July 17, 2013
Google Glass Security Glitch Found And Patched
Peter Suciu for redOrbit.com - Your Universe Online
Glass is designed to allow light in and for people to see through, but in the case of Google Glass it may have opened the door to a security vulnerability as well. The service is not even set for an official launch until the end of this year, but researchers at the mobile security firm Lookout reported that they have uncovered a vulnerability that could allow hackers to take control of the device using QR codes.
The device works much like a smartphone and can thus be used to read QR codes, which are used to direct a device to a particular website, WiFi network or Bluetooth device.
The problem, it seems, is that hackers could create a QR code that, once scanned by Google Glass, could open up the device to the hackers. This could then allow them to see all the connections running through the glasses-mounted computer. To gain this level of access, the hacker would have to create a QR code that would direct the user to an access point and give the hacker the ability to remotely control the eyewear device.
"Google took the pinnacle of smartphone technology and created a computer that you wear on your head," posted Marc Rogers on the Lookout blog. "Every time you take a photograph, Glass looks for data it can recognize - the most obvious are QR codes, a type of barcode that can contain everything from instructions to send an SMS or browse a website to configuration information that changes device settings. Google took advantage of this capability to create an easy way for a user to configure their Glass without needing a keyboard."
"This is where we identified a significant security problem," Rogers continued. "While it's useful to configure your Glass QR code and easily connect to wireless networks, it's not so great when other people can use those same QR codes to tell your Glass to connect to their WiFi Networks or their Bluetooth devices."
Lookout analyzed ways to produce QR codes based on configuration instructions and produced its own "malicious" QR codes. When these were photographed by an unsuspecting Glass user, the code forced Glass to connect silently to a "hostile" WiFi access point that Lookout controlled.
"That access point in turn allowed us to spy on the connections Glass made, from web requests to images uploaded to the Cloud," Rogers noted. "Finally, it also allowed us to divert Glass to a page on the access point containing a known Android 4.0.4 web vulnerability that hacked Glass as it browsed the page."
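The following is an added example, not code from the article, Lookout or Google, showing the defensive counterpart to the silent connection described above: a decoded QR payload that would change network settings is acted on only when the user deliberately started the scan and confirmed the network name. The `WIFI:` payload layout is the common convention for Wi-Fi QR codes and is an assumption here, since the article does not state the format Glass used; the function names and sample payloads are hypothetical.

```python
# Constructed sample payloads (not taken from the article).
SAMPLE_OPEN = r"WIFI:T:nopass;S:FreeAirport;;"
SAMPLE_WPA = r"WIFI:T:WPA;S:Cafe\;Guest;P:p\:w;;"

def split_unescaped(text, sep=";"):
    """Split on sep, honouring backslash escapes, and unescape each part."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])   # keep the escaped character literally
            i += 2
        elif ch == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    parts.append("".join(cur))
    return parts

def parse_wifi_payload(payload):
    """Return the fields of a 'WIFI:' payload, or None if it is not one."""
    if not payload.startswith("WIFI:"):
        return None
    fields = {}
    for part in split_unescaped(payload[len("WIFI:"):]):
        key, sep, value = part.partition(":")
        if sep and key in ("S", "T", "P", "H"):
            fields[key] = value
    return fields if fields.get("S") else None

def decide(payload, user_initiated, confirm):
    """Return 'ignore', 'reject' or 'connect' for one decoded QR payload."""
    net = parse_wifi_payload(payload)
    if net is None:
        return "ignore"    # not a network-configuration code
    if not user_initiated:
        return "reject"    # decoded from an ordinary photo: never reconfigure
    is_open = net.get("T", "nopass").lower() in ("", "nopass")
    # repr() makes control or look-alike whitespace in the SSID visible.
    prompt = "Join Wi-Fi %r%s?" % (net["S"], " (open, unencrypted)" if is_open else "")
    return "connect" if confirm(prompt) else "reject"
```

Here `confirm` stands in for whatever user prompt the device offers; the point is that a payload seen in a photo reaches the network stack only through that prompt.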
Google has been commended by Lookout Security for promptly addressing the problem.
"We want to get Glass into the hands of all sorts of people, listen to their feedback, see the inspirational ways they use the technology, and discover vulnerabilities that we can research and work to address before we launch Glass more broadly," a Google spokesperson told the Telegraph.
Google Glass is reportedly in the hands of some 10,000 so-called "Explorers," as a way to work out issues and prepare the glasses for a public launch.