Skip to main content

Jeffrey Yasskin

The Web Bluetooth Security Model

Web Bluetooth is a developing JavaScript API to allow websites to communicate with Bluetooth devices. Sites ask the browser to show a list of nearby Bluetooth devices matching certain criteria, and the user either picks which to grant access to or cancels the dialog.

Image of the Chromium Bluetooth chooser, saying " wants to pair with:" followed by a list of two nearby bluetooth devices, a "Polar H7" or an "HR Monitor GO9". At the bottom of the dialog are links to follow if the expected device doesn"t appear and a "Pair" button.
The user can choose which heart rate monitor to grant access to, if any.

As you might expect, there are security risks here. When deciding whether to ship the new API, we should look at several kinds of attackers and defenders:

The ultimate decision about whether to ship Web Bluetooth should also take the competitiveness of the web into account, but this article only analyzes the security tradeoffs.

Abusive software developers §

Abusive websites might try to do embarrassing things like configure a Bluetooth speaker to play porn sounds. Web Bluetooth defends against this in several ways:

Malicious software developers §

In a world with Web Bluetooth, malicious developers will be able to choose between attacking users via native or web apps. We want shipping Web Bluetooth to make their job harder across the combination of both targets.

Getting permission §

Assume the user visits the malicious developer’s website. To grant it permission to attack Bluetooth devices, the user must:

Android M+:

  1. Click on app install banner.
  2. Click ‘Install’ in Play Store. Wait.
  3. Click ‘Open’ in Play Store.
  4. Click ‘Accept’ on a location permission prompt.


  1. Click on app install banner.
  2. Click ‘Get’ in App Store.
  3. Click ‘Install’ in App Store. Wait.
  4. Click ‘Open’ in App Store.

Chrome OS (through a Chrome App):

  1. Site calls chrome.webstore.install() inside a user gesture.
  2. Click ‘Add’ on a dialog that mentions Bluetooth. Wait.
  3. Click the app icon.

Web Bluetooth

  1. Site calls navigator.bluetooth.requestDevice() inside a user gesture.
  2. Click the vulnerable device inside a dialog that mentions pairing.
  3. Click ‘Pair’.

Web Bluetooth provides more warning to users than Android or iOS before giving access to the first device. Web Bluetooth also requires the same permission sequence for each additional device, so the malicious developer can’t attack devices the user wasn’t aware of.

Getting permission illicitly §

A developer can also hijack a trusted site’s permission to use Bluetooth devices.

Web Bluetooth is probably more vulnerable to this type of attack.

Attacking the kernel through Bluetooth APIs §

The kernel or Bluetooth drivers may be vulnerable to attack from the local machine, or from a remote radio as discussed below. The main defense we have here is to keep the API surface small and to run fuzz tests over that API. Web Bluetooth is helped by the GATT API being relatively small.

Attacking through non-Bluetooth channels §

A user who wants to access a Bluetooth device will follow instructions for how to do so. This may allow other attacks:

If we ship Web Bluetooth, users can get used to simple uses working on the web, which will help restrict the more dangerous native apps to the cases they’re actually needed.

Avoiding blockage §

Before a site or app is discovered to be malicious:

After a site or app is discovered to be malicious:

Web Bluetooth should be just as good at preventing attacks ahead of time, but doesn’t have as strong a response after we discover an attack.

Attacking the device §

Web Bluetooth does not take the extra CORS-like step of asking devices to opt into the origins that are allowed to communicate with them, but is still less likely to give access to exploitable device code.

Some Bluetooth devices intentionally allow firmware updates over a GATT channel. For example, Nordic Semiconductor has defined a Device Firmware Update service with a default implementation in their SDK. Unfortunately this implementation doesn’t check the update’s signature, which could enable an attack along the lines of the iSeeYou attack on USB. As a result, Web Bluetooth will probably add this service to the blacklist, and restrict unsigned updates to native apps. Firmware update services that do check signatures would not need to be blacklisted.

Malicious hardware manufacturers §

Websites that don’t know about Web Bluetooth aren’t affected by its existence, because they have to make an explicit function call to opt into it.

Because users get to choose the device they connect to a website, websites have to design around being given an incorrect device. They may still make incorrect and exploitable assumptions about how the device will respond to their messages. That said, this only affects the single exploited website: browser sandboxing prevents the damage from leaking to other sites.

Malicious hardware may also be able to work alone to attack a user’s computer, as described in the next section.

Malicious hardware manufacturers who also write websites §

Remote devices can also attempt to exploit a user’s computer. The most well-known example of this is innocent-looking USB devices that behave as keyboards or mice when plugged in. I’m told that neither apps nor browsers can pair with Bluetooth devices in a way that makes the devices into trusted keyboards, but I haven’t seen a reliable published source saying this.

Devices may also be able to attack a user’s kernel, possibly through their Bluetooth drivers. We haven’t yet fuzz-tested this attack surface, but we plan to before shipping the API.

The Physical Web makes it easier for malicious hardware to get users onto their website, than it would be to get them to install a native app. Web Bluetooth needs to validate that remote hardware can’t attack users’ systems through this route.

Conclusion §

Acknowledgements §

Thanks to Adrienne Porter Felt, Chris Palmer, Xifumi, Giovanni Ortuño, Vincent Scheib, Alex Russell, and François Beaufort for reviewing this. Any remaining mistakes are still mine.

This was originally published on Medium.