[taviso]

Why is installing software a distinct action, but granting device access not?

Malware is a huge ongoing problem, which suggests this distinction doesn't really exist.

I think we have to accept that there is no way to perfectly eliminate social engineering without also locking down legitimate access to devices. There will be some percentage of users who will click through all the warnings and confirmation prompts, just like there is some percentage of users that will run malware. That's bad, but you're letting the perfect be the enemy of the good.

Your argument could also apply to ssh, a small number of users could be socially engineered into sharing their id_rsa. This happens, we often find them checked into github, for example. Does this mean we should go back to telnet? No, for the vast majority of cases ssh is a huge imperfect improvement.

Likewise, in the vast majority of cases, Web USB is a huge imperfect improvement over installing drivers.

[ocdtrekkie]

So the issue is we are talking about different dimensions of improvement. I concede that WebUSB is better sandboxed than executing a driver installer (likely running as admin or root) in terms of the blast radius. However, WebUSB is catastrophically worse than an installer in terms of the ability of the infection to occur in the first place. Both because of the aforementioned difficulty of user process of software installation, as well as the additional checks the OS and/or third party antivirus does, as opposed to Google's fairly limited abuse detection capabilities (just Safe Browsing in WebUSB's case, I imagine?).

This is a problem I have talked about many times before regarding Google's security outlook. On Project Zero there's a ton of interesting and surely exciting work into novel ways to compromise systems. ...That work has basically no bearing on improving security for the billions of users who will never be targeted in such a niche technical way.

Real world compromise tends to just be social engineering people into doing what Google explicitly permits websites to do. You could remove malicious activity from a billion users right now by simply... deleting the Notifications API from Chrome, which is principally used to spam ads. Because people mash that allow button all the time, every time.

I'd best guess I see ten times the malware in Chrome (either hijacker extensions delivered by the Chrome Web Store, push notifications from random adult websites, or both) than actual installed malicious software on a given Windows machine.

And this is fixable! Google could fix this with WebUSB and make a net positive all around! Likely by redesigning permission granting in the browser to require deeper user intent. But it would require a fundamental change in how Google understands and perceives security (and it'd likely reduce engagement stats for some features, which various teams would fight), and I've been beating this drum for several years and I don't really expect it to change.

(In fact, one specific change I could recommend: I think APIs like WebUSB, as well as the Notifications API and similar, should probably be completely blocked unless you install a PWA. It's not as much process as a Windows software install, but it's a clear gate to allowing a site more ability, and installing and removing apps is a far easier concept to explain to users than navigating the site privacy settings.)

[taviso]

I think I need to see some data to back up your claim that Web USB makes socially engineering "catastrophically worse". Web USB is deployed today for a billion users, and yet attackers still seem to prefer malware or walking victims through installing TeamViewer, correct?

We're not talking about any vulnerability here, this is social engineering. There is no amount of confirmation that can be required or warnings added that a confidence trickster cannot walk you through dismissing. The only solution is to limit what you're allowed to do with your own computer.

That's a really high price to pay.

[ocdtrekkie]

Ah, but before they got tricked into TeamViewer, they were likely compromised once or twice over by Google: It's likely the link to the scammer's screen came from a Google ad that directed a user to a browser hijacking web extension, all of which has roughly the same level of difficulty as WebUSB. Then after that, a scammer may talk them through the process of downloading a RAT. (Though TeamViewer has not been popular for this in a while because they are responsive to security reports. There are some overseas-based tools which have taken over exclusively in the last few years because the developer doesn't answer their email.)

WebUSB is new, non-standard, of course, and last time I tried it required feature flagging (it's saving grace... at the time). Compromises through extensions are probably more likely for a while, but WebUSB will probably be more exciting for persistence, considering you could flash an entire hardware device with malicious code, that the user has already demonstrated comfort connecting back to their PC.

[taviso]

Do you think you might have argued against the internet when it was being deployed?

It sure opened the door to a lot of scams, and was far from a perfect solution. Yet it does seem to have had a net positive effect. Maybe that can be true of other technologies sometimes :)

Let's leave it there, I don't think there's anything else to add.