The WebUSB API lets you interact with all the USB transfer/endpoint types:
- CONTROL transfers, used to send or receive configuration or command parameters to a USB device, are handled with controlTransferIn(setup, length) and controlTransferOut(setup, data).
- INTERRUPT transfers, used for a small amount of time-sensitive data, are handled with the same methods as BULK transfers with transferIn(endpointNumber, length) and transferOut(endpointNumber, data).
- ISOCHRONOUS transfers, used for streams of data like video and sound, are handled with isochronousTransferIn(endpointNumber, packetLengths) and isochronousTransferOut(endpointNumber, data, packetLengths).
- BULK transfers, used to transfer a large amount of non-time-sensitive data in a reliable way, are handled with transferIn(endpointNumber, length) and transferOut(endpointNumber, data).
This specification defines a way for the device to provide the UA with a set of static data structures defining a set of origins that are allowed to connect to it.
The methods above are the ways [TN: none really] in which this specification attempts to mitigate this attack vector, for once the device is under the control of an attacker (for example, by uploading a malicious firmware image) there is nothing that can be done by the UA to prevent further damage.
This specification recommends device manufacturers practice defense in depth by designing their devices to only accept signed firmware updates and/or require physical access to the device in order to apply some configuration changes.
BUT YOU NEEDED PHYSICAL ACCESS TO SEND USB PACKETS BEFORE ANDROID NEEDS ROOT ACCESS FOR IT NOW YOU LET ANYONE WITH A WEBSITE SEND LOW LEVEL CONTROL TO ALL MY PERIPHERALS WHY
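The defense-in-depth recommendation quoted above (accept only signed firmware, require physical access for configuration changes), as an added example that is not from the specification or the original post. It models the device side in Node.js; the `Device` class, `signFirmware`, the `buttonHeld` input and the key pair are hypothetical and constructed here.

```javascript
// Added example: models a device's update handler, not the WebUSB API itself.
const nodeCrypto = require('node:crypto');

// Constructed vendor key pair. A real device stores only the public key;
// the private key stays on the vendor's signing host.
const { publicKey: VENDOR_PUBLIC_KEY, privateKey: vendorPrivateKey } =
  nodeCrypto.generateKeyPairSync('ed25519');

// Hypothetical vendor-side step: sign the firmware image bytes.
function signFirmware(image) {
  return nodeCrypto.sign(null, image, vendorPrivateKey);
}

// Hypothetical device model. `buttonHeld` stands in for a physical-presence input.
class Device {
  constructor() {
    this.firmware = Buffer.from('factory image v1'); // constructed sample image
    this.config = { debugPort: false };
    this.buttonHeld = false;
  }

  // Handler for a firmware payload received from the host over USB.
  applyFirmware(image, signature) {
    // Ed25519 signatures are exactly 64 bytes; reject anything else up front.
    if (!Buffer.isBuffer(signature) || signature.length !== 64) {
      return 'rejected: malformed signature';
    }
    if (!nodeCrypto.verify(null, image, VENDOR_PUBLIC_KEY, signature)) {
      return 'rejected: bad signature';
    }
    this.firmware = Buffer.from(image); // flash only after verification succeeds
    return 'accepted';
  }

  // Configuration changes need the user at the device, whatever the host sends.
  applyConfig(key, value) {
    if (!this.buttonHeld) return 'rejected: physical presence required';
    this.config[key] = value;
    return 'accepted';
  }
}

// Walks the cases: tampered image, genuine image, config change without the button.
function demo() {
  const device = new Device();
  const good = Buffer.from('vendor image v2');
  const sig = signFirmware(good);
  const tampered = device.applyFirmware(Buffer.from('vendor image v2 + implant'), sig);
  const unchangedAfterTamper = device.firmware.toString();
  const genuine = device.applyFirmware(good, sig);
  return { tampered, unchangedAfterTamper, genuine, configNoButton: device.applyConfig('debugPort', true) };
}
```

With checks like these on the device, a page that has been granted access can still send transfers, but it cannot replace the firmware or change guarded settings without the vendor's key or the user's hands on the hardware.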