October 30, 2016
The World Wide Web Consortium’s (W3C) new Web Bluetooth API is riddled with potential security holes which, if left unaddressed during the specification’s drafting, will open the door for user fingerprinting and potentially IoT equipment hacking.
This is the opinion of Lukasz Olejnik, a security and privacy consultant, researcher at University College London, and a W3C Invited Expert, who was recently asked to review the API’s current draft.
The W3C, through the push of IoT vendors, has been working on the W3C Web Bluetooth API as a way to let websites access local Bluetooth-enabled devices in a user’s home, using a PC or smartphone’s browser as a relay point.
The API allows a website to ask for permission to access a local device using a popup, and then relay commands and read device output directly from the device.
Potential privacy problems related to Web Bluetooth API
W3C members considered that they had addressed all privacy implications by implementing the above-mentioned permissions system. Olejnik begs to differ, and brings up a few issues.
1) Information leaks due to device names. Websites or attackers that can access a Bluetooth-enabled device could determine the owner’s real name, since many people name their devices after themselves, using their real name or, in some cases, a nickname.
2) Behavioral monitoring. Websites or attackers could query for specific functions, such as the ability to track heart rate, and other sensitive details.
3) Distance monitoring. Websites or attackers can abuse the API’s rssi or txPower properties to track the user’s distance from certain Bluetooth-enabled devices. This would allow a remote attacker to know when a user is at home, at work, or asleep.
4) Profiling potential. Websites, attackers, or advertisers could infer a user’s living standards and possible wealth from the devices they share with a site.
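To make issues 1 and 3 concrete, here is an added illustration (not from the article or the W3C draft) of what the name, rssi and txPower fields of an advertisement let a page infer, and one coarsening step a user agent could apply before exposing them. The log-distance path-loss model, its exponent and the sample advertisements are assumptions constructed for the example.

```javascript
// Constructed example: inference from Web Bluetooth advertisement fields and a
// user-agent-side mitigation. Not part of the article or the specification.
const PATH_LOSS_EXPONENT = 2.0; // assumed free-space propagation

// Estimate distance in metres from a received RSSI and the advertised txPower
// (both in dBm) with the log-distance path-loss model (an assumption here).
function estimateDistanceMetres(rssi, txPower, n = PATH_LOSS_EXPONENT) {
  return Math.pow(10, (txPower - rssi) / (10 * n));
}

// Coarse presence classes that repeated readings would reveal to a tracker.
function classifyProximity(distanceMetres) {
  if (distanceMetres < 2) return 'on-person';
  if (distanceMetres < 10) return 'same-room';
  return 'away';
}

// Mitigation sketch: drop the human-readable name (issue 1) and quantise the
// signal fields into coarse buckets (issue 3) before a site sees them.
function sanitizeAdvertisement(ad, bucketDb = 10) {
  const round = (v) => Math.round(v / bucketDb) * bucketDb;
  return { name: null, rssi: round(ad.rssi), txPower: round(ad.txPower) };
}

// Constructed sample advertisements as a page might observe them.
const ADVERTS = [
  { name: "Jane's Fitbit", rssi: -60, txPower: -59 },
  { name: 'Kitchen Scale', rssi: -80, txPower: -59 },
];

// What an unmodified advertisement gives away: owner name plus proximity.
function inferFromAdvertisement(ad) {
  const d = estimateDistanceMetres(ad.rssi, ad.txPower);
  return { name: ad.name, distanceMetres: d, proximity: classifyProximity(d) };
}

for (const ad of ADVERTS) {
  console.log(inferFromAdvertisement(ad), sanitizeAdvertisement(ad));
}
```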
“I expect that a framework making it easy to test, tamper or penetration testing of Bluetooth/IoT/WoT devices will become reality, sooner or later,” Olejnik writes, referring to a Metasploit-type toolkit.