Google is working to dramatically increase the power of web browsers. There’s one big problem: The plan could create new security problems that undermine the web.
The web has had a remarkable track record of thwarting attacks. You can generally click a link and trust that your browser will protect you. By contrast, app stores require constant monitoring to keep phone malware away while confirmation dialog boxes stand in the way of problem software on your PC.
One part of Google’s plan lets browsers communicate directly with hardware devices through USB ports, and over Bluetooth and NFC wireless links. This new class of web app technology, which includes abilities called Web USB, Web Bluetooth and Web NFC, could allow you to install an operating system on your phone, update your calculator’s firmware, fetch data from your science fair project’s sensor, and receive contact details from a friend’s phone over NFC.
The risks, however, are considerable. For example, Bluetooth, USB and NFC are used to connect hardware security keys to PCs and phones for strong two-factor authentication. So one danger is hackers using a website to steal your login credentials. Indeed, Web USB was a problem for hardware security key maker Yubico, which had to deal with a serious Web USB vulnerability in 2018.
Web USB on a PC’s browser could make it easier to program small Arduino computers that are popular among hobbyists. But if a malicious web app successfully takes control of the Arduino, a hacker could use USB’s privileged status to mount a new attack right back on the PC, something Mozilla Chief Technology Officer Eric Rescorla calls a “boomerang attack.” Web USB would expose to the internet devices, like voting machines and insulin pumps, that were designed for a more protected environment, he added.
The new web technology could make your life easier, especially if you’re using a Chromebook powered by Google’s Chrome OS. But Google and allies, such as Intel, haven’t convinced skeptics the technology won’t also make life easier for the bad guys. And let’s face it, we already have plenty of security worries.