Add WebUSB Support To Firefox With A Special USB Device

RP2040-based Pico board acting as U2F dongle with Firefox. (Credit: ArcaneNibble, GitHub)

The WebUSB standard is certainly controversial. Many consider it a security risk, and, to date, only Chromium-based browsers support it. But there is a workaround that is, ironically, supposed to increase security. The adjacent Universal 2nd Factor (U2F) standard also adds (limited) USB support to browsers. Sure, this is meant solely to support U2F USB dongles for two-factor authentication purposes, but as [ArcaneNibble] demonstrates using U2F-compatible firmware on a Raspberry Pi RP2040, by hijacking the U2F payload, this API can be used to provide WebUSB-like functionality.

The provided demo involves flashing an RP2040 (e.g., Pico board) with the u2f-hax.u2f firmware and loading the index.html page from localhost or a similar secure context. After this, the buttons on the browser page can be used to toggle an LED on the Pico board on or off. You can also read an input back from the RP2040.

This feat is made possible by the opaque nature of the U2F key handle, which means that anything can be put in this blob. This makes it a snap to pass data from the U2F dongle to the host. For the inverse, things get a bit trickier. Here the ECDSA signature is manipulated inside the ASN.1 that is returned to the dongle. Since Firefox performs no signature validation (and Chrome only does a range check), this works. The MCU also auto-confirms user presence by having the key handle start with 0xfeedface, so the device works without user interaction. However, you do seem to get an annoying popup that immediately goes away.
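The gap between a range check and real signature verification, as an added example (not code from the article or from the project it describes): a strict DER parser for the ECDSA signature plus a 1 ≤ r, s < n test on P-256, the curve U2F uses. That this is the form the browser's range check takes is an assumption, and the function names and sample bytes are constructed here.

```python
# Added illustration: structural and range checks on a U2F ECDSA signature.
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

def _read_der_int(buf, pos):
    """Read one strict-DER INTEGER at buf[pos]; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag 0x02")
    length = buf[pos + 1]
    body = buf[pos + 2 : pos + 2 + length]
    if length == 0 or length > 33 or len(body) != length:
        raise ValueError("bad INTEGER length")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(body, "big"), pos + 2 + length

def parse_ecdsa_sig(der):
    """Parse SEQUENCE { INTEGER r, INTEGER s } with short-form lengths."""
    if len(der) < 2 or der[0] != 0x30 or der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("bad SEQUENCE header")
    r, pos = _read_der_int(der, 2)
    s, pos = _read_der_int(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes after s")
    return r, s

def passes_range_check(der):
    """True if the blob is well-formed DER and 1 <= r, s < n. Not verification."""
    try:
        r, s = parse_ecdsa_sig(der)
    except ValueError:
        return False
    return 0 < r < P256_N and 0 < s < P256_N

def _der_int(value):
    """Encode a non-negative int as a minimal DER INTEGER (sample builder)."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return bytes([0x02, len(body)]) + body

def build_sig(r, s):
    """Wrap r and s in a DER SEQUENCE (sample builder, short-form length only)."""
    body = _der_int(r) + _der_int(s)
    return bytes([0x30, len(body)]) + body

# Constructed sample: r and s are plain ASCII text, not a real signature.
SAMPLE = build_sig(int.from_bytes(b"not a signature", "big"),
                   int.from_bytes(b"still well-formed", "big"))
```

`passes_range_check(SAMPLE)` returns `True` even though no private key produced these values; only ECDSA verification against the public key stored at registration would reject them.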

Of course, this only works if you create a special USB device for this purpose. That means your normal USB devices are still secure. While we know it could be a security risk, you can do some cool things with WebUSB. We’ve seen a few projects that use it.

6 thoughts on “Add WebUSB Support To Firefox With A Special USB Device”

  1. This is more a political protest rather than “real” support, as described on the GitHub page:

    “In conclusion, I want to see discussions being had which move beyond the basics of “Why won’t Firefox implement WebUSB? Is it going to lose out even further to Chrome?” and more towards discussions about intentionally curating healthy platforms and ecosystems. This extends beyond the Web and includes computing in all forms (whether on desktops and laptops, tablets and phones, or much-less-visible automation such as “IoT” and “smart home” devices). Platforms need to be both healthy for developers, so that they enjoy building software for them, and healthy for users, so that they understand what is happening and can engage with computing in a way which empowers them.”

    Well said.

  2. Oh, so it’s a Pi Pico which pretends to be a mass storage device which contains the web page which has all the code for WebUSB which then talks to the Pico directly using another USB endpoint?

  3. Another way to do this is to implement the RNDIS or CDC-NCM USB network card protocol, and then advertise to the PC that you have an IPv6 network. The web page can then connect to it over HTTP.
