Google releases new version of Chrome that incorporates a technology called “WebUSB”

USB, or Universal Serial Bus, is already a technology that has a lot of security problems. Now Google is rushing to put into its increasingly dominant web browser (Chrome) a technology that allows websites to interface with USB devices via JavaScript, which has to be one of the worst ideas they’ve ever come up with:

Google has wrapped up coding the desktop version of Chrome 61, and will be rolling it out for Windows, Mac and Linux “over the coming days/weeks”.

Chrome 61 extends the visibility of USB-connected devices to Web apps. First proposed last year, WebUSB was pitched as an easier way to set up USB devices, since (for example) a vendor’s site could use the API to push a config to a newly-connected gadget.

The feature’s focus, Google says, is on specialist devices that don’t have a standard way to advertise their capabilities. Keyboards or mice are easy, but as is explained in the specification, USB-connected educational devices (say, microscopes) or 3D printers aren’t conveniently accessible.

There’s also the vexed question of USB device updates: the Chrome devs explain WebUSB could let manufacturers update a device by getting users to visit the page and give permission to the update [What could possibly go wrong? – Reg].

What could possibly go wrong, indeed! That wasn’t just the reaction of the folks at The Register; it was also the reaction of a commenter at Phoronix, who also wisely said “No thanks, Google.”

We’ve learned over the past few years that everything connected to the internet tends to be less secure. Therefore, it follows that a device can be made more secure if it’s not connected to the internet. Perhaps we should strive to minimize how many devices can be connected directly to the internet by emphasizing localized control and asking ourselves, “Do we really need internet-controlled light-bulbs?”

This may not be to Google’s advantage, as it won’t be able to obtain as much data from non-internet-connected devices, but it may be to the benefit of the internet at large. Some devices may actually work better and be more useful when connected to the internet, but the majority of the “Internet of Things” probably doesn’t actually need an internet connection, especially if those devices can be controlled locally, either through a physical push of a button or through local networks such as Bluetooth, NFC, Thread, or other P2P mesh networking technologies. The latter could bring much of the same convenience of controlling a smart device from an app, without the downside of allowing someone from the other side of the world to connect to it as well.

Well said. Putting WebUSB in Chrome was a mistake. Then again, using Chrome is a mistake. LGB recommends Firefox instead, or one of its derivatives, like Waterfox or Pale Moon.