
Experimenting with Bluetooth in JavaScript in web, hybrid and React Native apps - jbmoelker
https://www.voorhoede.nl/en/blog/bluetooth-anywhere/
======
dazhbog
Similarly to WebBT, WebUSB has been a godsend for us. We were able to allow
customers to flash their units through their browser while logged in, and
driver-free on Mac, Linux and Android! If we could only get CDC serial port
support as well, so many products would talk bidirectionally with so many
websites.

From arduinos to music key pads, IoT devices, pocket oscilloscopes, sensors,
etc.

~~~
SlowRobotAhead
Years ago I went down the route of trying to get USB over browser and it was
not happening. Best I came up with was that if we did some real tricky stuff
with making the device a “printer” and using some usb/printer emulation stuff.
Abandoned it.

I assume like webBLE, that webUSB is Chrome only?

~~~
dazhbog
That's cool! Printing a hex file! :)

We tried a similar method of playing audio from the browser when it's actually
serial data. I think there are a few arduino platforms doing this now and it
works on PCs and phones.

Yes, unfortunately it is Chrome only. The good news is that our device didn't
really have to change at all to support Chrome. Most hardware devices'
bootloaders support DFU (Device Firmware Update) so all we had to do was
support DFU on our website.

------
oarsinsync
This is terrifying.

Unless it's designed with safeguards in place from the start to protect
against advertising/tracking abuses, I would rather this wasn't in my browser
at all.

Last thing I want is for a random website to hijack my bluetooth speaker and
start blaring out an advert at me.

~~~
edwinjm
Why do you think there are no safeguards? Why do you think this is terrifying?

~~~
asark
I dunno about the poster you were responding to, but any time the massive
worldwide spying platform I can't not use gains more capabilities I'm not
really thrilled about it. Even if the security against exploits is somehow
perfect, it'll leak data. It'll be used to spy on us. The whole platform
became hopelessly pwned when we started letting any ol' page send data without
explicit user action and say-so. The by-design low effort and rapid linking
between documents never should have been coupled with the capabilities of
Javascript.

~~~
edwinjm
If you think that any leaking will be used to spy on you, you'd better
deactivate bluetooth completely (seriously).

If you know of any real (not theoretical) threats, let us know. Until then I
(we) enjoy the convenience of modern technology.

~~~
pault
I wouldn't be concerned about random apps hijacking my peripherals since I
assume they will always need some kind of prompt to make a connection.
However, if the browser bluetooth API allows you to scan devices I would be
more concerned about fingerprinting.

~~~
SlowRobotAhead
This is how Bluetooth Beacons work.

The beacon sends out a signal which is the same as the connection
advertising format, but with the CONNECTABLE bit turned off. This gives 20-30
bytes or so of data you can stuff out there along with the UUID.

The app typically listens for UUIDs of beacons it cares about, and when it
sees it, collects the one-way device to app beacon data. Then does something
with that -

It's just that the "something" is usually reporting to a website that the
beacon has been seen. This is entirely how TILE find-it tags work.

So the threat model here is that if you can get someone to go to your website,
you could potentially see what BLE beacons are near that device and report
them.

I am not sure if SCANNING requires user consent - or just connection event
does.
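
The advertising payload described in the comment above, as an added example that is not part of the thread: a parser for BLE advertising data (length/type/data structures) that extracts the static identifiers of an iBeacon-format frame, which is exactly what a scanning app or page could report. The sample bytes and UUID are constructed, iBeacon is used as one common beacon layout, and the function names are hypothetical.

```javascript
// Added example: what a passive BLE scan exposes. An advertising payload is a
// sequence of AD structures: [length][type][data...], length covers type + data.
const AD_MANUFACTURER = 0xff;      // "Manufacturer Specific Data" AD type
const APPLE_COMPANY_ID = 0x004c;   // company identifier used by iBeacon frames

function parseAdStructures(bytes) {
  const out = [];
  let i = 0;
  while (i < bytes.length) {
    const len = bytes[i];
    if (len === 0) break;          // zero length marks trailing padding
    if (i + 1 + len > bytes.length) {
      throw new RangeError(`AD structure at offset ${i} overruns payload`);
    }
    out.push({ type: bytes[i + 1], data: bytes.subarray(i + 2, i + 1 + len) });
    i += 1 + len;
  }
  return out;
}

function parseIBeacon(data) {
  // company id (LE, 2) | 0x02 0x15 | UUID (16) | major (BE) | minor (BE) | tx power (int8)
  if (data.length !== 25) return null;
  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
  if (view.getUint16(0, true) !== APPLE_COMPANY_ID) return null;
  if (data[2] !== 0x02 || data[3] !== 0x15) return null;
  const hex = Array.from(data.subarray(4, 20), b => b.toString(16).padStart(2, "0")).join("");
  const uuid = [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16),
                hex.slice(16, 20), hex.slice(20)].join("-");
  const major = view.getUint16(20), minor = view.getUint16(22);
  // uuid/major/minor never change for a given beacon, so together they form a
  // stable identifier: the fingerprinting surface raised in the thread.
  return { uuid, major, minor, txPower: view.getInt8(24), stableId: `${uuid}:${major}:${minor}` };
}

function beaconsInPayload(bytes) {
  return parseAdStructures(bytes)
    .filter(ad => ad.type === AD_MANUFACTURER)
    .map(ad => parseIBeacon(ad.data))
    .filter(Boolean);
}

// Constructed sample: flags structure followed by one iBeacon frame (30 bytes).
const SAMPLE = Uint8Array.from([
  0x02, 0x01, 0x06,
  0x1a, 0xff, 0x4c, 0x00, 0x02, 0x15,
  0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
  0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
  0x00, 0x01, 0x00, 0x02, 0xc5,
]);
```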

------
sbr464
BLE (Bluetooth Low Energy) is really interesting. Here's a quick example[1], <
10 lines of javascript, to get your live heart rate per second from a Polar
H10 chest strap (tested with Chrome).

[1]
[https://gist.github.com/sbrichardson/6e8ad851311235eee5a63c7...](https://gist.github.com/sbrichardson/6e8ad851311235eee5a63c75003000d3)

------
jmull
They say "web" in the title, but that seems to mean browsers that support "web
bluetooth" API.

Is that one of those Chrome-only APIs? If so, it's not really "web" at all.

~~~
ericwood
It's got W3C backing, but it's one of those things (like web MIDI) that only
Chrome has bothered to implement. The APIs aren't intended to be proprietary
to just Chrome.

[https://www.w3.org/community/web-bluetooth/](https://www.w3.org/community/web-bluetooth/)

~~~
jmull
A community group doesn't mean W3C is backing it.

It's kind of weird that we seem to be going down the path of Google/Chrome =
Web. We already know how this story ends.

------
thefounder
Web bluetooth is nice, though it is not ready for production yet. For example you
can't build a tv remote control or bluetooth keyboard/hid.

~~~
SlowRobotAhead
>For example you can't build a tv remote control or bluetooth keyboard/hid

Why not?

WebBLE supports GATT read and write. BLE does have an HID mode, but the
primary way you are “supposed” to access BLE is via GATT transfers.

You could absolutely do a remote control right now. You would be at the mercy
of packet interval timing (7.5ms-50ms depending on agreed interval) so a gaming
keyboard wouldn’t be great, but typical use could absolutely be done... but guess
what, HID mode still has a minimum packet interval timing at 7.5ms. I’ve been
using BLE for years but still haven’t found a great use for HID mode.

~~~
thefounder
>> You could absolutely do a remote control right now.

No, you can't. I actually tried doing just that. Try it yourself and see how
spectacularly it fails. WebBle is just experimental as far as I'm concerned.

~~~
SlowRobotAhead
Ok... except that I have a remote operated device on BLE right now. I’ll let
the people in my group know it’s impossible though.

------
j1vms
Now for someone to properly 'dockerize' the browser so that you can flip a
switch on and off for those holes you actually need, or rather, the ones you
aren't willing to live without.

~~~
JBReefer
[https://hub.docker.com/r/selenoid/firefox](https://hub.docker.com/r/selenoid/firefox)

Like that?

