Google Glass Gets Patch To Avoid Hacks - InformationWeek


Google Glass Gets Patch To Avoid Hacks

Google has patched a vulnerability that attackers could exploit via QR codes to take full control of the wearable Google Glass devices.

Computerized eyewear users, say hello to visually delivered exploits.

To wit, Google has patched a vulnerability in its wearable Google Glass devices -- best known for their optical, head-mounted displays with built-in cameras -- that could be exploited via QR codes to hack into and take full control of the devices.

The vulnerability, discovered by Lookout Security, was serious because it could be silently exploited to fully compromise a Glass device simply by leaving a malicious QR code where a Google Glass user might "see" it.

"Every time you take a photograph, Glass looks for data it can recognize -- the most obvious are QR codes, a type of barcode that can contain everything from instructions to send an SMS or browse a website, to configuration information that changes device settings," said Marc Rogers, principal security researcher at mobile security firm Lookout, in a blog post. "Google took advantage of this capability to create an easy way for a user to configure their Glass without needing a keyboard."


But from a security standpoint, that counted as risky behavior. Because Glass was programmed to process every QR code that it detected, an attacker could abuse it by forcing the devices to connect to a malicious Wi-Fi access point or Bluetooth connection.

"We analyzed how to make QR codes based on configuration instructions and produced our own 'malicious' QR codes. When photographed by an unsuspecting Glass user, the code forced Glass to connect silently to a 'hostile' Wi-Fi access point that we controlled," Rogers said. "That access point in turn allowed us to spy on the connections Glass made, from Web requests to images uploaded to the cloud. Finally, it also allowed us to divert Glass to a page on the access point containing a known Android 4.0.4 Web vulnerability that hacked Glass as it browsed the page."

Lookout privately reported the details of the bug to Google on May 16. In short order, Google patched the flaw with Glass update XE6, which was released June 4 and automatically installed on all Glass devices. "Lookout recommended that Google limit QR code execution to points where the user has solicited it," said Rogers. "Google's changes reflected this recommendation."
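The mitigation Rogers describes, acting on a configuration QR code only when the user has asked for it, can be sketched as follows. This is an added illustration, not code from Google, Lookout or the article; the `Device` class, the handler names and the `WIFI:` text convention used as the payload format are assumptions, since the article does not give Glass's actual configuration format.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Device:
    """Hypothetical stand-in for the headset's settings state."""
    setup_mode: bool = False                      # True only while the user has opened a setup screen
    joined: list = field(default_factory=list)    # networks the device was told to join
    ignored: list = field(default_factory=list)   # config codes seen but not acted on

def parse_wifi_qr(text):
    """Parse 'WIFI:S:<ssid>;T:<auth>;P:<pass>;;' (assumed format) into a dict, else None."""
    if not text.startswith("WIFI:"):
        return None
    fields = {}
    for part in re.split(r"(?<!\\);", text[5:]):  # split on unescaped semicolons
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key] = re.sub(r"\\(.)", r"\1", value)  # drop escape backslashes
    return fields if "S" in fields else None

def handle_photo_unpatched(device, decoded_qr):
    """Behaviour the article describes before XE6: every recognised code is acted on."""
    cfg = parse_wifi_qr(decoded_qr)
    if cfg is None:
        return "no-op"
    device.joined.append(cfg["S"])
    return "joined"

def handle_photo_patched(device, decoded_qr):
    """Recommended behaviour: act on a config code only when the user solicited it."""
    cfg = parse_wifi_qr(decoded_qr)
    if cfg is None:
        return "no-op"
    if not device.setup_mode:
        device.ignored.append(cfg["S"])   # keep a record instead of changing settings
        return "ignored"
    device.joined.append(cfg["S"])
    return "joined"

# Constructed sample payload, as a QR decoder might return it from an ordinary photo.
SAMPLE = "WIFI:S:CafeGuest;T:WPA;P:example-pass;;"

if __name__ == "__main__":
    print(handle_photo_unpatched(Device(), SAMPLE))               # acted on silently
    print(handle_photo_patched(Device(), SAMPLE))                 # dropped: not solicited
    print(handle_photo_patched(Device(setup_mode=True), SAMPLE))  # user opened setup
```
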

While the Glass QR vulnerability was discovered by security researchers -- and only exploited in a lab -- in the real world, attackers are already using fake QR codes as part of attacks. Most frequently, this involves tricking people into scanning the codes with their smartphone in exchange for the promise of free cash or other incentives, Jim Butterworth, CSO of security software and consulting firm HBGary, said in late 2012, while rounding up his predictions for the top information security trends to beware this year. "It's scary: [attackers] use open-source QR generators, then they put these things on billboards or ATM machines, promising $100 if you open a new account -- and it's all just to exploit [consumers]," he said.

Obviously, the Glass exploit would have eliminated the need for social engineering -- a.k.a. tricking -- targets. But it's a reminder that using smartphones to scan publicly encountered QR codes remains risky.

User Rank: Ninja
7/19/2013 | 11:31:41 AM
re: Google Glass Gets Patch To Avoid Hacks
I hate QR codes, they look ugly and you have no idea where they take you. As far as Google Glass goes, that would be my least concern. I like to know how quickly the NSA can access live feeds from Google Glasses. That's way cheaper and more intrusive than PTZ cameras all over the place.
Cara Latham,
User Rank: Apprentice
7/18/2013 | 12:35:09 PM
re: Google Glass Gets Patch To Avoid Hacks
This is why even with my smartphone, I hardly ever scan QR codes. How do people still fall for the "free cash" promise?
User Rank: Apprentice
7/17/2013 | 9:42:47 PM
re: Google Glass Gets Patch To Avoid Hacks
I'm waiting for someone to hack it to change the wake-up phrase from "OK Glass" to "Go Go Gadget."
User Rank: Apprentice
7/17/2013 | 8:34:07 PM
re: Google Glass Gets Patch To Avoid Hacks
It sounds more like an idea for a movie, "The Glance of Doom". Earnest young man, "No, Britney, don't look at it." "Look at what? This?" Screams ensue as her Glass projects an image of blood trickling down the lenses. LOL
Bart Riley,
User Rank: Apprentice
7/17/2013 | 5:03:46 PM
re: Google Glass Gets Patch To Avoid Hacks
The real question is....who cares? Glass is a joke for any real application, and early adopters know that there are risks. The 100 people that use Glass get hacked....not a serious impact on the world.