7/17/2013
10:59 AM

Google Glass Gets Patch To Avoid Hacks

Google has patched a vulnerability that attackers could exploit via QR codes to take full control of the wearable Google Glass devices.

Computerized eyewear users, say hello to visually delivered exploits.

To wit, Google has patched a vulnerability in its wearable Google Glass devices -- best known for their optical, head-mounted displays with built-in cameras -- that could be exploited via QR codes to hack into and take full control of the devices.

The vulnerability, discovered by Lookout Security, was serious because it could be silently exploited to fully compromise a Glass device simply by leaving a malicious QR code where a Google Glass user might "see" it.

"Every time you take a photograph, Glass looks for data it can recognize -- the most obvious are QR codes, a type of barcode that can contain everything from instructions to send an SMS or browse a website, to configuration information that changes device settings," said Marc Rogers, principal security researcher at mobile security firm Lookout, in a blog post. "Google took advantage of this capability to create an easy way for a user to configure their Glass without needing a keyboard."


But from a security standpoint, that counted as risky behavior. Because Glass was programmed to process every QR code that it detected, an attacker could abuse it by forcing the devices to connect to a malicious Wi-Fi access point or Bluetooth connection.

"We analyzed how to make QR codes based on configuration instructions and produced our own 'malicious' QR codes. When photographed by an unsuspecting Glass user, the code forced Glass to connect silently to a 'hostile' Wi-Fi access point that we controlled," Rogers said. "That access point in turn allowed us to spy on the connections Glass made, from Web requests to images uploaded to the cloud. Finally, it also allowed us to divert Glass to a page on the access point containing a known Android 4.0.4 Web vulnerability that hacked Glass as it browsed the page."

Lookout privately reported the details of the bug to Google on May 16. In short order, Google patched the flaw with Glass update XE6, which was released June 4 and automatically installed on all Glass devices. "Lookout recommended that Google limit QR code execution to points where the user has solicited it," said Rogers. "Google's changes reflected this recommendation."
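
The fix Lookout recommended, acting on a QR code only when the user has asked to scan one, can be sketched as a policy gate in front of the decoder. This is an added example, not Google's or Lookout's code: the `WIFI:` and `SMSTO:` payload layouts follow common ZXing-style conventions as a stand-in (the article does not describe Glass's configuration format), and `ScanContext`, `parse_wifi` and `decide` are hypothetical names.

```python
# Added illustration: payload formats are an assumed stand-in, names are hypothetical.
from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlsplit

class Action(Enum):
    IGNORE = "ignore"    # drop the payload, apply nothing
    CONFIRM = "confirm"  # show the user what would happen and ask first
    SHOW = "show"        # inert text, safe to display

@dataclass
class ScanContext:
    user_initiated: bool  # True only when the user opened a "scan code" flow

def parse_wifi(payload: str) -> dict:
    """Parse 'WIFI:S:<ssid>;T:<auth>;P:<pass>;;', honouring backslash escapes."""
    fields, key, buf, esc = {}, None, [], False
    for ch in payload[len("WIFI:"):]:
        if esc:
            buf.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ":" and key is None:
            key, buf = "".join(buf), []
        elif ch == ";":
            if key:
                fields[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(ch)
    return fields

def decide(payload: str, ctx: ScanContext) -> tuple:
    """Return (Action, detail) for one decoded QR payload."""
    if not ctx.user_initiated:
        # Codes that merely appear in a photo are never acted on.
        return Action.IGNORE, "scan not requested by user"
    head = payload[:8].upper()
    if head.startswith("WIFI:"):
        net = parse_wifi(payload)
        if not net.get("S"):
            return Action.IGNORE, "malformed Wi-Fi payload"
        auth = net.get("T", "nopass")
        return Action.CONFIRM, f"join Wi-Fi '{net['S']}' (auth: {auth})"
    if head.startswith("SMSTO:"):
        return Action.CONFIRM, "send an SMS"
    if head.startswith(("HTTP://", "HTTPS://")):
        return Action.CONFIRM, f"open {urlsplit(payload).hostname}"
    return Action.SHOW, payload
```

Even in a user-initiated scan, anything that changes network state or opens a page returns `CONFIRM` with the SSID or host, so the wearer sees what the code would do before it is applied.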

While the Glass QR vulnerability was discovered by security researchers -- and only exploited in a lab -- in the real world, attackers are already using fake QR codes as part of attacks. Most frequently, this involves tricking people into scanning the codes with their smartphone in exchange for the promise of free cash or other incentives, Jim Butterworth, CSO of security software and consulting firm HBGary, said in late 2012, while rounding up his predictions for the top information security trends to beware this year. "It's scary: [attackers] use open-source QR generators, then they put these things on billboards or ATM machines, promising $100 if you open a new account -- and it's all just to exploit [consumers]," he said.

Obviously, the Glass exploit would have eliminated the need for social engineering -- a.k.a. tricking -- targets. But it's a reminder that using smartphones to scan publicly encountered QR codes remains risky.

Comments
Bart Riley,
User Rank: Apprentice
7/17/2013 | 5:03:46 PM
re: Google Glass Gets Patch To Avoid Hacks
The real question is....who cares? Glass is a joke for any real application, and early adopters know that there are risks. The 100 people that use Glass get hacked....not a serious impact on the world.
TreeInMyCube,
User Rank: Apprentice
7/17/2013 | 8:34:07 PM
re: Google Glass Gets Patch To Avoid Hacks
It sounds more like an idea for a movie, "The Glance of Doom". Earnest young man, "No, Britney, don't look at it." "Look at what? This?" Screams ensue as her Glass projects an image of blood trickling down the lenses. LOL
classicalduck,
User Rank: Apprentice
7/17/2013 | 9:42:47 PM
re: Google Glass Gets Patch To Avoid Hacks
I'm waiting for someone to hack it to change the wake-up phrase from "OK Glass" to "Go Go Gadget."
Cara Latham,
User Rank: Apprentice
7/18/2013 | 12:35:09 PM
re: Google Glass Gets Patch To Avoid Hacks
This is why even with my smartphone, I hardly ever scan QR codes. How do people still fall for the "free cash" promise?
moarsauce123,
User Rank: Ninja
7/19/2013 | 11:31:41 AM
re: Google Glass Gets Patch To Avoid Hacks
I hate QR codes, they look ugly and you have no idea where they take you. As far as Google Glass goes, that would be my least concern. I like to know how quickly the NSA can access live feeds from Google Glasses. That's way cheaper and more intrusive than PTZ cameras all over the place.