Sign in / up

back to article Websites take control of USB devices: Googlers propose WebUSB API

Two Google engineers have drafted a software interface that allows websites to control USB devices. Reilly Grant and Ken Rockot say their proposed WebUSB API allows hardware developers to configure and control USB devices from webpages, simplifying the process of installing and setting up equipment. "Today when you connect a …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. Shadow Systems

    Where to begin?

    1. I want drivers to install locally, not a requirement that I be able to go online to get them. What if the computer the device is connect to is itself unable to get on the web? You know, like that USB Gigabit LAN dongle I want to use to bypass the broken one on the laptop needs to have drivers BEFORE I can get online.

    2. I like to have my anti virus & anti malware programs scan the drivers before I install them, just to make sure nobody has pulled a fast one with a bit of unauthorized jiggery pokery. I can't DO that if the only place to get the driver is online AFTER I've connected the device the drivers are for. How am I supposed to make sure you're not ramming some pile of shit down my computer's throat?

    3. What if I don't WANT the device to be able to phone home, go online, or otherwise communicate with anything other than the computer to which it's attached? If I buy a temperature sensor that allows me to find out what my CPU is currently idling at, I don't want nor need it to go online just to find drivers, talk to some cloudy service, & spaf lord knows what information to whom.

    You may CLAIM the device will only be able to communicate to a specific server & download specific software, but unless *I* say it can go online at all, then how the fek do you propose I get the drivers for it? How about you include them to begin with, & then let US update them later online if WE choose to do so? Better is if we can visit the manufacturer's site, find the device drivers, download a copy, & take it from the online connected machine to the one where the device is located, to apply said driver *offline*.

    Your WebUSB api is a nice concept, it certainly would make it easier for you to make sure the device software is current, but it's an absolute security nightmare for the rest of us. I want control of where, when, & *IF* my devices connect to the internet, and want to make *damn* sure that they're not opening security holes through my defenses that'll send all my data to some scumball.

    Can you ensure my privacy & security? Because if not then I'll not be connecting your device to my computer.

    50 1 Reply
    1. Oengus
      Reply Icon

      Re: Where to begin?

      I hate that when I download an installer (e.g. for a Web Browser or Anti-virus package) I can't take the downloaded software to another PC that isn't connected to the internet to install because it is really just a "stub". I really don't want to have to connect to the Internet to do everything.

      23 0 Reply
    2. Donn Bly
      Reply Icon
      FAIL

      Re: Where to begin?

      Windows update takes the hardware id's and searches a database of compatible drivers, the underlying premise behind this is much the same except that it allows makers of specialized equipment to implement a similar system without relying on Microsoft. You want us to believe that you have never allowed windows update to search for and install a driver for a new piece of equipment, or update an existing driver?

      This technology isn't designed to used on your USB Ethernet dongle, your CPU temperature sensor, or anything like that. Do you think that the manufacturer WANTS to provide servers and bandwidth to push a driver for a device like that every time you reboot? No, of course not.

      This is an attempt to create a web standard API for directly accessing equipment connected via USB, for equipment specifically designed for that purpose, without having to use something like Flash or Java as a layer in-between. I for one WELCOME a secure alternative.

      Real-life example: USB Attached scale & Printer. The ability to have a web/thin client application be able to weigh a package and generate a shipping label WITHOUT having to install specific drivers, without having to have the user click on anything every time it prints, etc. Right now you have to install the drivers, install the stand-alone software, which then has to use a web api to exchange information with the shipping company. This moves the API level so that the software and data can be stored on web server and nothing needs to be installed on the workstation other than a standard, reusable API layer which is restricted by device and destination.

      Is this a solution for everyone and everything? Of course not. Nor is it intended to be.

      Next time learn a little about the technology before you slam it, sometimes there ARE legitimate uses.

      2 22 Reply
      1. Steve Knox
        Reply Icon
        Holmes

        Re: Where to begin?

        Real-life example: USB Attached scale & Printer. The ability to have a web/thin client application be able to weigh a package and generate a shipping label WITHOUT having to install specific drivers, without having to have the user click on anything every time it prints, etc. Right now you have to install the drivers, install the stand-alone software, which then has to use a web api to exchange information with the shipping company. This moves the API level so that the software and data can be stored on web server and nothing needs to be installed on the workstation other than a standard, reusable API layer which is restricted by device and destination.

        Or you could just get an independent scale/printer with its own network attachment. You can still connect your PC to it over the network, but you don't need to waste energy powering your PC to use it.

        There are already PC-independent solutions; don't invent half-dependent solutions and pretend they're better.

        22 0 Reply
        1. Donn Bly
          Reply Icon

          Re: Where to begin?

          Or you could just get an independent scale/printer with its own network attachment. You can still connect your PC to it over the network, but you don't need to waste energy powering your PC to use it.

          There are already PC-independent solutions; don't invent half-dependent solutions and pretend they're better.

          So instead of having a IP with attached peripherals which gets its IP address via DHCP, you would instead prefer the novice PC user to self-install a switch, install and configure two rather expensive pieces of network-enabled equipment with static IP addresses, download and install the drivers and the application software, configure the application software with the static IP addresses, etc. -- and now you have three devices on your network to monitor instead of just one AND you have an application installed on your workstation that isn't part of the company standard.

          -- or --

          you would prefer a stand-alone proprietary solution, and have IT tasked with auditing and keeping this one-off piece of non-standard equipment on their network up to date, secure, and operational.

          -- or --

          The user can use a web-based application, connect to a cheap usb-attached scale and label printer, and IT doesn't have to worry about keeping the application up to date every time there is a change in shipping rates. There aren't any foreign devices on the network, and the only downloaded code is JavaScript that runs in the browser.

          I don't know about your environment, but I would be seriously investigating the third option before discounting it.

          Shadow seems to think this is about drivers and such. It isn't. It is about the ability to use web-based applications in place of native code APPLICATIONS. Think Google Docs vs Word.exe, not video card drivers. Right now any web-based application that needs that kind of functionality has to use security abominations like Flash or Java, or the vendor write some sort of custom protocol driver which will usually only work with some subset of available hardware to accomplish the task. All this API does is create a standard where a manufacturer can "web-enable" their devices and expose a subset securely to a third-party web application that uses the same API.

          Nobody is saying that it is the best technology for every business solution. This is a technology that addresses an existing security hole in an existing niche market, and is extensible to new device classes. It defines a standard that allows for vendor interoperability, reducing lock-in to proprietary architectures. It allows software vendors to have a single, cross-platform application that truly runs the same on Mac, Windows, and Linux out of a single code-base because actual execution takes place on the server and not on the workstation.

          The API is in its early stages, with a draft spec only two months old. It may or may not flourish, but is IS better than the existing methods, or at least aspires to be.

          0 12 Reply
        2. CookieMonster999
          Reply Icon

          Re: Where to begin?

          A company I work for occasionally has literally tens of thousands POS like terminals with usb scanner and printer, so they could finally have a web only software which could drive the scanner and printer and without having to buy new pheriperals.

          1 3 Reply
      2. PNGuinn
        Reply Icon
        Stop

        Re: Where to begin?

        " sometimes there ARE legitimate uses."

        Quite possibly. So what?

        All this needs is ONE illegitimate "use" and .....

        12 0 Reply
        1. Donn Bly
          Reply Icon

          Re: Where to begin?

          The web also has illegitimate uses alone with legitimate ones - by your thinking the entire web should be forbidden and nobody should be able to use it because someone made illegitimate use somewhere along the way?

          I'd swear that none of you have even looked at the spec, or the explainer. If you had and even a basic understanding of it you wouldn't make these kinds of statements.

          1 13 Reply
          1. Adam 52 Silver badge
            Reply Icon

            Re: Where to begin?

            "I'd swear that none of you have even looked at the spec, or the explainer."

            Uninformed knee jerk comment is usual here!

            FWIW I have read the spec. I've never written a USB device driver so its hard to comment but in my simplistic view it's about allowing people to write them using potentially downloaded code in a browser.

            That raises lots of issues around performance, updates (because it is effectively installing what has traditionally been regarded as low-level code), hijack vulnerabilities (it's a good way to jump out of the sandbox) and long-term manufacturer support. As well as the competency of the average Javascript coder not normally overlapping that of a device driver writer.

            4 0 Reply
      3. Shadow Systems
        Reply Icon

        @Donn Bly.

        1. This is not Windows Update, this is an individual device manufacturer not including a driver for a device they produce, instead requireing it be connected to the internet to get one. Updating Windows is doing just that, updating something that's already there. The idea in the article is NOT updating something already present, it's requiring you to go online to install it in the first place. Updating it afterwards would be understandable, but NOT having to go online to get any driver at all. Yes I have used Windows Update to *update* a driver, but not until that driver has *already* been installed on my computer. You can not update a driver that doesn't exist yet, you have to create it before you can update the creation.

        2. No they probably do not want to maintain a server to update said hosted drivers to install "every time I reboot". But that means that the drivers they DO host are held hostage to the fact that you can't GET to them unless you've got the device in question connected to the internet & it's requesting the download. What if their server goes wonky? What if they turn it off or shut it down permanently? Where do you get the drivers then? Because the device won't have any locally to fall back upon, & there won't be any internet archive to browse. At least with a downloadable driver I can keep my own archive copy thereof, I can reinstall it if the software goes titsup, I have to reinstall my OS, or I switch computers, even if their server isn't available. Then they don't HAVE to maintain a full time server to host the files, we'll have already gotten a copy of the driver included with the device when we bought it - perhaps on a driver CD or maybe even on a USB key. Then it doesn't matter if WE have an internet connection nor if THEY remember to pay their provider, we've still got something to install.

        3. I would also welcome a secure solution, but this concept isn't it. Is it connecting via HTTPS? Is it using a 256bit encryption? Does it sign the driver so we can verify it's authenticity? Because if any of those answers is NO then we have nothing. What's to stop a MITM attack from causing what we THINK is a legit driver download from actually being a virus instead? If the device is only allowed to grab a driver by itself, then we have no way of making sure it DOES. If we've been given a local copy of a driver on cd when we bought the product, we can scan it for virus infections before installing it. If we can independantly download a driver from their site, we can have it scanned for virus infections once it's done. If we don't get a file we can scan, then how can we tell what the device is running came from the manufacturer & not some hacker crew in outer Elbonia? Hint: you can't. YOU may be fine with not knowing where the driver came from, verifying it's security, & running arbitrary code, but Security conscious folks are not.

        You might want to try some critical thinking before you try blasting away. Your aim was perfectly fine if you were aiming at your own foot.

        10 2 Reply
        1. Donn Bly
          Reply Icon
          Thumb Down

          Re: @Donn Bly.

          You are operating under a couple of fatal misconceptions.

          1) Windows Update. If you plug a device into your windows computer, and it doesn't have the driver already installed, you know that box that pops up asking if you want to search for a driver? Pay close attention next time and you will see the button that says "check windows update for driver". Windows update is more than updating existing drivers, it is where most of the NEW drivers come from for your "plug and play" devices.

          2) Downloading Drivers. This WebAPI is *not* about downloading device drivers. In fact, there is nothing in the current spec about downloading and installing ANYTHING. You go on and own about companies not including drivers or not being able to download drivers - but this is NOTHING of the sort. I can understand your confusion if you based your argument on the (factually inaccurate) line in the article about websites updating firmware.

          This technology is about allowing manufacturers to expose their devices to web applications in a standard, secure way. Before you accuse someone about lack of critical thinking, you should at least have a basic understanding of the technology you are lambasting. Have you even READ the spec? There was a nice link to it at the beginning of the article. Try reading it, THEN discussing it.

          2 13 Reply
        2. shaunhw
          Reply Icon

          Re: @Donn Bly.

          A driver doesn't have to be present for a device driver for Windows Update to install one from scratch. Windows Update can install a driver for a newly connected device with no existing driver installed, if it has one available. Windows will search for it. But for newly released hardware it is unlike it will have one. For others it might be the ONLY source for one!

          0 0 Reply
    3. Anonymous Coward
      Reply Icon
      Anonymous Coward

      Re: Where to begin?

      Nailed my issues first post out the gate. Thank you. I love the concept. The execution is almost certainly going to suck.

      [My current workstations and servers will not see the internet, ever. Nor will they be importing from/connecting to devices that have connected to the internet. Between criminal gangs (e.g. Ransomeware) and Nation States, I'm already tired of the cross-fire.]

      4 2 Reply
      1. Donn Bly
        Reply Icon

        Re: Where to begin?

        If your current workstations and servers don't have access to the Internet, then they aren't running web applications, and as such would have no need for this technology.

        Of course, if your current workstations don't have access to the Internet, just how are you posting to this forum?

        3 9 Reply
        1. agatum
          Reply Icon

          Re: Where to begin?

          >> Of course, if your current workstations don't have access to the Internet, just how are you posting to this forum?

          Could he possibly have a cell phone or tablet with gsm hardware? Or do you think you need a full blown desktop env to post to elreg? Large server farm surely required to process these hundreds of characters..

          10 0 Reply
        2. Anonymous Coward
          Reply Icon
          Anonymous Coward

          Re: Where to begin?

          >>>If your current workstations and servers don't have access to the Internet, then they aren't running web applications, and as such would have no need for this technology.

          Er, about my internal intranet on my secure site that I use my 3d printer on... You do realise the difference between a network and the internet?

          This computer network stuff is used by a whole lot of different people in a whole lot of different circumstances. Most USB devices exchange data (be it design, text, whatever). Exposing that via the web is not a good idea.

          5 0 Reply
        3. Anonymous Coward
          Reply Icon
          Anonymous Coward

          Re: Where to begin?

          If your current workstations and servers don't have access to the Internet, then they aren't running web applications

          Haven't you heard of running your own web server on your own network? For security we have two networks that are NOT connected, the secure network and the open network.

          2 0 Reply
    4. Mage Silver badge
      Reply Icon

      Re: Where to begin?

      Esp. when the proposed API is proposed by Google, who would no doubt love to know what you are doing with your dongle.

      This is worse than IoT.

      8 0 Reply
    5. TheVogon
      Reply Icon

      Re: Where to begin?

      "1. I want drivers to install locally"

      This - once and it's done. This is a solution without a problem...

      And allowing websites to "control USB devices" sounds like an invitation for new types of viruses and spyware. As Google have a pretty awful security vulnerability record with Android and Chrome, it's hardly reassuring that this comes from them either.

      2 0 Reply
    6. Jagged
      Reply Icon

      Re: Where to begin?

      The only thing I disagree with you here is the line "Your WebUSB api is a nice concept"

      Other than that, big thumbs up! ;)

      2 0 Reply
  2. gollux

    More stuff...

    to help the "Internet of Stuff" help you get stuffed.

    18 0 Reply
  3. taxythingy

    So, hardware with hard-coded web addresses that connects itself to the now-mandatory internet in order to install proprietary drivers and applications, without any significant user interaction or vetting.

    What could possibly go wrong there?

    I'll start: you bought hardware V1.0.

    18 0 Reply
  4. Rol

    You've gotta be joking!!

    So, you rummage around in your IT shed for that gadget you bought back in 2016 and attach it to your PC. All well and good, but then you discover the huge international organisation, the one that has its name proudly emblazoned all over the gadget, has found the cost of hosting a dozen megabytes or so of data, so expensive that the drivers for your gadget are no longer available.

    This happens all the time, and with huge names as well, not just the transient companies that disappear as fast as the holding company created them.

    And, no, the cost of hosting a dozen or so megabytes on their company servers is so close to zero it is for accounting purposes zero. The reason it disappears is because they wish to obsolete it as soon as possible.

    No bundled drivers! No sale!

    13 0 Reply
    1. Shadow Systems
      Reply Icon

      Re: You've gotta be joking!!

      Along those lines, it also means that if their latest & greatest release they've put into their Live server to be pushed to the devices, is itself flawed, buggy, or breaks the device, you have no way of reverting back to an earlier version. While it may not be as whiz bang as the latest & greatest, it probably has the advantage of WORKING. So if you've been using v3 for months & they release v4, but v4 causes it to suddenly stop working (properly|at all), you can uninstall v4, reinstall v3, & get back to work.

      But not if the only way to get the device to work is to connect it to a server that keeps feeding it a version that keeps it broken. They want to render the device useless, they stop providing a version of the driver that works.

      If (as in the example you used) you bought something in $YearX, put it away, & don't get back to it until $YearX+n, then the included drivers may still function, even if you have to resort to a "compatability mode" in the OS to support it. But if you have to download the drivers from a server that no longer exists, you're holding a paperweight.

      And what if the device is later declared illegal? Say the widget raises the ire of the MPAA/RIAA mafia & they get it classified as illegal. Any attempt by your computer to connect to their server to grab the hosted driver is proof that you're using contraband devices in flagrant violation of that law! Those JackBootedThugs kicking in your door are just a curtosy visit from said mafia to instruct you on why they're dragging you away. *Cough* Seriously though, if you live somewhere that declares the device illegal AFTER you bought it, any attempt by you to then USE it may get you declared a target. At least if you have the included local copy of the drivers, you could still use your property long after your government tries to call you a criminal.

      Cynical? Not really. Consider a USB attached digital record player with software that automaticly converts the records to mp3. If you have a local copy of the driver you can use offline, then it doesn't matter what the RIAA might do in the halls of power, they'll never know you're using it unless they break down your door & catch you in the act. But if that device has to connect to a server just to function, and the RIAA is watching that server's log in record, then they have PROOF that you're using "illegal devices & technology" to pirate that record. Why should it go online at all? Ripping your music doesn't *need* the internet unless you instruct the software to check various databases to fill in the tag fields, otherwise you can do that yourself later, offline, anonymously if need be.

      This WebUSB thing is just a FusterCluck waiting to happen. It's a nice theoretical concept, but the moment you actually go to USE it, the security flaws in it's current incarnation become so bleeding fekking obvious that even the BLIND GUY can see them.

      8 0 Reply
      1. Anonymous Coward
        Reply Icon
        Anonymous Coward

        Re: You've gotta be joking!!

        Not at all far-fetched by the way. I have two programs that just managed to get grandfathered in a court decision as being legal despite the MPAA. "Cold dead fingers" and all that.

        4 1 Reply
    2. Oengus
      Reply Icon
      FAIL

      Re: You've gotta be joking!!

      I have already experienced new products that by the time you install them the URL for the driver has been changed and you have to manually hunt for the drivers/software on the vendor's support page. The drivers are still there it just is impossible to find them because the web designers are too lazy(/incompetent) to leave a redirect on the original URL.

      This issue doesn't only happen with drivers. Embedded support pages/help links often move but that is another topic for discussion...

      11 0 Reply
    3. Dan 55 Silver badge
      Reply Icon

      Re: You've gotta be joking!!

      You discover the huge international organisation, the one that has its name proudly emblazoned all over the gadget, has found the cost of hosting a dozen megabytes or so of data, so expensive that the drivers for your gadget are no longer available.

      You could almost be talking about Revolv.

      This will last until another butterfly flies past Google's window. And as for malware out there getting access to USB devices, that's going to end well too...

      6 0 Reply
    4. Anonymous Coward
      Reply Icon
      Anonymous Coward

      Re: You've gotta be joking!!

      Don't worry, soon after Google will offer its repository of 'web drivers' so everything connects to it to download them. Another way to slurp more data about users.

      In related news, a lot of people connect unknown USB devices to their PCs...

      7 0 Reply
  5. Flocke Kroes Silver badge

    No source code, no sale

    So, this web interface in going to find out the USB device is attached to a router running openwrt on a MIPS CPU. It determines the correct version of the kernel, applies the required patches and configuration file, modifies the driver code to match the kernel version, downloads a cross compiler and compiles the module for the USB device. It then magically pulls the correct system definition for QEMU, emulates my router in software, tests the driver, fixes some bugs, re-compiles and repeats until the tests pass before sending the driver to my web-browser - except my router does not have a browser. It does not have the X client libraries, so the only browsers it could run would be things like lynx, links and w3m.

    Imagine how much easier it would be if manufacturers documented their hardware, and programmers contributed and maintained an free software driver in the mainline kernel. The driver could then be installed with distribution's standard tools and loaded when required without user intervention. Although there are many thousands of USB devices that already work this way, there are a few that don't. This is easy dealt with: no source code, no sale.

    2 0 Reply
    1. Charles 9
      Reply Icon

      Re: No source code, no sale

      "This is easy dealt with: no source code, no sale."

      So you intend to type blind since graphics are such a competitive market that every manufacturer protects their IP behind patents and will not give away open source drivers for their cutting edge stuff for fear of Giving Information To The Enemy?

      No source code, no sale? When was the last time a graphics company openly gave away driver source code for their latest, greatest products which you need to perform your professional or gaming 3D graphics?

      2 2 Reply
  6. Anonymous Coward
    Anonymous Coward

    Those guys are insane

    or somebody has a plan for some new form of vendor lock-in.

    3 0 Reply
  7. Anonymous Coward
    Anonymous Coward

    Good, something needed to replace Flash for patch of the week club

    This sounds like something that will be infested with security holes galore, good job idiot Googlers!

    How long before the first website using this API is found to be taking over people's webcam and recording them?

    4 1 Reply
  8. Christian Berger

    Makes sense for a browser company to support it

    ... as this makes browsers more complex and therefore lowers the chances of a new browser vendor coming up. This keeps the current oligopoly safe.

    Just imagine there being a FOSS browser which actually does what its users want and doesn't just make the GUI worse with every version. Mozilla would be broke within a couple of years.

    5 0 Reply
    1. Anonymous Coward
      Reply Icon
      Anonymous Coward

      Re: Makes sense for a browser company to support it

      To be fair, Mozilla would be broke already were it not for the lucrative deals it makes with search engines.

      0 0 Reply
      1. Anonymous Coward
        Reply Icon
        Anonymous Coward

        Re: Makes sense for a browser company to support it

        Not that complex...all you need is an "Oh hell no" button.

        2 0 Reply
    2. Anonymous Coward
      Reply Icon
      Anonymous Coward

      Re: Makes sense for a browser company to support it

      Google is also trying to make the browser an OS - just, it will also have all the issues an OS has.

      Let the OS make its job, and let the browser outside it. Otherwise, I can be very scared about something who can run code from outside being able to fully control my OS down to the driver level.... even if Google and others would really like it.

      0 0 Reply
      1. Christian Berger
        Reply Icon

        Re: Makes sense for a browser company to support it

        "Google is also trying to make the browser an OS - just, it will also have all the issues an OS has."

        Well the problem is that browsers are horribly badly designed OSes. That's why browsers are so much more complex than actual operating systems. One might argue that this is because modern OSes follow the Unix philosophy while modern browsers follow the Stroustroup OOP philosophy.

        0 0 Reply
  9. AndrueC Silver badge
    Stop

    This just sounds like a really bad idea. I'm not sure why. It's just 30 years experience of IT is making me nervous at the prospect.

    4 0 Reply
  10. allthecoolshortnamesweretaken

    Another solution looking for a problem - with big security issues as an added bonus!

    1 0 Reply
  11. Zippy's Sausage Factory
    Unhappy

    Because there's no possibility of security holes here

    Reminds me of the VB 5 setup screen*:

    "Deploy ActiveX controls that run on the user's PC - with no interaction".

    Because nothing could ever have gone wrong with that either...

    * Yes, I do go back that far. I'll get me Zimmer frame...

    4 0 Reply
  12. theOtherJT Silver badge
    FAIL

    We need awards...

    ...for this level of stupidity. Guys, it took about 5 seconds from reading the headline to realizing that this was going to be a TERRIBLE idea. How on earth did anyone manage to get from thinking it up to actually telling people about it without clocking at least one of the absolute show stoppers here?

    2 0 Reply
  13. drtune

    What could possibly go wrong?

    As a firmware developer/hacker kinda guy, this is a "spit your coffee over the keyboard" quality idea.

    I did go and RTFA (well, spec) and they pay a lot of lip-service to CORS/security/etc it's still a pretty out-there idea.

    There are actually few things in this world _less_ robust and securely programmed than your average USB peripheral - not only that but by definition a lot of them are in control of real physical things. USB peripheral firmware is totally the wild west... Ask any Linux developer trying to support something with Windows-only drivers - the first step is to basically run it under windows and reverse-engineer the device protocol to figure out how the hell the vendor set it up - but there is literally no telling what the device actually supports without reading and disassembling its firmware. USB devices are the blackest of black boxes, and there's millions of them, all with different firmware..

    BRICKING ISSUE

    Primarily, most USB devices are _exceedingly_ brickable; because most peripherals are flash-based MCUs, and most of them have some sort of firmware update procedure, and only very rarely does anyone even use the USB "DFU" standard; rather often, firmware updates are via what would (in any other system) be called hidden backdoors; e.g. HID command endpoints, hidden command messages, etc. Bulk endpoints with a "manufacturer specific" USB descriptor..

    ..There's very rarely a oh-shit-you-loaded-bad-firmware recovery mechanism either.

    Even current USB devices that don't nominally require drivers (e.g. CDC, HID, Mass storage, etc) VERY often have these sorts of hidden backdoor things going on (for reflashing, debug, diagnostics, etc) because that's the way things have evolved for the last 20 years or so...

    I think it's an interesting idea and (as a long time firmware developer including many USB peripherals) I mean that in an "oh wow the possibilities for shit going very badly are.. really interesting". I can think of a huge number of ways to turn previously useful peripherals into doorstops, and that's barely scratching the service of the issue. Yes.. but... WOAH THERE NELLY!

    Letting the browser talk raw USB packets would be kinda like having an unpatched Windows 95 machine with every service turned on and all ports exposed to the internet.

    3 0 Reply
  14. Unicornpiss
    Meh

    Malware writers should love it!

    There was just another article about how people will pick up a flash drive they found in a parking lot and indiscriminately plug it in. This opens up whole new avenues for simplifying attacks.

    And is it really that hard for even the slightly savvy to go to a website, download a driver, and install it? Or download it, drag it to removable media, and install it on another PC if needed?

    3 0 Reply
    1. Charles 9
      Reply Icon

      Re: Malware writers should love it!

      "And is it really that hard for even the slightly savvy to go to a website, download a driver, and install it? Or download it, drag it to removable media, and install it on another PC if needed?"

      And if the answer is "Yes"?

      0 0 Reply
  15. Eddy Ito

    Lovely. Google's cloud print extended to everyone and everything. But don't worry, that new industrial welding robot can only connect to the "Allowed Origins" web addresses so it will be impossible for the cloud-chain-of-trust to be broken. After all, hijacked websites are a thing of the past, right?

    Just what we need SCADA comes home via USB and the supervisory access is in the wind cloud. It's a pity "the cloud" is really just someone else's computer but I suppose it's inevitable as so many people have grown up with personal responsibility removed by things like iPhones which do little more than make the difficult parts someone else's problem.

    2 0 Reply
  16. captain veg Silver badge

    Andreessen was wrong

    Now you don't even need Windows to act as a poorly-debugged device driver layer.

    -A.

    0 0 Reply
  17. shaunhw

    Dont's get too enthusiastic

    Like most things developed like this, UEFI for example, I bet it'll be a complete fiasco.

    0 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like