
The WebUSB standard is certainly controversial. Many consider it a security risk, and, to date, only Chromium-based browsers support it. But there is a workaround that is, ironically, supposed to increase security. The adjacent Universal 2nd Factor (U2F) standard also adds (limited) USB support to browsers. Sure, this is meant solely to support U2F USB dongles for two-factor authentication purposes, but as [ArcaneNibble] demonstrates using U2F-compatible firmware on a Raspberry Pi RP2040, by hijacking the U2F payload, this API can be used to provide WebUSB-like functionality.
The provided demo involves flashing an RP2040 (e.g., Pico board) with the u2f-hax.u2f firmware and loading the index.html page from localhost or a similar secure context. After this, the buttons on the browser page can be used to toggle an LED on the Pico board on or off. You can also read an input back from the RP2040.
This feat is made possible by the opaque nature of the U2F key handle, which means that anything can be put in this blob. This makes it a snap to pass data from the U2F dongle to the host. For the inverse, things get a bit trickier. Here the ECDSA signature is manipulated inside the ASN.1 that is returned to the dongle. Since Firefox performs no signature validation (and Chrome only does a range check), this works. The MCU also auto-confirms user presence by having the key handle start with 0xfeedface, so the device works without user interaction. However, you do seem to get an annoying popup that immediately goes away.
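The range check mentioned above, written out as an added example (not code from the article or from ArcaneNibble's project): a strict DER parse of a P-256 ECDSA signature, the curve U2F uses, that confirms r and s lie in [1, n-1]. The function names and the sample byte strings are constructed for illustration.

```javascript
// Added example: constructed inputs, hypothetical function names.
// Group order n of NIST P-256, the curve U2F signatures use.
const N = BigInt("0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551");

// Read one DER INTEGER at `off`; returns { value, next } or throws.
function readInt(buf, off) {
  if (buf[off] !== 0x02) throw new Error("expected INTEGER tag");
  const len = buf[off + 1];
  if (len === undefined || len === 0 || len > 33) throw new Error("bad INTEGER length");
  const body = buf.subarray(off + 2, off + 2 + len);
  if (body.length !== len) throw new Error("truncated INTEGER");
  if (body[0] & 0x80) throw new Error("negative INTEGER");
  if (len > 1 && body[0] === 0 && !(body[1] & 0x80)) throw new Error("non-minimal INTEGER");
  let value = 0n;
  for (const b of body) value = (value << 8n) | BigInt(b);
  return { value, next: off + 2 + len };
}

// Structural and range check only: returns "ok" or the reason for rejection.
function checkSignatureShape(sig) {
  try {
    if (sig[0] !== 0x30) return "not a SEQUENCE";
    if (sig[1] !== sig.length - 2) return "length mismatch"; // short form: P-256 sigs are <= 72 bytes
    const r = readInt(sig, 2);
    const s = readInt(sig, r.next);
    if (s.next !== sig.length) return "trailing bytes";
    for (const v of [r.value, s.value]) if (v < 1n || v >= N) return "out of range";
    return "ok";
  } catch (e) {
    return e.message;
  }
}

// Build a DER signature from two big-endian byte arrays (constructed test data).
function encodeSig(r, s) {
  const int = (b) => [0x02, b.length, ...b];
  const body = [...int(r), ...int(s)];
  return Uint8Array.from([0x30, body.length, ...body]);
}

const filler = encodeSig(Array(32).fill(0x41), Array(32).fill(0x42)); // not a real signature
const tooBig = encodeSig([0x00, ...Array(32).fill(0xff)], [0x01]);    // r = 2^256 - 1 >= n
const zero = encodeSig([0x00], [0x01]);                               // r = 0

console.log(checkSignatureShape(filler), "|", checkSignatureShape(tooBig), "|", checkSignatureShape(zero));
```

The first sample is filler bytes, yet it passes: a range check bounds the values but says nothing about authenticity, so only verifying the signature against the credential's registered public key catches a signature field that carries data.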
Of course, this only works if you create a special USB device for this purpose. That means your normal USB devices are still secure. While we know it could be a security risk, you can do some cool things with WebUSB. We’ve seen a few projects that use it.
That’s very cool. It is always exciting to see ways of having a web page interact with local hardware without the hardware being on the Internet.
oxfeedface -> 0xfeedface
This is more of a political protest than “real” support, as described on the GitHub page:
“In conclusion, I want to see discussions being had which move beyond the basics of “Why won’t Firefox implement WebUSB? Is it going to lose out even further to Chrome?” and more towards discussions about intentionally curating healthy platforms and ecosystems. This extends beyond the Web and includes computing in all forms (whether on desktops and laptops, tablets and phones, or much-less-visible automation such as “IoT” and “smart home” devices). Platforms need to be both healthy for developers, so that they enjoy building software for them, and healthy for users, so that they understand what is happening and can engage with computing in a way which empowers them.”
Well said.
Oh, so it’s a Pi Pico which pretends to be a mass storage device which contains the web page which has all the code for WebUSB which then talks to the Pico directly using another USB endpoint?
No, it uses the u2f standard to send and receive data that it needs. There is not a storage device in sight in this demo.
https://en.m.wikipedia.org/wiki/Universal_2nd_Factor <– u2f
Another way to do this is to implement the RNDIS or CDC-NCM USB network card protocol, and then advertise to the PC that you have an IPv6 network. The web page can then connect to it over HTTP.