Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove or randomize serial numbers from WebUSB-accessible devices #28146

Closed
pes10k opened this issue Jan 30, 2023 · 14 comments · Fixed by brave/brave-core#17470
Closed

Remove or randomize serial numbers from WebUSB-accessible devices #28146

pes10k opened this issue Jan 30, 2023 · 14 comments · Fixed by brave/brave-core#17470
Assignees
Labels
feature/shields/fingerprint The fingerprinting (aka: "device recognition") protection provided in Shields OS/Android Fixes related to Android browser functionality OS/Desktop priority/P3 The next thing for us to work on. It'll ride the trains. privacy/chromium-redqueen Work to remove or improve privacy-harming "features" added in Chromium. privacy/feature User-facing privacy- & security-focused feature work. privacy/tracking Preventing sites from tracking users across the web privacy QA Pass - Android ARM QA Pass - Android Tab QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-All-Platforms QA/Yes release-notes/include

Comments

@pes10k
Copy link
Contributor

pes10k commented Jan 30, 2023

Currently sites can use WebUSB to try and get access to users USB devices. This is permission gated, so its a rare occurrence on the web, but must happen somewhere.

If you give a site access to a USB device, the site can learn the serial number for that USB device, which in some cases will be a fixed global identifier for your machine. We should probably remove, randomize or farble these serial numbers.

@pes10k pes10k added OS/Android Fixes related to Android browser functionality OS/Desktop privacy privacy/feature User-facing privacy- & security-focused feature work. privacy/tracking Preventing sites from tracking users across the web privacy/chromium-redqueen Work to remove or improve privacy-harming "features" added in Chromium. labels Jan 30, 2023
@ShivanKaul ShivanKaul added feature/shields/fingerprint The fingerprinting (aka: "device recognition") protection provided in Shields priority/P3 The next thing for us to work on. It'll ride the trains. labels Feb 14, 2023
@brave-builds brave-builds added this to the 1.51.x - Nightly milestone Mar 15, 2023
@LaurenWags
Copy link
Member

@pes10k @pilgrim-brave could we please get a test plan for this one since it's labeled QA/Yes?

Marking as QA/Blocked until the above is sorted.

@pes10k
Copy link
Contributor Author

pes10k commented Apr 6, 2023

okie i'll add one now, hope to have it done by the all hands

@pes10k
Copy link
Contributor Author

pes10k commented Apr 6, 2023

@LaurenWags here ya go https://dev-pages.brave.software/fingerprinting/devices.html (the second test on the page)

@LaurenWags
Copy link
Member

Thanks for the quick assistance @pes10k!

@MadhaviSeelam
Copy link

MadhaviSeelam commented Apr 7, 2023

Verification PASSED using

Brave | 1.51.79 Chromium: 112.0.5615.49 (Official Build) beta (64-bit)
-- | --
Revision | bd2a7bcb881c11e8cfe3078709382934e3916914-refs/branch-heads/5615@{#936}
OS | Windows 11 Version 22H2 (Build 22621.1413)

Case 1: Shields Enabled (Default) - PASSED

  1. Install 1.51.79
  2. launch Brave
  3. attached/inserted couple of USB devices to the laptop (keyboard, docking station)
  4. visited https://dev-pages.brave.software/fingerprinting/devices.html in a new tab
  5. keep the Shileds Up in the Shields panel
  6. clicked on Query new device button in the WebUSB Serial number
  7. selected Unknown device from Via Labs., Inc. and clicked connect
  8. selected Unknown device from Chicony Electronics Co. Ltd. and clicked connect
  9. selected ERGOKEY USB keyboard and clicked connect
  10. clicked Query previously connected devices for the list of devices that are paired

Confirmed serial numbers are randomized for selected USB devices

Confirmed different serial numbers are shown on both test domains (Site 1 & Site 2)

Site 1: https://dev-pages.brave.software/fingerprinting/devices.html

ex ex ex ex ex
image image image image image

Site 2: https://dev-pages.bravesoftware.com/fingerprinting/devices.html

ex ex ex ex
image image image image

Case 2: Shields Down (Disabled) - PASSED

  1. toggle Off in the Shields
  2. click Other site for Disabled
  3. follow steps from 5-9 steps Case 1

Confirmed serial numbers same on both test domains

Site 1: https://dev-pages.brave.software/fingerprinting/devices.html

ex ex ex
image image image

Site 2: https://dev-pages.bravesoftware.com/fingerprinting/devices.html

ex ex
image image

@MadhaviSeelam MadhaviSeelam added the QA/In-Progress Indicates that QA is currently in progress for that particular issue label Apr 7, 2023
@pes10k
Copy link
Contributor Author

pes10k commented Apr 8, 2023

This is an issue in the test, not the implementation. I'll fix the test but what your seeing reflects the feature working as expected. Please do not let this block the QA process

@pes10k
Copy link
Contributor Author

pes10k commented Apr 8, 2023

(btw, the test should be fixed now)

@MadhaviSeelam
Copy link

@pes10k: thanks for the fix on test site (figured that could be). However, I have a question on Disabled scenario. Where would I disable them? I see Blocked setting but NOT Disable brave://settings/content/siteDetails?site=https%3A%2F%2Fdev-pages.brave.software. Is there a different place where I should be disabling?

ex ex ex
image image image

@pes10k
Copy link
Contributor Author

pes10k commented Apr 10, 2023

@MadhaviSeelam if you want to remove access for these devices to this site, I think the only open you have in the "reset permission" button (or to clear all site storage for the site).

But for the test, by disabled, i mean shields disabled, not the USB devices disabled

@MadhaviSeelam
Copy link

@pes10k thank you! Didn't test with Shields Down but looked at Allow Finger printing while Shields Up. Wasn't sure that was the scenario to be tested. Now I see Allow Finger printing and Shields Disabled have same values.
Please review my verification notes if you don't mind.

@pes10k
Copy link
Contributor Author

pes10k commented Apr 10, 2023

That all looks good and correct and expected. Thanks!

@MadhaviSeelam MadhaviSeelam added QA Pass-Win64 and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Apr 10, 2023
@stephendonner stephendonner added QA/In-Progress Indicates that QA is currently in progress for that particular issue and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Apr 10, 2023
@stephendonner
Copy link

Sorry - tried to find a USB device which has/emits a serial #, but out of the only 6 I've tried and found at home so far, none have 🤷‍♂️ - @LaurenWags mind trying?

@LaurenWags
Copy link
Member

LaurenWags commented Apr 13, 2023

Verified with

Brave | 1.51.87 Chromium: 112.0.5615.49 (Official Build) beta (x86_64)
-- | --
Revision | bd2a7bcb881c11e8cfe3078709382934e3916914-refs/branch-heads/5615@{#936}
OS | macOS Version 13.3.1 (Build 22E261)

Reproduced the issue using 1.50.114 on Release channel.
Saw same serial number for webcam on both test sites listed below with default shield settings.

1 50 x

Case 1: Shields Enabled (Default) - InProgress

  1. Install 1.51.x
  2. launch Brave
  3. attached/inserted couple of USB devices to the laptop (keyboard, docking station)
  4. visited https://dev-pages.brave.software/fingerprinting/devices.html in a new tab
  5. keep the Shields Up in the Shields panel
  6. clicked on "Query new device" button in the WebUSB Serial number
  7. selected my webcam and clicked connect

Confirmed serial numbers are randomized for selected USB devices

Confirmed different serial numbers are shown on both test domains (Site 1 & Site 2)

Site 1: https://dev-pages.brave.software/fingerprinting/devices.html
Site 2: https://dev-pages.bravesoftware.com/fingerprinting/devices.html

Site 1 Site 2
site 1a site 1b

Case 2: Shields Down (Disabled) - PASSED

  1. toggled Shields Off for both Site 1
  2. clicked on "Query new device" button in the WebUSB Serial number
  3. selected my webcam and clicked connect
  4. repeated above steps for Site 2

Confirmed serial numbers same on both test domains

Site 1 Site 2
1 2

Verification passed on

Brave 1.51.107 Chromium: 113.0.5672.63 (Official Build) (64-bit)
Revision 0e1a4471d5ae5bf128b1bd8f4d627c8cbd55f70c-refs/branch-heads/5672@{#912}
OS Ubuntu 18.04 LTS

Case 1: Shields Enabled (Default) - PASSED

  1. Install 1.51.x
  2. launch Brave
  3. attached/inserted couple of USB devices to the laptop (keyboard, docking station)
  4. visited https://dev-pages.brave.software/fingerprinting/devices.html in a new tab
  5. keep the Shields Up in the Shields panel
  6. clicked on "Query new device" button in the WebUSB Serial number
  7. selected my webcam and clicked connect

Confirmed serial numbers are randomized for selected USB devices

Confirmed different serial numbers are shown on both test domains (Site 1 & Site 2)

Site 1: https://dev-pages.brave.software/fingerprinting/devices.html
Site 2: https://dev-pages.bravesoftware.com/fingerprinting/devices.html

Screenshot from 2023-05-03 09-41-21 Screenshot from 2023-05-03 09-43-08
Screenshot from 2023-05-03 09-44-48 Screenshot from 2023-05-03 09-45-07

Case 2: Shields Down (Disabled) - PASSED

  1. toggled Shields Off for both Site 1
  2. clicked on "Query new device" button in the WebUSB Serial number
  3. selected my webcam and clicked connect
  4. repeated above steps for Site 2

Confirmed serial numbers same on both test domains

Screenshot from 2023-05-03 09-46-11 Screenshot from 2023-05-03 09-46-35
Screenshot from 2023-05-03 09-47-35 Screenshot from 2023-05-03 09-47-51

@hffvld hffvld added the QA/In-Progress Indicates that QA is currently in progress for that particular issue label May 1, 2023
@hffvld
Copy link
Contributor

hffvld commented May 1, 2023

Verified on Google Pixel 6 and Galaxy Tab S8 using version(s):

Device/OS: 
- Google Pixel 6 [oriole-user 13 TQ2A.230405.003.E1 release-keys]
- SM-X700 Galaxy Tab S8 [gts8wifixx-user 13 TP1A.220624.014 release-keys]
Brave build: 1.51.109 Chromium: 113.0.5672.63 (Official Build) (64-bit)

Shields ON - PASS

STEPS:

  1. Launch Brave
  2. Connect USB device (I have USB-C earphones) to the phone
  3. Open https://dev-pages.brave.software/fingerprinting/devices.html in a new tab
  4. Keep the Shields ON in the Shields panel
  5. In the "WebUSB Serial Number" section tap on the "Query new device" button
  6. Select attached device > Connect
  7. In the pop-up message "Allow Brave to access ?" tap OK
  8. Repeat steps 3 - 7, but this time open https://dev-pages.bravesoftware.com/fingerprinting/devices.html

ACTUAL RESULTS:

  • Verified that the Serial number for the attached device is randomized for both URLs when Shields turned ON
Phone 1 Phone 2 Tab 1 Tab 2
1 2 3 4
Shields OFF - PASS

STEPS:

  1. Launch Brave
  2. Connect USB device (I have USB-C earphones) to the phone
  3. Open https://dev-pages.brave.software/fingerprinting/devices.html in a new tab
  4. Turn OFF the Shields in the Shields panel
  5. In the "WebUSB Serial Number" section tap on the "Query new device" button
  6. Select attached device > Connect
  7. In the pop-up message "Allow Brave to access ?" tap OK
  8. Repeat steps 3 - 7, but this time open https://dev-pages.bravesoftware.com/fingerprinting/devices.html

ACTUAL RESULTS:

  • Verified that the Serial number for the attached device is the same for both URLs when Shields turned OFF
Phone 1 Phone 2 Tab 1 Tab 2
1 2 3 4

@hffvld hffvld added QA Pass - Android ARM QA Pass - Android Tab and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels May 1, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature/shields/fingerprint The fingerprinting (aka: "device recognition") protection provided in Shields OS/Android Fixes related to Android browser functionality OS/Desktop priority/P3 The next thing for us to work on. It'll ride the trains. privacy/chromium-redqueen Work to remove or improve privacy-harming "features" added in Chromium. privacy/feature User-facing privacy- & security-focused feature work. privacy/tracking Preventing sites from tracking users across the web privacy QA Pass - Android ARM QA Pass - Android Tab QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-All-Platforms QA/Yes release-notes/include
Projects
None yet
Development

Successfully merging a pull request may close this issue.

9 participants