
Malicious Use of the HTML5 Vibrate API - edent
http://shkspr.mobi/blog/2014/01/malicious-use-of-the-html5-vibrate-api/
======
gcp
_It is not impossible to conceive of malicious code being able to exploit an
unpatched browser flaw and overdrive the motor to destruction._

Uhm, if your argument against a HTML5 API is "it's possible that the browser
is hackable" then I don't see the discussion going very far. Like, you can use
the same argument against HTTP support.

_Combine it with a WebRTC call and you're looking at a very convincing
scam._

WebRTC does require explicit user permissions.

I honestly don't see how the buzzing is in any way crucial in the explained
examples. You can mimic real UI and trick users. This has been around on
desktop for ages with fake Windows dialogs. Take away the buzz in the example
on the webpage and the majority of people will still "pick up the phone".

~~~
edent
(OP here)

It's certainly not "crucial" - but it's a lot easier to trick someone by
exploiting their brain's heuristics.

Phone vibrating _means_ alert. I think that could be enough to trick people
into overlooking elements like the title bar being visible, etc.

For example, I've noticed that some dodgy web adverts play the default Windows
Error.wav when displaying a fake "Your codecs need updating" error dialogue.
Not crucial, but adds credence.

I agree that the browser hacking is unlikely and probably shouldn't be
mentioned.

~~~
callum85
> I agree that the browser hacking is unlikely and probably shouldn't be
> mentioned.

It's not that it's unlikely, it's just irrelevant. "We might accidentally
introduce a security flaw" could be used as an argument against building
absolutely anything.

------
Udo
It doesn't even have to be a website. Phone scammers have been doing stuff
like this for ages with pretty low tech. A general rule of dealing with spam
like this is "if the source is unknown and it's from a pretty woman or an
investment firm, it's a scam". My phone's black list is quite long.

Of course, HTML-based ones can reach a larger number of users with little
investment, so it's reasonable to expect this will occur more frequently in
the future.

~~~
andyroid
How do you know if the woman on the other end is pretty? :)

There's a great app for Android (in Sweden, I suppose there are similar apps
for other countries) that searches digital phone registries on an incoming
call and after about a second displays whatever data it has found on the
incoming call screen (such as Telemarketing Company, Salesperson, etc.). It also
uses some form of rating system so if enough users have flagged a number, it
will warn me about it. This has saved me countless calls.

~~~
Shaanie
Which app, if you don't mind me asking?

~~~
andyroid
It's called "Vem ringde" ("Who called" in Swedish). I believe the iOS does not
grant enough permissions during an incoming call so when using the app on an
iPhone one can only do the lookup after the call has finished (answered or
missed) which explains the name (past tense). This is of course inferior to
the Android functionality, but this might have changed since last time I
checked.

~~~
cangelis
iOS version:
[https://itunes.apple.com/us/app/cia/id580455042?mt=8](https://itunes.apple.com/us/app/cia/id580455042?mt=8)

~~~
andyroid
Thanks cangelis! It's not really clear (or I'm a lousy reader) whether it
displays the information while the call is incoming or only when you've picked
up (or missed) the call. If it's the former, I'm glad to hear that it's
possible for iOS too!

------
AshleysBrain
Are any of those examples really only convincing if they can vibrate the
phone? Surely a scam that just involved that fake call screen while playing a
fake ringtone would be more or less just as effective? I can't imagine it's a
lot of people who wouldn't be fooled because they think "oh, it's fake, it's
not vibrating" who would suddenly be fooled by this.

~~~
Qworg
I think the vibrate would catch people who aren't really looking at their
phone and the x% of people who don't know how to really use their phone.

~~~
michaelmior
I think the percentage of people browsing the Web while not looking at their
phone is pretty low. I'm also not sure how the vibration would convince people
who don't know how to use their phone. I would suspect this group would
require less effort to manipulate.

~~~
tlarkworthy
Not many people click legitimate ads. _but a low enough percentage do, to make
marginal gains in their effectiveness highly sought after_

I suspect malware works the same. It costs little to deploy, so even if 1 in
10,000 people are fooled, it can be lucrative.

~~~
michaelmior
My point was that I don't think the vibration would make much of a difference.
But you're right that a small gain in the effectiveness could be worthwhile.

------
egeozcan
I'm surprised to learn that a web site doesn't need to ask for your permission
to access the Vibrate API. I think there must be a warning screen with the
list of permissions the web site wants, like the ones we're getting when
installing apps from app stores but with a twist so you can disable individual
permissions for a web site.

~~~
gcp
In Firefox right-click a page -> Page Info -> Permissions.

Some APIs are allowed by default and some aren't. For the discussion about
Vibration, see:
[https://wiki.mozilla.org/WebAPI/Security/Vibration](https://wiki.mozilla.org/WebAPI/Security/Vibration)

~~~
illyism
You can't do this on a phone however as far as I know. The vibrate API is
built for mobile devices.

~~~
michaelmior
I don't understand this statement. A phone is a mobile device.

~~~
edent
And, on mobile Firefox, there's no way to see the permissions of a page.
Certainly not that I can see of FF for Android.

~~~
lucasr
Firefox for Android developer here, you can long-tap on the location bar while
on the page and select 'Edit Site Settings'. Is that what you're looking for?

~~~
kbrosnan
That is only used if the API requires user confirmation. So things like
geolocation, camera, and microphone access will be shown. Adding the feature
from desktop should be a bug already. If not then we should file one.

------
pilif
I can't wait to see this being exploited by advertisements.

I'm already seeing this really bad trend of ads redirecting to the app store
which makes the page that did it completely unreadable (going back to Safari
shows an empty page) and now there's the prospect of the phone vibrating to
the blinking of the various ads wanting my attention?

If this goes on like this, I'll really need an adblocker on my phone.

~~~
Karunamon
Firefox on Android has plugin support, and Adblock Plus is one of those
supported. I'd definitely recommend it, makes mobile browsing suck so much
less.

------
theg2
Windows Phone, once again safe from the dangers of the Internet standards and
features!

~~~
judah
Hahah. I just tested this on my Windows Phone, Nokia 925, and yeah, not only
does it not vibrate, but it doesn't play the audio.

The audio was a surprise, since it runs my HTML5 radio software just fine. I'm
guessing the demo used OGG or some other audio format not supported by mobile
IE.

~~~
gcp
_I'm guessing the demo used OGG or some other audio format not supported by
mobile IE._

The demo uses MP3.

------
basicallydan
It's clear that this could easily become the new "YOU HAVE ONE NEW MESSAGE"
popup alert that fools, I suppose, many naive users. Not entirely sure what we
can do about this except properly educating people or hoping that people will
be savvy enough.

------
jheriko
This is already very possible if you create a phone app - it's even more
dangerous perhaps due to the lack of expectation of spam or traps from an app
(although this is a perception which is changing I'm sure), but it's already
there as a risk.

------
Zikes
> It is not impossible to conceive of malicious code being able to exploit an
> unpatched browser flaw and overdrive the motor to destruction.

Are there not restrictions at the OS or hardware level to prevent this?

~~~
yuubi
In the Dark Ages phone I saw, the processor got to turn on a transistor that
passed current to the vibrator. Normal operation was either off or full on;
there wasn't a way to write a bit greater than 1 to the port pin that
controlled the vibrator.

------
jlebar
(I designed and implemented the vibration API in Firefox.)

FWIW I liked this article. But one thing to note is that -- at least in
Firefox/Firefox OS -- a page/app can only vibrate the phone if it's "visible".
In the browser, a page is visible if it's in the topmost tab, if the browser
app is the currently-focused app, and if the screen is not locked/off.

At least, that's how it's supposed to work. :)
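
The visibility rule described in the comment above, written as a page-side gate in front of `navigator.vibrate()`. This is an added example, not part of the original comment and not Firefox's code. It goes further than the comment by also requiring a recorded user gesture and capping pattern length; both are assumptions, and every name in it is hypothetical.

```javascript
// Hypothetical policy wrapper; makeVibrateGate, MAX_TOTAL_MS and the env
// shape are illustrative names, not a browser or library API.
const MAX_TOTAL_MS = 2000; // assumed cap on one pattern (buzzes plus pauses)

function makeVibrateGate(env) {
  // env = { navigator, document }, injected so the gate runs outside a browser.
  let userActivated = false;

  // Call from a trusted tap/click handler to record a real user gesture.
  function noteUserGesture() { userActivated = true; }

  function pageIsVisible() {
    // visibilityState covers "topmost tab, screen on";
    // hasFocus() approximates "browser is the focused app".
    return env.document.visibilityState === 'visible' && env.document.hasFocus();
  }

  function vibrate(pattern) {
    const steps = Array.isArray(pattern) ? pattern : [pattern];
    if (!steps.every((n) => Number.isFinite(n) && n >= 0)) {
      return { ok: false, reason: 'bad-pattern' };
    }
    if (typeof env.navigator.vibrate !== 'function') {
      return { ok: false, reason: 'unsupported' };
    }
    if (!pageIsVisible()) return { ok: false, reason: 'not-visible' };
    if (!userActivated) return { ok: false, reason: 'no-user-gesture' };
    const total = steps.reduce((a, b) => a + b, 0);
    if (total > MAX_TOTAL_MS) return { ok: false, reason: 'too-long' };
    // Only now is the request passed on to the real API.
    return { ok: env.navigator.vibrate(steps) === true, reason: 'forwarded' };
  }

  return { vibrate, noteUserGesture };
}

// Constructed stand-in for a browser environment (not real browser objects).
function fakeEnv(visibilityState, focused) {
  const calls = [];
  return {
    calls,
    navigator: { vibrate: (p) => { calls.push(p); return true; } },
    document: { visibilityState, hasFocus: () => focused },
  };
}
```

In a real page the gate would be built with `makeVibrateGate({ navigator, document })` and `noteUserGesture` attached to a click or touch handler.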

------
shubb
When he says it would be possible to completely imitate a real call using
WebRTC and vibrate, what I hear is that this API combined with WebRTC could
replace phone calls.

Sure you could install a Skype app, but this opens the way to companies running
a private, webapp based VoIP system. In much the same way as they might use
Jabber now. All we need now is a decent opensource desktop VoIP app to pair it
with.

------
anuraj
Since HTML pages cannot open up by themselves, and user can navigate away, the
risk is lower compared to a native app which can do far more damage.
Nevertheless, permission mechanism should have been enabled.

~~~
TeMPOraL
What about ads? The ones that now e.g. pretend to be Skype pop-ups.

~~~
anuraj
HTML Popups have always been a problem and with retargeting the Ads are a
menace. And some clever spoofing is definitely possible. A proper ad/popup
blocker for native browsers would help.

~~~
TeMPOraL
I sometimes wonder why AdBlock doesn't silently simulate click on all ads in
the background. This way you not only protect users from ad bloat, you also
make an incentive for people to stop doing website ads.

------
thrillgore
It ALWAYS needs to be an "Ask First" approach in the browser. I'm starting to
have flashbacks of the days when people had music players that autoplay on
websites, and how I hated that.

~~~
gcp
This gets obnoxious very quickly. Current Firefox excludes Flash from
click-to-play because users were outraged against it. And note that Flash can do all
of these things.

~~~
thrillgore
Compared to having your phone vibrate ad nauseam for no determinable reason
whatsoever?

~~~
gcp
Look at it this way: pages using Vibrate won't necessarily obnoxiously vibrate
for no determinable reason.

But all of them will pop up the permission prompt.

------
userbinator
> It is not impossible to conceive of malicious code being able to exploit an
> unpatched browser flaw and overdrive the motor to destruction.

The vibrator motors used in phones are not that fragile and vibrate being
stuck on will more likely just annoy you and drain the battery faster than
usual -- that is, until you get annoyed enough to pull it out.

( _Maybe_ annoy you, as a quick search shows plenty of people who _want_ their
phone to vibrate continuously... for whatever reason.)

------
WiseWeasel
Most use of the vibrate API will obviously be malicious if it's implemented
without spam prevention; otherwise I won't be able to disable the feature fast
enough.

The only way this could be workable is if there were something like an HTML
meta tag for requesting vibrate support for scripts running from your domain,
and that would prompt a one-time dialog to white-list that domain for vibrate
support in JS.

------
crystaln
These are interesting hacks and there should probably be some ways to help
users avoid being deceived in this way.

However they don't have much to do with the introduction of the vibrate API.
What this assumes is that the phone vibration is something the user should or
could generally rely on to distinguish between genuine system functions and
fakes. That's just not true for many reasons.

------
exodust
I thought HTML audio couldn't be auto-played without first receiving a tap
from the user? If true, the fake phone call trick wouldn't be possible.

That's the limitation I noticed anyway when I had a quick go at an audio web
app a year ago. I couldn't get sounds to play on load without first a tap from
user - this was on iOS Safari anyway, I didn't test on other browsers.

~~~
judah
This is really a limitation on iOS, see my blog post on the subject here:
[http://debuggerdotbreak.wordpress.com/2012/06/12/apple-pleas...](http://debuggerdotbreak.wordpress.com/2012/06/12/apple-please-fix-html5-on-ios/)

It's a limitation that makes it quite annoying to build HTML5 audio apps,
which is what my startup does. I have several hacks in my code to accommodate
iOS's crippled HTML5 audio implementation.

------
sgarman
"No one cares about Windows Phone or BlackBerry - so I didn't test them."

Often these forgotten platforms have the most issues with
attackers/exploiters. There was just an article on here the other day about
the wave of Windows XP exploits we are bound to see now that it no longer gets
patched.

------
hartator
Can't wait for Adblock for iOS.

[However we get less annoying ads because Safari doesn't play Flash. Advertisers
are obviously moving to different kind of ads adapted to mobile. Anyway it's
reasonable to dread for the time that they'll catch up with the desktop ones.]

~~~
corobo
More annoying ads because they redirect to some random app in the store,
blanking the page in the process so you can't even go back to it

------
kordless
This could be another vector for transmitting data out of a device without
detection.

~~~
gcp
Without detection? Are you serious?

~~~
Semaphor
Without detecting that actual data is transmitted and not just some random
vibration.

I don't know how exact those motors are, but I could imagine it is possible
that even 2-3s of vibration could easily transmit a password.

------
robmcm
It's easy, just disable plugins!

oh wait...

------
coin
ASCII control-G all over again

