Remove or randomize serial numbers from WebUSB-accessible devices

[pes10k]

Currently sites can use WebUSB to try and get access to users USB devices. This is permission gated, so its a rare occurrence on the web, but must happen somewhere.

If you give a site access to a USB device, the site can learn the serial number for that USB device, which in some cases will be a fixed global identifier for your machine. We should probably remove, randomize or farble these serial numbers.

[LaurenWags]

@pes10k @pilgrim-brave could we please get a test plan for this one since it's labeled QA/Yes?

Marking as QA/Blocked until the above is sorted.

[pes10k]

okie i'll add one now, hope to have it done by the all hands

[pes10k]

@LaurenWags here ya go https://dev-pages.brave.software/fingerprinting/devices.html (the second test on the page)

[LaurenWags]

Thanks for the quick assistance @pes10k!

[MadhaviSeelam]

Verification PASSED using

Brave | 1.51.79 Chromium: 112.0.5615.49 (Official Build) beta (64-bit)
-- | --
Revision | bd2a7bcb881c11e8cfe3078709382934e3916914-refs/branch-heads/5615@{#936}
OS | Windows 11 Version 22H2 (Build 22621.1413)

Case 1: Shields Enabled (Default) - PASSED

1. Install 1.51.79
2. launch Brave
3. attached/inserted couple of USB devices to the laptop (keyboard, docking station)
4. visited https://dev-pages.brave.software/fingerprinting/devices.html in a new tab
5. keep the Shileds Up in the Shields panel
6. clicked on Query new device button in the WebUSB Serial number
7. selected Unknown device from Via Labs., Inc. and clicked connect
8. selected Unknown device from Chicony Electronics Co. Ltd. and clicked connect
9. selected ERGOKEY USB keyboard and clicked connect
10. clicked Query previously connected devices for the list of devices that are paired

Confirmed serial numbers are randomized for selected USB devices

Confirmed different serial numbers are shown on both test domains (Site 1 & Site 2)

Site 1: https://dev-pages.brave.software/fingerprinting/devices.html

ex	ex	ex	ex	ex

Site 2: https://dev-pages.bravesoftware.com/fingerprinting/devices.html

ex	ex	ex	ex

Case 2: Shields Down (Disabled) - PASSED

1. toggle Off in the Shields
2. click Other site for Disabled
3. follow steps from 5-9 steps Case 1

Confirmed serial numbers same on both test domains

Site 1: https://dev-pages.brave.software/fingerprinting/devices.html

ex	ex	ex

Site 2: https://dev-pages.bravesoftware.com/fingerprinting/devices.html

ex	ex

[pes10k]

This is an issue in the test, not the implementation. I'll fix the test but what your seeing reflects the feature working as expected. Please do not let this block the QA process

[pes10k]

(btw, the test should be fixed now)

[MadhaviSeelam]

@pes10k: thanks for the fix on test site (figured that could be). However, I have a question on Disabled scenario. Where would I disable them? I see Blocked setting but NOT Disable brave://settings/content/siteDetails?site=https%3A%2F%2Fdev-pages.brave.software. Is there a different place where I should be disabling?

ex	ex	ex

[pes10k]

@MadhaviSeelam if you want to remove access for these devices to this site, I think the only open you have in the "reset permission" button (or to clear all site storage for the site).

But for the test, by disabled, i mean shields disabled, not the USB devices disabled

[MadhaviSeelam]

@pes10k thank you! Didn't test with Shields Down but looked at Allow Finger printing while Shields Up. Wasn't sure that was the scenario to be tested. Now I see Allow Finger printing and Shields Disabled have same values.
Please review my verification notes if you don't mind.

[pes10k]

That all looks good and correct and expected. Thanks!

[stephendonner]

Sorry - tried to find a USB device which has/emits a serial #, but out of the only 6 I've tried and found at home so far, none have 🤷‍♂️ - @LaurenWags mind trying?

[LaurenWags]

Verified with

Brave | 1.51.87 Chromium: 112.0.5615.49 (Official Build) beta (x86_64)
-- | --
Revision | bd2a7bcb881c11e8cfe3078709382934e3916914-refs/branch-heads/5615@{#936}
OS | macOS Version 13.3.1 (Build 22E261)

Reproduced the issue using 1.50.114 on Release channel.
Saw same serial number for webcam on both test sites listed below with default shield settings.

Case 1: Shields Enabled (Default) - InProgress

1. Install 1.51.x
2. launch Brave
3. attached/inserted couple of USB devices to the laptop (keyboard, docking station)
4. visited https://dev-pages.brave.software/fingerprinting/devices.html in a new tab
5. keep the Shields Up in the Shields panel
6. clicked on "Query new device" button in the WebUSB Serial number
7. selected my webcam and clicked connect

Confirmed serial numbers are randomized for selected USB devices

Confirmed different serial numbers are shown on both test domains (Site 1 & Site 2)

Site 1: https://dev-pages.brave.software/fingerprinting/devices.html
Site 2: https://dev-pages.bravesoftware.com/fingerprinting/devices.html

Site 1	Site 2

Case 2: Shields Down (Disabled) - PASSED

1. toggled Shields Off for both Site 1
2. clicked on "Query new device" button in the WebUSB Serial number
3. selected my webcam and clicked connect
4. repeated above steps for Site 2

Confirmed serial numbers same on both test domains

Site 1	Site 2

---

Verification passed on

Brave	1.51.107 Chromium: 113.0.5672.63 (Official Build) (64-bit)
Revision	0e1a4471d5ae5bf128b1bd8f4d627c8cbd55f70c-refs/branch-heads/5672@{#912}
OS	Ubuntu 18.04 LTS

Case 1: Shields Enabled (Default) - PASSED

1. Install 1.51.x
2. launch Brave
3. attached/inserted couple of USB devices to the laptop (keyboard, docking station)
4. visited https://dev-pages.brave.software/fingerprinting/devices.html in a new tab
5. keep the Shields Up in the Shields panel
6. clicked on "Query new device" button in the WebUSB Serial number
7. selected my webcam and clicked connect

Confirmed serial numbers are randomized for selected USB devices

Confirmed different serial numbers are shown on both test domains (Site 1 & Site 2)

Site 1: https://dev-pages.brave.software/fingerprinting/devices.html
Site 2: https://dev-pages.bravesoftware.com/fingerprinting/devices.html

Case 2: Shields Down (Disabled) - PASSED

1. toggled Shields Off for both Site 1
2. clicked on "Query new device" button in the WebUSB Serial number
3. selected my webcam and clicked connect
4. repeated above steps for Site 2

Confirmed serial numbers same on both test domains

[hffvld]

Verified on Google Pixel 6 and Galaxy Tab S8 using version(s):

Device/OS: 
- Google Pixel 6 [oriole-user 13 TQ2A.230405.003.E1 release-keys]
- SM-X700 Galaxy Tab S8 [gts8wifixx-user 13 TP1A.220624.014 release-keys]
Brave build: 1.51.109 Chromium: 113.0.5672.63 (Official Build) (64-bit)

---

Shields ON - PASS

STEPS:

1. Launch Brave
2. Connect USB device (I have USB-C earphones) to the phone
3. Open https://dev-pages.brave.software/fingerprinting/devices.html in a new tab
4. Keep the Shields ON in the Shields panel
5. In the "WebUSB Serial Number" section tap on the "Query new device" button
6. Select attached device > Connect
7. In the pop-up message "Allow Brave to access ?" tap OK
8. Repeat steps 3 - 7, but this time open https://dev-pages.bravesoftware.com/fingerprinting/devices.html

ACTUAL RESULTS:

• Verified that the Serial number for the attached device is randomized for both URLs when Shields turned ON

Phone 1	Phone 2	Tab 1	Tab 2

Shields OFF - PASS

STEPS:

1. Launch Brave
2. Connect USB device (I have USB-C earphones) to the phone
3. Open https://dev-pages.brave.software/fingerprinting/devices.html in a new tab
4. Turn OFF the Shields in the Shields panel
5. In the "WebUSB Serial Number" section tap on the "Query new device" button
6. Select attached device > Connect
7. In the pop-up message "Allow Brave to access ?" tap OK
8. Repeat steps 3 - 7, but this time open https://dev-pages.bravesoftware.com/fingerprinting/devices.html

ACTUAL RESULTS:

• Verified that the Serial number for the attached device is the same for both URLs when Shields turned OFF

Phone 1	Phone 2	Tab 1	Tab 2