Researcher Warns On Privacy Risks Of Web Bluetooth Spec

Upcoming API aims to let websites access your kettle, smartphone and heart rate monitor

An upcoming Bluetooth specification that gives web-based applications direct access to personal devices could turn into a privacy and security time-bomb, according to a researcher.

The specification allows users to pair devices with a web-based application, meaning the software can be used to access data from and control Bluetooth devices such as smartphones, toasters, televisions, kettles, thermostats and heart rate monitors.

Remote access

security and privacy

But since the code for web applications is by definition hosted on a remote web server, that means network-based attackers could potentially access those devices as well, something most users are unlikely to understand, said Lukasz Olejnik, an independent computer privacy and security researcher based in London.

“Can we realistically assume that average users will be able to understand the qualitative difference between pairing two local devices and pairing a local device with a remote web server?” he said in a blog post.

Olejnik made the comments after being invited to inspect the Web Bluetooth API specification currently being finalised by the World Wide Web Consortium (W3C), which recently released its latest group report on the scheme.

The API poses the same risks as two innovations that have already proven prone to abuse, cloud computing and the “Internet of Things”, but the data involved in this case is even more personal, Olejnik said.

Insufficient security

The W3C is instituting safeguards, such as restricting access to HTTPS connections and instituting a permissions framework, but such features aren’t sufficient, according to Olejnik.

“Just introducing permissions is not addressing all of the security and privacy issues when an API is sensitive,” he wrote.

One of the API’s properties, which records the signal strength of a linked device, could allow sites to track a user’s distance from a device, and thus their physical position, in real time.

“The more devices, the more precise readout is achievable,” wrote Olejnik. “So, web sites will be able to monitor user movement at home, or beyond. This particular feature is not exactly advertised at the moment.”

He said the property, called rssi, and a similar one called txPower, could be removed from the specification, since there are currently “no viable use cases” for either.

Device identifiers

Other personal data could be obtained by accessing the types and models of an individual’s devices and devices identifiers, which may include the user’s own name.

Olejnik also warned of the potential for cross-site attacks in cases where a user grants access to one site and then to another site.

The W3C’s Draft Community Group Report released last month acknowledges the security risks posed by the specification, noting that it could make Bluetooth devices easier to attack en masse.

“In the past, these devices had to be exploited one-by-one, but this API makes it plausible to conduct large-scale attacks,” the report states.

A feature allowing websites to retain pairing after a page reload worsens such risks, according to the report.

“Instead of having to get the user to grant access while the site is compromised, the attacker can take advantage of previously-granted devices if the user simply visits while the site is compromised,” it said.

The report noted that the specification includes protections to make such attacks more difficult, such as requiring a user action, like a gesture or button click, before a device can be exploited.

User warning

Olejnik advised that every system intending to use the specification be required to undergo a privacy impact assessment in order to ensure it complies with data protection laws such as the EU’s General Data Protection Regulation.

The European Commission recently suggested something similar could be put in place for Internet-connected devices.

Such devices have already, however, begun to be exploited on a large scale by criminal botnets, including one that played a part in an attack last month that temporarily disabled access to a number of major websites.

Olejnik also said users should be made aware that the web API is being introduced.

“How many users are aware that browsers are capable of using Bluetooth? How many users expect this?” he wrote.

Prime Minister Theresa May recently acknowledged the privacy risks of connected devices by banning smart watches – such as the Apple Watch – from Cabinet meetings.

Are you a security pro? Try our quiz!