[TAGGED: EFF]
  1. Chrome allows silent enumeration of USB devices

    User consent is baked into the spec, but Google skips it.

    Via the Web MIDI API, Google Chrome (up to at least version 70) allows silent monitoring of all connected USB MIDI devices, such as MIDI keyboards and audio interfaces. While this enables interesting web applications such as software synthesizers, it also provides a new vector for shady ad networks and malicious actors to do very precise device fingerprinting and tracking. The API is trivial to access; for example, run this in a JavaScript console:

    navigator.requestMIDIAccess({sysex: false})
        .then(
            function(midiAccess) {
                console.log(midiAccess);
                for (var entry of midiAccess.inputs) {
                    var input = entry[1];
                    console.log('Found device: ', input.manufacturer, input.name);
                }
            },
            function() { console.log('Error: no MIDI access'); }
        );

    Assuming you have MIDI devices connected, this will output something like:

    MIDIAccess {inputs: MIDIInputMap, outputs: MIDIOutputMap, sysexEnabled: false, onstatechange: null}
    Found device:  Microsoft Corporation 3- UA-25EX
    Found device:  Midiman MIDIIN3 (Axiom Pro 61)
    Found device:  Midiman MIDIIN4 (Axiom Pro 61)

    From here, it's possible to listen for inputs on all connected MIDI devices (aka a MIDI keylogger!)

    Again, while Google most likely had noble intentions in providing this API, their implementation is half-assed. The Web MIDI Specification provides for a user consent step, similar to the confirmation dialogs that pop up around webcam access or push notifications, but Chrome skips over this and grants permission as soon as a script asks for it.

    Privacy implications

    On its face, the impact of allowing scripts to silently dump a list of USB MIDI devices seems minor—only a very small percentage of users will have MIDI keyboards or audio interfaces hooked up. But counterintuitively, this increases the privacy impact: because the number of users is small, Chrome's implementation of the Web MIDI API provides a new vector for very precise device fingerprinting.
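
    To put numbers on the point above, the following added example (not code from the original post) measures how identifying a MIDI device list is, using the anonymity-set size and surprisal in bits that fingerprinting studies report. The population counts and the "Example Audio" device are constructed, and the manufacturer/name split of the console output shown earlier is an assumption.

```javascript
// Added example. All population counts are constructed, not measured.

// Canonical form of what a script reads from midiAccess.inputs: sorted
// "manufacturer|name" pairs, so enumeration order does not change the key.
function canonicalDeviceList(devices) {
  return devices.map(d => `${d.manufacturer}|${d.name}`).sort().join('\n');
}

// For one device list, return how many browsers in the population share it
// (the anonymity set) and its surprisal in bits: -log2(share of population).
function identifiability(population, devices) {
  const key = canonicalDeviceList(devices);
  const matches = population.filter(p => canonicalDeviceList(p) === key).length;
  if (matches === 0) throw new Error('device list not present in population');
  return { anonymitySet: matches, bits: -Math.log2(matches / population.length) };
}

// Device list from the console output above (manufacturer/name split assumed).
const authorSetup = [
  { manufacturer: 'Microsoft Corporation', name: '3- UA-25EX' },
  { manufacturer: 'Midiman', name: 'MIDIIN3 (Axiom Pro 61)' },
  { manufacturer: 'Midiman', name: 'MIDIIN4 (Axiom Pro 61)' },
];
// Hypothetical common single-port interface (constructed).
const genericInterface = [{ manufacturer: 'Example Audio', name: 'USB MIDI' }];

// Constructed population of 1024 browsers: most expose no MIDI inputs.
function buildSamplePopulation() {
  const population = [];
  for (let i = 0; i < 1015; i++) population.push([]);
  for (let i = 0; i < 8; i++) population.push(genericInterface);
  population.push([...authorSetup].reverse()); // enumeration order must not matter
  return population;
}

const population = buildSamplePopulation();
const cases = [['no devices', []], ['generic', genericInterface], ['author setup', authorSetup]];
for (const [label, devices] of cases) {
  const { anonymitySet, bits } = identifiability(population, devices);
  console.log(`${label}: shared by ${anonymitySet} browser(s), ${bits.toFixed(2)} bits`);
}
```

    In this constructed population, a browser with no MIDI devices reveals almost nothing, while the three-port setup is unique and contributes about 10 bits on its own.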

    The Electronic Frontier Foundation (EFF) has a great write-up and demonstration of device fingerprinting techniques via their Panopticlick Project:

    When you visit a website, you are allowing that site to access a lot of information about your computer's configuration. Combined, this information can create a kind of fingerprint — a signature that could be used to identify you and your computer. Some companies use this technology to try to identify individual computers.

    To my knowledge, I don't believe EFF or anyone else has researched the impact of Web MIDI device leakage in the context of device fingerprinting. In practice, it seems like this could enable precise tracking of creative individuals in a manner that couldn't be blocked without disabling JavaScript entirely.

    Google can easily fix this!

    Again, the Web MIDI API provides a specification for user consent, and Google Chrome already has generic UI components to display user confirmation dialog prompts. It should be simple for them to implement a consent prompt and prevent malicious scripts from scooping up people's connected MIDI devices. While Google has a perverse incentive as the world's biggest advertiser to make it easier to track their users, again I believe the Chrome team had good intentions in setting up this API. They just did a bad job, and they should fix it.

    Posted 2018-10-20 12:14:00 PST by henriquez. Comments
  2. How the DEA covers up illegal evidence-gathering

    Secret phone records database used for “parallel construction” of evidence

    According to slides released by EFF, law enforcement agencies have been using Hemisphere, a secret phone records monitoring database, to build criminal cases against defendants and then cover it up by “fortuitously” happening across other evidence gained through legitimate channels. The 24-page slide deck describes the program, along with the elaborate techniques used to conceal the true source of evidence from judges, prosecutors and criminal defendants.

    Funded by the Office of National Drug Control Policy (ONDCP), the Hemisphere program is powered by a massive phone metadata monitoring database with advanced pattern-recognition algorithms designed to track individual targets, including location. Features include:

    • No need for a warrant! Near real-time access to phone records and metadata

    • Pattern recognition to identify individuals, even when they change phones

    • Location information for “tracking targets and placing them in certain areas at certain times.”

    Sounds great, right? The only problem, which the presentation skillfully dances around without explicitly acknowledging, is that it’s most likely illegal and unconstitutional. That’s why you “DO NOT mention Hemisphere in any official reports or court documents.” Instead, you use Hemisphere to gather the evidence you need, and then, by sheer luck, get the documents you need through official channels, or pull the right car over at the right place and right time. This is an evidence-laundering technique known as parallel construction, or as the Hemisphere presentation puts it, “Parallel Subpoenaing.” The presentation goes to great lengths to describe this, emphasizing how the program must remain secret.

    It's illegal.

    Under the U.S. Constitution, criminal defendants are entitled to due process of law, which means both that evidence against them must be obtained through legitimate means, and that they must be given a chance to challenge it in court. The Hemisphere program flies in the face of both of these requirements. Obtaining evidence through warrantless mass surveillance clearly violates the Fourth Amendment. Parallel construction conceals the true origin of evidence (illegally obtained evidence), making it impossible for defendants to challenge the practices of law enforcement agents.

    Under “Fruit of the poisonous tree” doctrine, if criminal evidence is gathered through illegal means, it’s inadmissible, and any further evidence obtained as a result of that evidence is also inadmissible. This is a legal precedent designed to prevent exactly what the government is doing with the Hemisphere program. On paper, our criminal justice system realizes that it’s better to let a few criminals walk free than allow the Constitutional rights of everyone to be systematically violated by shady law enforcement practices. Unfortunately, when evidence is concealed from the courts, it’s impossible for them to put a stop to this, and justice cannot be served.

    Posted 2014-09-14 04:19:00 PST by henriquez. 3 comments