Privacy expert raises some questions about Web Bluetooth API

Oct 30, 2016 20:40 GMT

The World Wide Web Consortium's (W3C) new Web Bluetooth API is riddled with potential security holes which, if left unaddressed during the specification's drafting, will open the door for user fingerprinting and potentially IoT equipment hacking.

This is the opinion of Lukasz Olejnik, a security and privacy consultant, researcher at University College London, and a W3C Invited Expert, who was recently asked to review the API's current draft.

The W3C, pushed by IoT vendors, has been working on the Web Bluetooth API as a way to let websites access local Bluetooth-enabled devices in a user's home, using the browser on a PC or smartphone as a relay point.

The API allows a website to ask for permission to access a local device using a popup, and then relay commands and read device output directly from the device.

Potential privacy problems related to Web Bluetooth API

W3C members considered that they had addressed all privacy implications by implementing the above-mentioned permissions system. Olejnik begs to differ and brings up a few issues.

1) Information leaks due to device names. Websites or attackers that can access a Bluetooth-enabled device could determine the owner's real name. Many people use their real names for naming devices, or in some cases, nicknames.

2) Behavioral monitoring. Websites or attackers could query for specific functions, such as the ability to track heart rate, and other sensitive details.

3) Distance monitoring. Websites or attackers can abuse the API's rssi or txPower property to track the user's distance from certain Bluetooth-enabled devices. This would allow a remote attacker to know when a user is at home, at work, or when sleeping.

4) Profiling potential. Websites, attackers, or advertisers could detect a user's living standards and possible wealth based on the devices they share.

Web Bluetooth API could simplify attacks on IoT devices

"I expect that a framework making it easy to test, tamper or penetration testing of Bluetooth/IoT/WoT devices will become reality, sooner or later," Olejnik writes, referring to a Metasploit-type toolkit.

"One side consequence is also that Web Bluetooth API will decrease the entry barrier for people with malicious intentions, who so happens aren't very technically versed," the expert also adds. "Soon, everyone with a web browser will be able to potentially become an attacker targeting Internet of Things and Web of Things devices."

Olejnik previously criticized the W3C's upcoming Battery Status API, saying it could lead to user fingerprinting and tracking across different websites using HTML5 Battery Status API readouts.

He also criticized the W3C's Proximity Sensor API, which he said could be reliably used to fingerprint users across different websites, based on how close they hold the device next to their face.