R
Show HN
Show HN: I built an HTML5 RTL-SDR application
There are lots of RTL-SDR applications, but you have to install them. I used the HTML5 USB API that exists in Chrome (did you know about it?) to build one that you can run straight from your browser, on your computer or your Android phone.
it's a chrome application not an html5 one. It only works on one browser (and its forks) because it uses proprietary, nonstandard apis.
> because it uses proprietary, nonstandard apis

What are the other APIs to have USB access?

there isn't a browser based usb api. It's as simple as that. You're coding for chrome, not the web
Chrome, edge, opera, brave and many more. Just Safari doesn't support it, as always lagging behind. Firefox is out of the equation long ago.
yes.... all of those are google chrome with lipstick. Doesn't change the fact that it is not a web standard.
> Doesn't change the fact that it is not a web standard.

Let the "Safari not Supported" era begin!

or firefox
Write a proper GUI application.
nit: The WebUSB API isn't really a part of "HTML 5"

https://wicg.github.io/webusb

The correct definition for WebUSB is "Chrome API", as no other browser intends to implement it.
Edge supports WebUSB.
Edge is just a Chromium fork, though.
Yes, but so is Chrome and many other browsers.
  • M95D
  • ·
  • 2 weeks ago
  • ·
  • [ - ]
You shouldn't treat them as different brosers. They're just skins.
They're chromes (because that's what the UI portion is called)
I don't think that's true. They are different enough.
we're talking about the engine, not the skin put on it. They're only different in the ui
Chrome-only is not correct either and that's what Chrome API sounds like
“Chromium API” then.
`<radio-receiver></radio-receiver>` let's get that in html6!

Nice use of web components!

HTML is a living standard. There likely won't ever be a "html6".

https://html.spec.whatwg.org/multipage/introduction.html#his...

It's a living standard for today, but no one knows what tomorrow brings
Yeah, that is why I said likely.
Exactly. And there is no HTML5, either.
I wish Firefox would implement this API too, it's been years.
Mozilla's position is to not implement this API due to security and privacy concerns, and I agree with them on that even though I'd really like to use this API too.
Given that it's been available in Chrome for 7 years, if there were any security and privacy concerns we should be able to point to at least one abuse of this API right?
I'd say predicting instances of abuse of this API is tied to usage of the API, not existence of the API. I'd argue it's extremely generous to say we'd see a case of abuse after 10 deployments of this API. Can we point to at least 10 deployments of this API?

[Ed.:] https://github.com/webusb/awesome lists applications using this API. It's 11≈14 depending on how you count. Most of them are pretty fringe, except arguably the 3 update/flash tools and maybe the Android mirror.

I'm not sure I'd expect to have seen a case of abuse here yet.

That doesn't make any sense. The API is available for abuse independently of how many legitimate users there are.

Or are you thinking only about attacks where the attackers have a genuine reason to ask for USB access? Because IMO that is going to pretty rare, and also not very interesting because in those cases the alternative is you download an executable with unlimited permissions.

But in any case it makes no difference. If the API has been available to 75% of users for 7 years, it's downright idiotic to think making it available to 77% of users will make a difference.

I'd argue that:

- a large part of privacy issues only exist under legitimate use cases

- a comparatively smaller but still relevant part of security issues would involve attacking (e.g. code injection) a legitimate web application (which the user may already trust) as a first step, and progressing from there

- the fact that such few genuine use cases exist makes users much less likely to accept any illegitimate use, since it will be a permission request box that they have never seen before and haven't been desensitized to

Yeah... It's an accident waiting to happen with someone's security key. (Yes, I'm aware chrome tries to protect that one... for now) We really need more intentionality around hardware use. There's many SDR apps already packaged for all systems. Stop trying to juggle chainsaws, please!
The UI makes it very obvious as you have to select a device.

Anyone who is worried, including corporations, can disable it.

The UI also very temptingly looks like all the website can do is use the device for its intended function, because that's how normal users think and how it should work. But most devices were built with an assumption of trust between the driver and hardware, and now suddenly there's a security boundary there. With this there's an untrusted agent interacting with a device that may have vulnerabilities, which can itself then also interact with vulnerabilities the host may have towards USB devices.

It's not that this can't be done, it's that this is changing the rules that existing security is built on.

I would try to make it work with whitelists and/or restricting the functionality to browser add-ons rather than plain websites. Both add extra checkpoints where some security can be added back in, or rather perform this "weakening" of the previous security boundary in a more controlled manner.

What's the difference between a website accessing the USB device, and downloading an app that accesses it? (Apart from the website being more convenient and cross platform.)

To put it another way, why is it ok to trust Arduino.exe but not Arduino.com?

- People have been trained to understand downloading and executing an "Arduino.exe" is potentially dangerous and that they need to check if they trust the source

- most OSes expect a digital signature on "Arduino.exe" these days

- there's a whole ecosystem of protection and antivirus software that attempts to detect malicious use

- depending on your OS, an "Arduino.exe" can't even access USB devices without an additional signed driver and/or further administrative privileges

- a code injection attack against "Arduino.exe" is much harder; unlike "Arduino.com" which can load entirely different on each visit, you need to exploit an (easier to protect) auto-update mechanism. (Depending on the use case, an application can also be just fine without an update mechanism.)

- "Arduino.exe" isn't built on an ecosystem that routinely loads 3rd party code from outside sources

And to repeat, I don't think WebUSB in general is a bad idea. I'm arguing the security model should be more restrictive; that's why I suggested:

> I would try to make it work with whitelists and/or restricting the functionality to browser add-ons rather than plain websites.

The browser add-on ecosystem is IMHO a better framework to build something like WebUSB in, but to be fair I haven't spent thought on a more in-depth evaluation of this. Also note that there's good precedence for whitelist systems, e.g. in WinUSB the USB device itself can already do some signalling. (But that doesn't work for older USB devices and has its own can of worms…)

> depending on your OS, an "Arduino.exe" can't even access USB devices without an additional signed driver and/or further administrative privileges

Which OS are you thinking of? WebUSB doesn't need any additional drivers, so if the browser can do it I assume any app can do it.

The extra friction is a feature. People just click through popups that stop them from doing things in existing apps and on the websites. I'm sure I've accidentally allowed something before just because an element was underneath before the popup.

On the other hand, you don't accidentally install an app.

> What's the difference between a website accessing the USB device, and downloading an app that accesses it?

Arguably the browser is far more secure. A hypothetical "Arduino.exe" can access anything, not actually select the USB device the user selected due to a bug.

> Arguably the browser is far more secure.

The browser is far more secure because everything it allows access to is tightly controlled, in most cases by scoping it to the website. Even if you grant persistent camera/microphone access, it remains scoped temporally: you need to have the website opened up.

An USB device fundamentally does not support this security model. Code that can interact with an USB device can put persistent state on it without any checks enforced upon it. That USB device may later interact with other (bug-laden) code on the same system, or even worse, be moved to a different host entirely, with a different OS stack there, and trigger interactions there.

Yes, the browser is far more secure — because it has very few (anti-)features like this. I'm incredibly happy that WebUSB is not particularly commonplace to use. Having secure browsers is more important to me than the convenience of USB access from websites.

The problem isn't the UI, the problem is that like all software, browsers have bugs, and a CVE in this part of the code base could have catastrophic consequences. Chromium and its derivatives are highly reviewed code bases, both by good and bad actors, and there's still a considerable list of CVEs every year.
> The problem isn't the UI, the problem is that like all software, browsers have bugs, and a CVE in this part of the code base could have catastrophic consequences. Chromium and its derivatives are highly reviewed code bases, both by good and bad actors, and there's still a considerable list of CVEs every year.

That is an argument against any feature whatsoever beyond maybe a JS-free links/lynx browser. The worse browser bug is a sandbox escape that can obtain root privileges. This has been done by exploiting many different JS features. USB communication is not more of a hazard than webgl or setTimeout().

> USB communication is not more of a hazard than webgl or setTimeout().

It is though. setTimeout is very limited. WebGL does lots custom allocations which are ripe for exploits (like the native arrays in JS). USB has all that + the scope of every device plugged in which may come with its own issues.

Good!
Awesome! There's so much you can do with the browser now. Thanks for making an SDR app that's "gone native."
I'm unable to get it to work with my receiver (setRegBuffer failed block=0x600 reg=74, Caused By: RadioError.UsbTransferError: USB write failed value=0x74 index=0x610 status=stall), but I love the idea!

Looking forward to a local webusb+rtlsdr based Flightradar.

Is your stick an RTL-SDR Blog V4? Because it looks like the failure happens when accessing a R828D tuner, which should be supported.
Unfortunately I don't know what device it is. Would a lsusb help?
If you don't know, it probably isn't; they brand it quite extensively both outside and in the USB manufacturer strings (it appears as "Blog V4" in the device selection window.)

If it is indeed not one of them, I'd be interested in getting one to test on, so I'd like to know where you got it from. Can you email me? My address is trivial to find or figure out knowing my website is https://jacobo.tarrio.org :-)

I took a closer look. It's a Hama Nano DVB-T (00053330), over a decade old.
Ah yeah, E4000 tuner, those were hard to come by even 10 years ago, so I didn't support them. Only R820 and R828 and compatibles...
This is awesome, great work! Is there anywhere I can follow development on this? I'm really interested in seeing this evolve.
I don't have a dedicated place for announcements and such, but I post on my Bluesky whenever there's a major improvement (@jacobo.tarrio.org).

And you can always star it on GitHub: https://github.com/jtarrio/radioreceiver

Awesome, thank you
Do you plan on expanding the functionality?

It is really amazing how flawless it work. You should do a blog post describing how you did it.

Yes, next up is frequency/band management. Recording will come later. Later still, who knows :-)
Awesome! On mobile now but intend to try it with my HackRF later. Anything to consider, or should work fine?
That it only supports rtl-sdr sticks, not HackRF. So the HackRF will not work.
What's the benefit in using a browser for this?
This is cool!
Excellent work!
Wow that’s cool