undefined | Better HN

Skip to content

Top Best Ask Show New Jobs

0 pointsKye4y ago0 comments

It was both surreal and concerning when I plugged in my new Launchpad X, went to Novation's website for their hardware tool, and got a firmware update directly from the page. I wish I had your confidence in the security practices of hardware companies. The growing IoT botnet swarm suggests it's misplaced.

0 comments

4 comments · 1 top-level

qbasic_forever4y ago· 3 in thread

How is it different from you downloading an executable binary from their site and running it? You're taking the same leaps of faith that the exe hasn't been tampered with, you haven't been man-in-the-middled, the developers of the exe wrote correct code, etc.

KyeOP4y ago

It's not Novation or the domain I distrust. It's the fact that it didn't have to ask for permission to connect. It just did it. I don't know if another site could just swoop in and drop a little firmware that makes my Launchpad show adorably profane things in a 64x64 grid. I can change permissions to require it to ask, but why isn't that default? It seems to be enabled now, but I don't know if that was me or a browser update.

RReverser4y ago

If it didn't even ask for permission, most likely it didn't use WebUSB, but connected via HTTP to a crappy local executable preinstalled by the vendor.

Such implementations exposing all sorts of critical stuff over local HTTP servers are often highly insecure, and are the very reason why WebUSB and other device APIs are being pushed as part of the browser.

qbasic_forever4y ago

You need to explicitly allow a site to access a device, it should pop up a dialog and ask the first time you initiate it: https://web.dev/usb/

You've got the same trust problem for any other exe you download and run though. Any steam game you play could reprogram your device to show profanity for example.

j / k navigate · click thread line to collapse