoft OS 2.0 descriptors are a thing, right? or that you can force the unknown device to use WinUSB
but really most devices you want to interface to via webusb are CDC and DFU so.. problem solved?
I'm unfamiliar with the Windows platform but that sounds like something that still requires executing code locally.
Not sure what you mean.
Anyway OS 2.0 descriptors are a custom USB descriptor that basically tells the device to use WinUSB as the driver. The burden then is in the application that will have to implement the read/writes to the endpoints instead of using higher level functions provided by the custom driver.
If you ever developed software with libUSB, using WinUSB on the windows side makes things super easy for cross platform development, and you don't have to go through all the pain to have a signed driver. Win-win in my book.
.. or HID ( https://usevia.app/ , for programmable keyboards)
yes, you can always use some nasty protocol over HID for your devices. But really most of what i do is one or multiple bulk endpoints so i can achieve full bandwidth (downloading firmware, streaming data, ...) OS2.0 made it possible to do it without having to write and sign a driver
You can have userspace drivers for usb devices in Linux
How does the security of userspace drivers compare to having drivers within a sandboxed web environment with access to only the devices you’ve explicitly allowlisted?
It's about the same. People will blindly click allow on a webpage in the same way that they blindly run libusb binaries with `sudo` that they copied from some webpage. Security is possible in all of these scenarios, but always undermined by the users.
2 replies →