Dear Chrome DevTools team,
We would like to propose a feature to monitor WebUSB traffic as part of the developer tools.
Motivation:
Chromium browsers lack tooling to analyse hardware API traffic (e.g.
Bluetooth, HID, serial, etc).
Currently, to analyse these APIs and inspect their traffic, testers and
developers need for instance to use Wireshark to sniff USB traffic
and/or a physical Bluetooth sniffer. Additionally, macOS requires
disabling an OS security feature for USB debugging at a system level.
Overall these tools are limited: they only show the traffic "on the
wire" (not per-origin as Chromium implemented) and may e.g. require
additional configuration to decrypt transmitted data and importantly
cannot show the origin URI for each request.
Summary:
We would like to propose a feature that
helps inspect WebUSB security issues in the future. Our idea is to
add a debug tab (part of the F12 developer tools) to log WebUSB traffic
into the developer console (e.g. showing messages indicating which host is behind a
packet and to which device it was sent). Information to be displayed
could include: device name, device ID, claimed interface, connected
hosts that are authorised to use the device(s), and messages sent
from/to devices and hosts. Additionally, it might support Chrome's
developers and the WebUSB project [1] in developing new and debugging
existing hardware APIs. The implementation and the security policy of
such a feature can follow the same approach as the network tab from
the developer options.
Risks:
From a security and privacy
perspective, it is possible to show the traffic only if the developer
console is open (like the network tab functionality). Also, there should
be no issues regarding secret messages or keyloggers, because WebUSB
cannot access input devices (e.g. keyboard and mouse) [2].
For implementation, we could help and cooperate with the Google developers.
References:
[1] https://github.com/WICG/webusb
[2] https://groups.google.com/a/chromium.org/g/blink-dev/c/LZXocaeCwDw/m/GLfAffGLAAAJ
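
Added example, not part of the original proposal and not Chrome or DevTools code: a page-level logging shim that records the fields listed in the Summary (origin, device name, device ID, claimed interface, and data sent to and from the device) for one wrapped WebUSB device. The names wrapUsbDevice and sampleDevice and the log field names are assumptions made for this sketch, and the caller is assumed to pass the origin (location.origin in a page).

```javascript
// Added example, not Chrome or DevTools code. wrapUsbDevice and the sample
// device below are hypothetical names made up for this sketch.
const hex4 = (n) => n.toString(16).padStart(4, "0");
const toHex = (buf) => {
  if (!buf) return "";
  const bytes = ArrayBuffer.isView(buf)
    ? new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength)
    : new Uint8Array(buf);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join(" ");
};

// Returns a proxy for `device` plus the log array it appends to.
function wrapUsbDevice(device, origin, log = []) {
  const record = (op, detail) => log.push({
    time: Date.now(), origin, op, device: device.productName,
    id: `${hex4(device.vendorId)}:${hex4(device.productId)}`, ...detail,
  });
  const hooks = new Map([
    ["claimInterface", ([iface]) => record("claimInterface", { iface })],
    // Outbound data is known at call time, so log it before the transfer runs.
    ["transferOut", ([endpoint, data]) =>
      record("transferOut", { endpoint, data: toHex(data) })],
    // Inbound data only exists once the promise settles; log failures too.
    ["transferIn", ([endpoint], result) => result.then(
      (r) => record("transferIn", { endpoint, status: r.status, data: toHex(r.data) }),
      (e) => record("transferIn", { endpoint, error: String(e) }))],
  ]);
  const proxy = new Proxy(device, {
    get(target, prop) {
      const value = target[prop]; // read on the real object so native getters work
      if (typeof value !== "function") return value;
      return (...args) => {
        const result = value.apply(target, args);
        if (hooks.has(prop)) hooks.get(prop)(args, result);
        return result;
      };
    },
  });
  return { device: proxy, log };
}

// Constructed stand-in for a USBDevice so the sketch runs outside a browser.
const sampleDevice = {
  productName: "Constructed Test Device", vendorId: 0x1234, productId: 0xabcd,
  claimInterface: () => Promise.resolve(),
  transferOut: (ep, data) => Promise.resolve({ status: "ok", bytesWritten: data.byteLength }),
  transferIn: () => Promise.resolve({ status: "ok", data: new DataView(Uint8Array.of(0xde, 0xad).buffer) }),
};
```

A shim like this only sees calls made through the wrapped object by the page that installs it, so it cannot give the browser-wide, per-origin view that the proposed DevTools tab would.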