Firefox May Not Support WebUSB — But R's Proof-of-Concept Shows It Can Talk to USB Devices Anyway
Abuse of the Universal Second Factor (U2F) API delivers an alternative to WebUSB — but it's not a security vulnerability.
Pseudonymous "full-stack hacker" "R" has found a way to get around Mozilla's dislike of the WebUSB application programming interface (API), convincing the Firefox browser to communicate with a Raspberry Pi Pico over a USB connection — by abusing the Universal Second Factor (U2F) API instead.
"We finally got around to actually proving out a cursed idea for getting access to USB devices from Firefox (which refuses to support WebUSB)," R explains of the trick. "This approach is horrible and inefficient, but it allows access to a device without requiring any user intervention or permission prompts."
WebUSB is a draft-status standard for allowing web applications to communicate with USB devices connected to the host computer, and is currently only implemented in browsers based on the Chromium engine. If you've ever used your browser to flash new firmware to a microcontroller, you've used WebUSB — but Mozilla's Firefox does not have, and may never get, support for the API.
What Firefox does have, however, is support for security keys, through the Universal Second Factor (U2F) specification. This includes accessing said keys over a USB connection — which is what gave R the idea for a hacky workaround.
The trick is simple: custom firmware on a USB-connected microcontroller — in this case a Raspberry Pi Pico board with an RP2040 at its heart — pretends to be a U2F security key, while a custom webpage pretends to request authentication from it. The page then uses that authentication channel to send commands to the microcontroller; in the simple demo, pressing one button or the other turns an LED on or off.
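To make the relay concrete, here is an added JavaScript sketch (not R's code; the "PICO" tag and the one-byte command are assumed, not the project's actual format) of the U2F authenticate message layout and why a colluding device can use it: the browser passes the key handle and the signature through as opaque bytes, and only a device that deliberately accepts handles it never issued will answer.

```javascript
// Added example, not from R's repository. FIDO U2F raw message format:
//   U2F_AUTHENTICATE request = challenge param (32 B) || application param (32 B)
//                              || key-handle length (1 B) || key handle
//   response                = user presence (1 B) || counter (4 B, big-endian) || signature
// The browser relays the key handle and the signature without interpreting them.
const TAG = [0x50, 0x49, 0x43, 0x4f]; // "PICO": hypothetical marker, not the project's format
const CMD_LED_OFF = 0;
const CMD_LED_ON = 1;

// Page side: wrap a one-byte command in a fake key handle inside a sign request.
function buildAuthRequest(command, challengeParam, appParam) {
  if (challengeParam.length !== 32 || appParam.length !== 32) throw new Error('params must be 32 bytes');
  const keyHandle = Uint8Array.from([...TAG, command]);
  const req = new Uint8Array(65 + keyHandle.length);
  req.set(challengeParam, 0);
  req.set(appParam, 32);
  req[64] = keyHandle.length;
  req.set(keyHandle, 65);
  return req;
}

// Split a request into its fields, as any authenticator must before deciding to answer.
function parseAuthRequest(req) {
  const len = req[64];
  if (req.length !== 65 + len) throw new Error('bad key handle length');
  return { challengeParam: req.slice(0, 32), appParam: req.slice(32, 64), keyHandle: req.slice(65) };
}

// Constructed device simulation. A genuine key answers SW_WRONG_DATA to a handle it did not
// mint; the intentionally rule-breaking firmware instead treats tagged handles as commands.
function simulateDevice(state, req) {
  const { keyHandle } = parseAuthRequest(req);
  const tagged = keyHandle.length === TAG.length + 1 && TAG.every((b, i) => keyHandle[i] === b);
  if (!tagged) return { status: 'SW_WRONG_DATA' };
  state.led = keyHandle[TAG.length] === CMD_LED_ON;
  state.counter += 1;
  const resp = new Uint8Array(6);
  resp[0] = 0x01; // user-presence flag asserted without any touch, hence no prompt
  resp[1] = (state.counter >>> 24) & 0xff; resp[2] = (state.counter >>> 16) & 0xff;
  resp[3] = (state.counter >>> 8) & 0xff;  resp[4] = state.counter & 0xff;
  resp[5] = state.led ? 1 : 0; // "signature": arbitrary bytes carried back to the page
  return { status: 'SW_NO_ERROR', response: resp };
}

// Page side again: the page reads the device's reply out of the signature field.
function parseAuthResponse(resp) {
  const counter = ((resp[1] << 24) | (resp[2] << 16) | (resp[3] << 8) | resp[4]) >>> 0;
  return { userPresence: resp[0], counter, ledState: resp[5] };
}
```

The real page hands the request to the browser's security-key API rather than to `simulateDevice`; a conventional authenticator would reject the forged handle, which is why R stresses that only a deliberately misbehaving device is reachable this way.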
"This cannot be used to access arbitrary USB devices," R notes. "It only works with devices which are intentionally breaking the rules. In essence, this is an intentionally vulnerable device. However, it is known that the security model around USB devices is generally… questionable on most platforms. Plugging in a malicious USB device allows it to do anything that you yourself can do with devices such as a keyboard or a mouse. Do not plug arbitrary unknown devices into your computer (or your phone, etc.)."
The project is documented in full, including source code under the permissive 0BSD license, on GitHub; additional information is available in R's Mastodon post.