Google is advancing its browser capabilities with a forthcoming feature that will empower isolated web applications to bypass current security restrictions on accessing sensitive USB devices via the WebUSB API.
WebUSB is a JavaScript API that lets web applications talk to USB devices connected to a computer. Presently, certain interface classes such as audio, HID (Human Interface Device), mass storage, smart card, video, audio/video devices, and wireless controllers are protected from direct web access to safeguard against potential security risks posed by malicious scripts.
In addition to these protections, the WebUSB specification includes a predefined block list comprising specific USB devices like YubiKeys, Google Titan keys, and Feitian security keys used primarily for multi-factor authentication.
Google is currently experimenting with an “Unrestricted WebUSB” feature aimed at enabling isolated web applications—typically packaged as Web Bundles, signed by developers, and distributed directly to end-users—to access these restricted USB devices and interface classes.
Explaining the functionality, Google clarified in a Chrome status update, “The WebUSB specification includes a blocklist of vulnerable devices and a table of protected interface classes blocked from access via WebUSB. With this feature, Isolated Web Apps with permission to access the ‘usb-unrestricted’ Permission Policy feature will be allowed to access blocklisted devices and protected interface classes.”
Under this framework, when an isolated web app attempts to access a USB device, the system verifies whether the device is listed in the blocklist of vulnerable devices. If listed, standard access would be restricted. However, apps authorized with the “usb-unrestricted” permission bypass this restriction.
Furthermore, the system checks if the accessed device is included in the app’s list of permitted devices. If not, access is denied. Additionally, access may be restricted if the accessed interface is marked as protected, unless the app has been granted the “usb-unrestricted” permission.
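The checks described above can be modelled as a small decision function. This is an added illustration, not Chrome's code: the app object shape, the function name `decideAccess`, and the vendor/product IDs are assumptions constructed for the example, while the class codes are the standard USB codes for the protected classes the article lists.

```javascript
// Added model of the checks described in the article; not Chrome's implementation.
// Protected interface classes named in the article, keyed by USB class code.
const PROTECTED_CLASSES = new Map([
  [0x01, "audio"], [0x03, "HID"], [0x08, "mass storage"], [0x0b, "smart card"],
  [0x0e, "video"], [0x10, "audio/video"], [0xe0, "wireless controller"],
]);

// Constructed placeholder IDs, not entries from the real WebUSB blocklist.
const BLOCKLIST = [{ vendorId: 0xffff, productId: 0x0001 }];

const sameDevice = (a, b) =>
  a.vendorId === b.vendorId && a.productId === b.productId;

// app: { isolated, policy: [...], allowedDevices: [...] } (hypothetical shape)
function decideAccess(app, device, interfaceClass) {
  // Only an Isolated Web App holding the policy feature gets the bypass.
  const unrestricted = app.isolated && app.policy.includes("usb-unrestricted");

  // 1. Blocklisted devices are refused unless the bypass applies.
  if (BLOCKLIST.some((d) => sameDevice(d, device)) && !unrestricted) {
    return { allowed: false, reason: "blocklisted device" };
  }
  // 2. The device must be in the app's permitted list; the bypass does not change this.
  if (!app.allowedDevices.some((d) => sameDevice(d, device))) {
    return { allowed: false, reason: "device not in app's permitted list" };
  }
  // 3. Protected interface classes are refused unless the bypass applies.
  if (PROTECTED_CLASSES.has(interfaceClass) && !unrestricted) {
    const name = PROTECTED_CLASSES.get(interfaceClass);
    return { allowed: false, reason: `protected interface class: ${name}` };
  }
  return { allowed: true, reason: unrestricted ? "usb-unrestricted" : "standard" };
}

// Constructed sample devices and apps.
const securityKey = { vendorId: 0xffff, productId: 0x0001 }; // on the sample blocklist
const cardReader = { vendorId: 0xfffe, productId: 0x0002 };
const both = [securityKey, cardReader];
const trustedIwa = { isolated: true, policy: ["usb", "usb-unrestricted"], allowedDevices: both };
const plainIwa = { isolated: true, policy: ["usb"], allowedDevices: both };
const narrowIwa = { isolated: true, policy: ["usb", "usb-unrestricted"], allowedDevices: [cardReader] };

console.log(decideAccess(trustedIwa, securityKey, 0x03));
console.log(decideAccess(plainIwa, securityKey, 0x03));
console.log(decideAccess(plainIwa, cardReader, 0x0b));
console.log(decideAccess(narrowIwa, securityKey, 0x03));
```

In this model the permitted-device list stays the limiting control even for an app holding `usb-unrestricted`, so reviewing which apps are granted that feature and which devices they list covers both halves of the decision.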
This enhancement promises to expand the functionality of trusted isolated web apps, typically used within organizations or distributed in controlled environments, thereby enabling broader capabilities in secure settings.
Google plans to introduce this feature for testing in Chrome 128, expected for release in August 2024.