Google Glass Gets Patch To Avoid Hacks - InformationWeek

Google Glass Gets Patch To Avoid Hacks

Google has patched a vulnerability that attackers could exploit via QR codes to take full control of the wearable Google Glass devices.

Computerized eyewear users, say hello to visually delivered exploits.

To wit, Google has patched a vulnerability in its wearable Google Glass devices -- best known for their optical, head-mounted displays with built-in cameras -- that could be exploited via QR codes to hack into and take full control of the devices.

The vulnerability, discovered by Lookout Security, was serious because it could be silently exploited to fully compromise a Glass device simply by leaving a malicious QR code where a Google Glass user might "see" it.

"Every time you take a photograph, Glass looks for data it can recognize -- the most obvious are QR codes, a type of barcode that can contain everything from instructions to send an SMS or browse a website, to configuration information that change device settings," said Marc Rogers, principal security researcher at mobile security firm Lookout, in a blog post. "Google took advantage of this capability to create an easy way for a user to configure their Glass without needing a keyboard."


But from a security standpoint, that counted as risky behavior. Because Glass was programmed to process every QR code that it detected, an attacker could abuse it by forcing the devices to connect to a malicious Wi-Fi access point or Bluetooth connection.

"We analyzed how to make QR codes based on configuration instructions and produced our own 'malicious' QR codes. When photographed by an unsuspecting Glass user, the code forced Glass to connect silently to a 'hostile' Wi-Fi access point that we controlled," Rogers said. "That access point in turn allowed us to spy on the connections Glass made, from Web requests to images uploaded to the cloud. Finally, it also allowed us to divert Glass to a page on the access point containing a known Android 4.0.4 Web vulnerability that hacked Glass as it browsed the page."

Lookout privately reported the details of the bug to Google on May 16. In short order, Google patched the flaw with Glass update XE6, which was released June 4 and automatically installed on all Glass devices. "Lookout recommended that Google limit QR code execution to points where the user has solicited it," said Rogers. "Google's changes reflected this recommendation."
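
The recommendation above, limiting QR code execution to points where the user has solicited it, can be sketched as follows. This is an added example, not Google's or Lookout's code: the article does not give Glass's configuration format, so the widely used `WIFI:` QR payload convention stands in for it, and all function and type names are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional

SAMPLE = r"WIFI:T:WPA;S:ExampleNet;P:pa\;ss;;"  # constructed sample payload


class ScanContext(Enum):
    PASSIVE_PHOTO = auto()    # code just happened to be in a photo
    USER_SOLICITED = auto()   # user opened a "scan to set up" screen


@dataclass(frozen=True)
class WifiConfig:
    ssid: str
    auth: str
    password: str


def parse_wifi_qr(payload: str) -> Optional[WifiConfig]:
    """Parse 'WIFI:T:<auth>;S:<ssid>;P:<password>;;', honouring '\\' escapes."""
    if not payload.startswith("WIFI:"):
        return None
    fields, current, escaped = [], "", False
    for ch in payload[len("WIFI:"):]:
        if escaped:
            current, escaped = current + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ";":
            fields.append(current)
            current = ""
        else:
            current += ch
    kv = dict(f.split(":", 1) for f in fields if ":" in f)
    if not kv.get("S"):
        return None               # no SSID: nothing to configure
    return WifiConfig(kv["S"], kv.get("T", "nopass"), kv.get("P", ""))


def handle_qr_before_fix(payload: str, context: ScanContext) -> str:
    """Behaviour the article describes: every recognised code is acted on."""
    cfg = parse_wifi_qr(payload)
    return f"join {cfg.ssid}" if cfg else "ignore"


def handle_qr_after_fix(payload: str, context: ScanContext) -> str:
    """Configuration codes are honoured only in a user-solicited scan."""
    cfg = parse_wifi_qr(payload)
    if cfg is None:
        return "ignore"
    if context is not ScanContext.USER_SOLICITED:
        return "blocked"
    return f"join {cfg.ssid}"
```

The same payload is acted on in both contexts by the first handler, while the second rejects it unless the scan was explicitly started by the user.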

While the Glass QR vulnerability was discovered by security researchers -- and only exploited in a lab -- in the real world, attackers are already using fake QR codes as part of attacks. Most frequently, this involves tricking people into scanning the codes with their smartphone in exchange for the promise of free cash or other incentives, Jim Butterworth, CSO of security software and consulting firm HBGary, said in late 2012, while rounding up his predictions for the top information security trends to beware this year. "It's scary: [attackers] use open-source QR generators, then they put these things on billboards or ATM machines, promising $100 if you open a new account -- and it's all just to exploit [consumers]," he said.

Obviously, the Glass exploit would have eliminated the need for social engineering -- a.k.a. tricking -- targets. But it's a reminder that using smartphones to scan publicly encountered QR codes remains risky.

User Rank: Ninja
7/19/2013 | 11:31:41 AM
re: Google Glass Gets Patch To Avoid Hacks
I hate QR codes, they look ugly and you have no idea where they take you. As far as Google Glass goes, that would be my least concern. I like to know how quickly the NSA can access live feeds from Google Glasses. That's way cheaper and more intrusive than PTZ cameras all over the place.
Cara Latham,
User Rank: Apprentice
7/18/2013 | 12:35:09 PM
re: Google Glass Gets Patch To Avoid Hacks
This is why even with my smartphone, I hardly ever scan QR codes. How do people still fall for the "free cash" promise?
User Rank: Apprentice
7/17/2013 | 9:42:47 PM
re: Google Glass Gets Patch To Avoid Hacks
I'm waiting for someone to hack it to change the wake-up phrase from "OK Glass" to "Go Go Gadget."
User Rank: Apprentice
7/17/2013 | 8:34:07 PM
re: Google Glass Gets Patch To Avoid Hacks
It sounds more like an idea for a movie, "The Glance of Doom". Earnest young man, "No, Britney, don't look at it." "Look at what? This?" Screams ensue as her Glass projects an image of blood trickling down the lenses. LOL
Bart Riley,
User Rank: Apprentice
7/17/2013 | 5:03:46 PM
re: Google Glass Gets Patch To Avoid Hacks
The real question is....who cares? Glass is a joke for any real application, and early adopters know that there are risks. The 100 people that use Glass get hacked....not a serious impact on the world.