Web Bluetooth

Over the past few months we’ve heard a lot about contact tracers which are designed to inform users if they’ve potentially come into close proximity with someone who has the virus. Generally these systems have been based on smartphone applications, but there are also hardware solutions that can operate independently for those who are unable or unwilling to install the software. Which is precisely what [Tom Bensky] has implemented using an ESP32 and a USB battery bank.

The idea is simple: the software generates a unique ID which is broadcast out by the ESP32 over Bluetooth Low Energy. Appended to that ID is a code that indicates the person’s current physical condition. There’s no centralized database, each user is expected to update their device daily with any symptoms they may be experiencing. If your tracker is blinking, that means somebody has come in close enough proximity that you should look at the collected data and see how they were feeling at the time.

It’s not a perfect system, of course, as for one thing the number of people that are willing and able to flash this firmware onto a spare ESP32 and carry the thing around with them all day is going to be extremely small. This might have filled an interesting niche if we were still going to hacker and maker cons this summer, but all of those have gone virtual anyway. That said, it’s an interesting look at how a decentralized contact tracing system can be implemented cheaply and quickly.

Another detail worth taking a look at is how [Tom] handled the user experience in his firmware. In an effort to make the tracer as easy as possible to configure, he’s using the Web Bluetooth capability of Google Chrome. Just open up the local web page in your browser, and it will handle talking to the hardware for you. Even if you’re not in the market for a contract tracer, we think this is a great example for how to handle end-user configuration on the ESP32.

We’ve already looked at contact tracer APIs from Google and Apple, dedicated COVID-19 hardware tokens, and even other open source attempts at decentralized proximity tracking. It’s a lot to process, and everyone seems to have their own idea on how it should be done. In the end, the most practical solution is probably to just stay at home as much as possible.

Google’s most recent Chrome browser, version 53, includes trial support for Web Bluetooth, and it’s like the Wild West! JavaScript code, served to your browser, can now connect directly to your Bluetooth LE (BTLE) devices, with a whole bunch of caveats that we’ll make clear below.

On the one hand, this is awesome functionality. The browser is the most ubiquitous cross-platform operating system that the world has ever seen. You can serve a website to users running Windows, Linux, Android, iOS, or MacOS and run code on their machines without having to know if it’s a cellphone, a desktop, or a virtual machine in the Matrix. Combining this ubiquity with the ability to control Bluetooth devices is going to be fun. It’s a missing piece of the IoT puzzle.

On the other hand, it’s a security nightmare. It’s bad enough when malicious websites can extract information from files that reside on your computer, but when they connect directly to your lightbulbs, your FitBits, or your BTLE-enhanced pacemaker, it opens up new possibilities for mischief. The good news is that the developers of Web Bluetooth seem to be aware of the risks and are intent on minimizing them, but there are still real concerns. How does security come out in the balance? Read on.

Continue reading “Web Bluetooth: The New Hotness And Its Dangers” →