Hacking An Arduino NFC Reader With WebUSB

When [gdarchen] wanted to read some NFC tags, he went through several iterations. First, he tried an Electron application, and then a client-server architecture. But his final iteration was to make a standalone reader with an Arduino and use WebUSB to connect to the application on the PC.

This sounds easy, but quite a few tricks were required to make it work. Because he was using a Leonardo board, he had to hack the board to get the NFC reader’s interrupt connected correctly. But the biggest problem was enabling WebUSB support. There’s a library, but you have to change your Arduino over to use USB 2.1. It turns out that’s not hard, but there’s a caveat: once you make this change, you will need the WebUSB library in all your programs, or Windows will refuse to recognize the Arduino and you won’t be able to easily reprogram it.
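Why the USB 2.1 change matters, as an added example (not code from [gdarchen]'s repository or the Arduino WebUSB library): a host requests the Binary Object Store (BOS) descriptor only from devices reporting bcdUSB 0x0201 or higher, and the BOS is where a device advertises the WebUSB platform capability. The helper name `findWebUsbCapability` and all descriptor bytes are constructed for illustration.

```javascript
// Added example: all descriptor bytes below are constructed, not captured from a board.
const WEBUSB_UUID = '3408b638-09a9-47a0-8bfd-a0768815b665';

// USB stores the first three UUID fields little-endian, the rest byte for byte.
function uuidFromUsbBytes(bytes) {
  const a = Array.from(bytes);
  const hex = (part) => part.map((x) => x.toString(16).padStart(2, '0')).join('');
  return [hex(a.slice(0, 4).reverse()), hex(a.slice(4, 6).reverse()),
    hex(a.slice(6, 8).reverse()), hex(a.slice(8, 10)), hex(a.slice(10, 16))].join('-');
}

// Hypothetical helper: report whether a device advertises the WebUSB capability.
function findWebUsbCapability(deviceDesc, bos) {
  const bcdUSB = deviceDesc[2] | (deviceDesc[3] << 8);
  if (bcdUSB < 0x0201) return { advertised: false, reason: 'bcdUSB below 2.01, BOS is not requested' };
  if (!bos || bos.length < 5 || bos[1] !== 0x0f) return { advertised: false, reason: 'no BOS descriptor' };
  const total = Math.min(bos[2] | (bos[3] << 8), bos.length);
  let off = bos[0];
  while (off + 3 <= total) {
    const len = bos[off];
    if (len < 3 || off + len > total) return { advertised: false, reason: 'malformed capability' };
    // 0x10 = DEVICE CAPABILITY descriptor, 0x05 = PLATFORM capability type
    if (bos[off + 1] === 0x10 && bos[off + 2] === 0x05 && len >= 24 &&
        uuidFromUsbBytes(bos.slice(off + 4, off + 20)) === WEBUSB_UUID) {
      return { advertised: true, vendorCode: bos[off + 22], landingPage: bos[off + 23] };
    }
    off += len;
  }
  return { advertised: false, reason: 'no WebUSB platform capability in BOS' };
}

// Constructed 18-byte device descriptors differing only in bcdUSB (bytes 2-3).
const deviceDescriptor = (bcd) =>
  [18, 0x01, bcd & 0xff, bcd >> 8, 0, 0, 0, 64, 0x34, 0x12, 0x78, 0x56, 0, 1, 1, 2, 3, 1];

// Constructed BOS: 5-byte header plus one 24-byte WebUSB platform capability.
const SAMPLE_BOS = [
  0x05, 0x0f, 0x1d, 0x00, 0x01,             // bLength, BOS, wTotalLength=29, one capability
  0x18, 0x10, 0x05, 0x00,                   // bLength=24, DEVICE CAPABILITY, PLATFORM, reserved
  0x38, 0xb6, 0x08, 0x34, 0xa9, 0x09, 0xa0, 0x47,
  0x8b, 0xfd, 0xa0, 0x76, 0x88, 0x15, 0xb6, 0x65,
  0x00, 0x01, 0x01, 0x01,                   // bcdVersion 1.00, bVendorCode, iLandingPage
];

console.log(findWebUsbCapability(deviceDescriptor(0x0200), SAMPLE_BOS));
console.log(findWebUsbCapability(deviceDescriptor(0x0210), SAMPLE_BOS));
```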

Once you fix those things, the rest is pretty easy. The PC side uses Node.js. If you back up a level in the GitHub repository, you can see the earlier non-Arduino versions of the code as well.

If you want to understand all the logic that went into the design, the author also included a slide show that discusses the three versions and their pros and cons. He did mention that he wanted a short-range solution, so barcodes and QR codes were out. He also decided against RFID but didn’t really say why.

NFC business cards are a thing. You can also use them to catch some public transportation.

13 thoughts on “Hacking An Arduino NFC Reader With WebUSB”

  1. Well, I didn’t know, I must admit.

    I looked up what WebUSB is, and heck, no. Why let the browser, arguably the most insecure and compromised app in my whole box (after all, it’s picking up all the garbage out there on the digital streets and taking it into its mouth), why let the browser mess with *my* hardware, the one I paid hard cash for?

    Thanks, folks, but no, thanks.

    From the Wikipedia: “WebUSB is a proposed JavaScript application programming interface (API) standard for securely providing access to USB devices from web pages.”

    “Securely”. And “browser”. In one sentence. Hah.

    1. Imagine, we started skewing the clocks in our browsers to prevent Spectre and Meltdown getting abused, but a direct JavaScript interface to our hardware is a good idea. Wild.

    2. So instead of running that random app in a somewhat secure javascript sandbox, you’d rather install it as a normal program and give it full access to your system? It’s not like WebUSB gives any webpage access to USB, you need to separately accept it for each page.

      1. If we’re talking security, ad-hoc software handling all the NFC things and exposing a (secure) web API would be my choice. That way, any other webapp could interact with those tags in a secure fashion.

        “It’s not like WebUSB gives any webpage access to USB, you need to separately accept it for each page.”

        ..which you could probably bypass if you’ve already compromised the browser.

      2. > you need to separately accept it for each page.
        Just like you need to accept notification. So that every random page in the world starts giving more popups for random shit.

        And by requiring a USB device that explicitly supports WebUSB, instead of lifting on an existing USB implementation. Which is just asking for it to be ignored.

    3. “Why let the browser, arguably the most insecure and compromised app in my whole box (after all, it’s picking up all the garbage out there on the digital streets and taking it into its mouth), ”

      Good analogy!
      B^)

    4. And what do you think we are in the 90s where browsers only serve to render text and a couple of images? If I buy paid hardware, I have the right to use it, to avoid it there is a permission system in case you don’t know it, WebUSB does not allow access to sensitive hardware in any case. And if such paranoia is better you can use Tor Browser, that browser is designed for crazy and paranoid people like you. Cheers.

  2. As a friendly hint, check out the TinyUSB Arduino library. It currently works with SAMD and NRF52 (and more technically without Arduino). It got much better support for WebUSB than the never finished proof of concept Arduino lib that breaks when you look at it wrong. No AVR support but I would say that’s legacy anyway by now, might come in the future who knows.

  3. Hey guys! Great project, this may not be the place to search for advice but I’m desperate! I’m running Windows 10, the newest version of Arduino, 1.8.11. I went into the USBcore.h file and switched things to USB 2.1, even added in the leonardo(webUSB Version) board file, loaded up the library file with some example code and nothing! I’m using a brand new Leonardo which should be supported, and I’m using a p5.js example script that’s straight from Google. I’m super excited about experimenting with the new Machine Learning TensorFlow model creation using teachable machine, but I am stuck! I can’t get my Arduino to connect to Chrome no matter what. Any suggestions? Here’s the project!

    https://experiments.withgoogle.com/tiny-sorter/view
