The international standards body for the internet is now finalising specification to enable all smart devices to connect directly with websites via Bluetooth, but given the recent concerns about securing the Internet of Things, is this a good idea?
The Web Bluetooth API specification being developed by the World Wide Web Consortium (W3C) is meant to be the one of the core components of the Web of Things, which is essentially the application layer of the Internet of Things.
The Internet of Things connects smart devices to the internet so that they can monitor data about weather conditions on an oil rig, the peak times for cars parking in the city or the temperature in your home, and send that data to the cloud.
In contrast, the Web of Things will enable a web browser to contact any of your connected devices directly – everything from your smart toasters, kettles, fridges and security cameras to your smart heart rate monitors, smart TVs and your mobile phones.
What could go wrong with that? Well, a lot, if you've been paying attention to the news about the Mirai botnet, which has been hacking millions of unsecured IoT devices and using them to issue Distributed Denial of Service (DDoS) attacks on the internet that recently brought down multiple popular websites on 21 October.
Independent London-based cybersecurity and privacy researcher Lukasz Olejnik is an invited expert with W3C who was asked to inspect the Web Bluetooth API specification. He is concerned that the Web Bluetooth API will be dealing with both personally identifiable information and providing information about a user's position, motions and movements.
Websites will be able to access all data from smart devices
"Access to Web Bluetooth API will be subject to permissions and it will only work in secure contexts. To simplify, this means that aside from working only on HTTPS sites [it won't be that] like every web site on the internet will be able to interact with user's devices without user consent or awareness," Olejnik writes in a blog post.
"However, just introducing permissions is not addressing all of the security and privacy issues when an API is sensitive. How many users are aware that browsers are capable of using Bluetooth? How many users expect this?"
Olejnik warns that if you grant a website access to your smart kettle, aptly named "John Smith's Kettle", for example, and then later grant another website access to the same device, information could be leaked if the device has the same unique name.
"Pairing a user's computer with a user's device happens locally. We can say that identifiers or unique names stay close to the user. However, pairing user's device with a remote web site is something qualitatively different," he explains.
"Now you could blame the users for using similar naming conventions, but if it's their habit, technology should not expect users to change. Recall how Mirai Internet of Things botnet was formed. Users did not change the default passwords, because, well, they did not. They acquired a product, turned it on, that's it. Discussing whether it was their fault misses a point, because the design was bad."
Even your movements and financial situation could be leaked
Olejnik goes on to say that websites could potentially request that the device hand over all sorts of information, such as a user's heart rate monitoring level. By collecting sensitive data, websites could easily detect the user's gender, age and other details and use this to create a detailed profile about the user. Plus, if the website can detect what brand of beacons the user has purchased, then it can then figure out the user's financial situation.
And it gets worse. The researcher found a property within the Web Bluetooth API's code that enables websites to monitor a user's movements and location changes in real time just by requesting information on the smart device's signal strength.
So if you put a man in a living room surrounded by a smart TV, a smart thermometer on the wall, a smartphone on the coffee table and a router in the corner, and you read the strength of the signals from each device, and look at the relationship between the distance and signal strength, then you can basically figure out exactly where the person is – kind of like the sonar surveillance technology used in the Dark Knight films about Batman.
"Web Bluetooth API will decrease the entry barrier for people with malicious intentions, who aren't very technically versed. Soon, everyone with a web browser will be able to potentially become an attacker targeting Internet of Things and Web of Things devices," warns Olejnik.
"If a user's browser is hijacked in some way, they might even become channels for attacks directed by someone else. It's necessary to think whether Web Permissions for Web Bluetooth are enough. Every system wanting to use W3C Bluetooth API should undergo a rigorous web risk privacy assessment – privacy impact assessment."