Malicious Use of the HTML5 Vibrate API
There is a new API in town! HTML5 will (soon) let you make the user's device vibrate. What fun! Obviously, it's useful for triggering alerts, improved immersiveness during gameplay, and all sorts of other fun things like sending Morse Code messages via vibration.
At the moment, Chrome (and other Android browsers) ask for permission before accessing features such as geo-location, camera, address book etc. This is a security measure to prevent your private information leaving your hands without your knowledge.
At the moment, accessing the HTML5 Vibrate API doesn't trigger an on-screen warning. Its use is seen as pretty innocuous because, realistically, the worst it can do is prematurely drain your battery. Right?
I'm not so sure.
Evil Thoughts
We've all seen those scummy adverts designed to look like Windows pop-ups. They usually pose as a legitimate system request - "Update Java" or similar.
Suppose a malicious web page pops up a fake system notification and vibrates at the same time. How confident would you be of telling the difference between a legitimate pop-up and a .png on the web page you're viewing? After all, the phone buzzed - so it must be genuine.
Are you really receiving an "AirDrop" - or is this page trying to trick you?
Autoplaying sound on adverts is annoying - auto-vibration could be just as irritating. Imagine searching through tabs until you found the single advert which was pulsing away trying to get you to buy new insurance.
For now, the intensity of the vibration cannot be controlled - only the duration. It is not impossible to conceive of malicious code being able to exploit an unpatched browser flaw and overdrive the motor to destruction.
Faking Telephone Calls
When combined with HTML5 Audio, it would be possible to create a fairly realistic "Incoming Call" screen which vibrated and played a ringtone. Once "answered", the page could play some audio which says "Hi, can you call me back urgently - my number is [premium rate line]" and then, perhaps, automatically open up the dialer using the tel: URI.
Could you tell if the above was a real phone call? If you looked closely, probably, but when the browser is playing your phone's default ringtone and the handset is vibrating, it would be pretty easy to be confused. Combine it with a WebRTC call and you're looking at a very convincing scam.
Video Demo
Source Code
Here's a basic example which you can try on your own phone - demo site.
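<body>
  <script type="text/javascript">
    // Use the unprefixed method where available, otherwise a vendor-prefixed one.
    navigator.vibrate = navigator.vibrate || navigator.webkitVibrate || navigator.mozVibrate || navigator.msVibrate;
    // The pattern alternates vibrate/pause durations in milliseconds.
    // Skip the call on browsers with no vibrate support instead of throwing.
    if (navigator.vibrate) {
      navigator.vibrate([1000, 500, 1000, 500, 1000, 500, 1000, 500, 1000, 500, 1000, 500, 1000, 500]);
    }
  </script>
  <!-- Image of a call screen; tapping it opens the dialer through a tel: URI -->
  <img width="100%" src="phone.png" onclick="window.location.href='tel:09098790815';" />
  <!-- The ringtone starts as soon as the page loads -->
  <audio autoplay="autoplay">
    <source src="ring.mp3" />
  </audio>
</body>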
At the moment, the auto-vibrate and auto-ring only work on Firefox for Android. But no doubt other browsers will follow suit soon.
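A defensive counterpart to the demo above, added here as an example and not part of the original post: a static triage function that flags page source combining a vibrate call, autoplaying media and a tel: or sms: link. The signal names, verdict labels, the 3000 ms threshold and both sample pages are constructed for illustration.

```javascript
// Added example (not from the original post): static triage of page source
// for the vibrate + autoplay ringtone + dialer-link combination.
// Signal names, verdict labels and the 3000 ms threshold are assumptions.
const SIGNALS = [
  { name: 'vibrate-call', re: /\b(?:webkit|moz|ms)?vibrate\s*\(/i },
  { name: 'autoplay-media', re: /<(?:audio|video)\b[^>]*\bautoplay\b/i },
  { name: 'dialer-uri', re: /\b(?:tel|sms):\+?[\d\s().-]{3,}/i },
];

// Sum the "on" entries (even indexes) of every literal pattern passed to vibrate().
function vibrationMs(source) {
  let total = 0;
  for (const m of source.matchAll(/vibrate\s*\(\s*(\[[^\]]*\]|\d+)/gi)) {
    (m[1].match(/\d+/g) || []).forEach((n, i) => {
      if (i % 2 === 0) total += Number(n);
    });
  }
  return total;
}

// All three signals together match the fake-call layout; vibration plus one
// other signal, or a long buzz on its own, is queued for a human to look at.
function triage(source) {
  const hits = SIGNALS.filter((s) => s.re.test(source)).map((s) => s.name);
  const buzzMs = vibrationMs(source);
  let verdict = 'ok';
  if (hits.length === SIGNALS.length) verdict = 'likely-fake-call';
  else if (hits.includes('vibrate-call') && (hits.length === 2 || buzzMs > 3000)) verdict = 'review';
  return { hits, buzzMs, verdict };
}

// Constructed samples: one mirrors the structure of the demo above with a
// placeholder number, the other is an ordinary page with short haptic feedback.
const FAKE_CALL_PAGE = `<body><script>
navigator.vibrate([1000, 500, 1000, 500, 1000, 500]);
</script>
<img src="phone.png" onclick="window.location.href='tel:0000000000';" />
<audio autoplay="autoplay"><source src="ring.mp3" /></audio></body>`;
const GAME_PAGE = `<button onclick="navigator.vibrate(200)">Fire</button>`;

console.log(triage(FAKE_CALL_PAGE));
console.log(triage(GAME_PAGE));
```

The regular expressions only see literal calls in the delivered source, so a page that builds the pattern at run time needs dynamic inspection instead.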
Warnings
Firefox was the only browser I found which supported Vibrate - on Android, neither Samsung's browser, Chrome, nor Opera did - iPhone also doesn't yet support it. No one cares about Windows Phone or BlackBerry - so I didn't test them*.
Firefox doesn't currently ask for permission when a page requests access to vibrate.
Do you think browsers should warn before a page vibrates - or is the risk too low? I guess we'll have to see if the scammers take advantage of it - and whether there is a user backlash.
*Update: thanks to the comments on Reddit and on HackerNews it would appear that BB10 does support the vibrate API, Windows Phone doesn't.
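One way the gating asked about above could look, as an added example rather than code from the post or from any browser: a wrapper in front of the native vibrate() that refuses requests from hidden pages, requests without a recent user gesture, over-long patterns, and pages that exceed a vibration budget. The env object, the policy numbers and the reason strings are assumptions.

```javascript
// Added example (not browser or project code): a gate placed in front of the
// native vibrate(). The env shape and all policy numbers are assumptions.
function makeGuardedVibrate(nativeVibrate, env, policy = {}) {
  const { maxPatternMs = 2000, budgetMs = 5000, windowMs = 60000, gestureMs = 5000 } = policy;
  let spent = []; // [timestamp, ms] for each request that was let through
  const blocked = []; // audit trail of refused requests

  function guarded(pattern) {
    const list = Array.isArray(pattern) ? pattern : [pattern];
    // Total pattern length, pauses included; junk entries count as 0.
    const total = list.reduce((sum, n) => sum + Math.max(0, Number(n) || 0), 0);
    if (total === 0) return nativeVibrate(0); // cancelling is always allowed

    const now = env.now();
    spent = spent.filter(([t]) => now - t < windowMs);
    const used = spent.reduce((sum, [, ms]) => sum + ms, 0);

    let reason = null;
    if (!env.isVisible()) reason = 'page-hidden';
    else if (now - env.lastUserGesture() > gestureMs) reason = 'no-user-gesture';
    else if (total > maxPatternMs) reason = 'pattern-too-long';
    else if (used + total > budgetMs) reason = 'budget-exhausted';

    if (reason) {
      blocked.push({ at: now, total, reason });
      return false;
    }
    spent.push([now, total]);
    return nativeVibrate(list);
  }
  guarded.blocked = blocked;
  return guarded;
}

// Constructed scenario: a page that vibrates on load, then after a tap.
function demo() {
  const state = { t: 0, visible: true, gesture: -Infinity };
  const env = { now: () => state.t, isVisible: () => state.visible, lastUserGesture: () => state.gesture };
  const vibrate = makeGuardedVibrate(() => true, env);
  const ring = [1000, 500, 1000, 500, 1000, 500];
  const results = [vibrate(ring)]; // on load, no gesture yet
  state.gesture = 0;
  state.t = 100;
  results.push(vibrate(ring), vibrate(200)); // too long, then a short tap buzz
  state.visible = false;
  results.push(vibrate(200)); // tab now in the background
  return { results, reasons: vibrate.blocked.map((b) => b.reason) };
}
```

In a page or extension the first argument would be `navigator.vibrate.bind(navigator)`, with env backed by `document.visibilityState` and a timestamp recorded in input event listeners.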
Re "Imagine searching through tabs until you found the single advert which was pulsing away trying to get you to buy new insurance.", the vibration API spec is pretty clear that you should only vibrate from a visible Web page. And I expect that if vibration proves to be used annoyingly, browsers may end up providing an easy way to mute "web sites", or even handle them as they have handled pop ups.
Re unpatched browser flaw destroying the motor, it would also have to be on an OS that doesn't prevent applications from doing so; and if one starts from a flawed browser, then no permission grant in the world would change anything to the problem (because you could then also assume that that permission grant could be buggy).
While vibration may add credibility to your (clever) pseudo-call attack, arguably the audio and visual aspects are sufficient to make it convincing on its own. I think the real attack vector here is that calling an innocuous looking number can cost you money.
I guess the case can be made that users don't expect Web pages to have certain capabilities, and the surprise this creates can be exploited maliciously; but that's probably true of any new capability, and unless we want to gate any such new capability behind a browser prompt, this is probably unavoidable.
See also some of my recent research on browser permission management: http://lists.w3.org/Archives/Public/public-web-mobile/2014Jan/0001.html
Thanks for your comment. I agree that some scenarios are unlikely. Its real danger, as you've identified, is that unexpected behaviour can lend credence to an otherwise obvious attack. For example, if you take a look at this fake "Android virus alert" - how much more convincing would it be if the phone vibrated with its "alert"?
It will be interesting to see how this develops - and I look forward to reading more about the permissions model.
T
Craptastic says:
Glen says:
Michael van Ouwerkerk says:
* Navigates away
* Reloads the page
* Switches to a different tab
* Closes the tab
* Sends the browser to background
* Turns the screen off
It should also not start at all if vibration is turned off for the phone as a whole i.e. it's on silent.
There are also limits to how long the device will vibrate.
Try it out here: http://jsbin.com/UKamoNID/1
Also, if the user doesn't like the page, he can close it and not go there again. It is the most basic way of user control in a browser, and proven to be quite effective. If it turns out that this feature really does get abused a lot, like browser popups did, then we'll have more data. This would give better insight into how to counter the abuse without degrading the user experience for valid usage.
a@mailinator.com says:
jnesselr says:
Of course, redirecting ads are a big problem with mobile anyway. I hate when I'm on a site and suddenly Google Play pops up because some ad redirected me. One of these ads could easily tell me I need to download something to improve my phone. That app could install apps itself if it had the right permissions.
Below Standards says:
I'm fine with the API, it's up to the browsers to provide a mechanism to turn it off.
You're right that the call has to be initiated - but it could just as easily be a premium rate SMS, or a prompt to install some malware, etc.
I very much agree that vibration allows you to get the user's attention much better than without it, but I am not sure about the credibility aspect of it. In essence this is like a fake browser toolbar and a ping sound - or a desktop notification like Chrome has with a ping sound.
My fave fake interface lately was this: https://www.youtube.com/watch?v=3SKDbmQosfg
joe says:
Hellman Holst says:
After all, can you really stop someone malicious from doing malicious things? I don't think the "ask for permission popup" model would offer us a better guarantee...
me says:
kuku says:
The ads just hijack the hyperlink, up to the point that I want to throw the phone out of the window or smash it with a hammer...
subs says:
Although 'not impossible'- pretty close. Lots of good stuff in this post and the comments, but when you get a bit preachy and come up with something like the line above, it detracts from the more reality-based parts of the post.
Terence Eden says:
http://www.androidcentral.com/stagefright
Sites that make the phone vibrate continuously... that is surely not a normal thing to experience. So yes, it's a site we should stay far away from... but suppose we entered a site, I mean just selected it on Android, and suddenly the phone vibrated... now we closed the page, then the app, without pressing any popups... this way, is our phone safe?!
I faced this a year back and now just 5 min back... and I did what I said above, so... am I good now?!
Other question is... will it harm my device or corrupt some files... or let a virus enter?
Terence Eden says:
Yokozuna says:
Unfortunately, Apple, Google, Microsoft and now, W3C, believe that we humans are too stupid to participate in the management of the devices and services that we purchase from them. Well, as evidenced by the hundreds of thousands of complaints made by tens of thousands of users who are disenfranchised by these ignorant, harmful design decisions, the system is not working.
garywzh says:
F**K HTML5
year after a year, this SHIT is STILL happening
RavanH says: