Google has patched a vulnerability that attackers could exploit via QR codes to take full control of the wearable Google Glass devices.
Google I/O: 10 Key Developments
(click image for larger view and for slideshow)
Computerized eyewear users, say hello to visually delivered exploits.
To wit, Google has patched a vulnerability in its wearable Google Glass devices -- best known for their optical, head-mounted displays with built-in cameras -- that could be exploited via QR codes to hack into and take full control of the devices.
The vulnerability, discovered by Lookout Security, was serious because it could be silently exploited to fully compromise a Glass device simply by leaving a malicious QR code where a Google glass user might "see" it.
"Every time you take a photograph, Glass looks for data it can recognize -- the most obvious are QR codes, a type of barcode that can contain everything from instructions to send an SMS or browse a website, to configuration information that change device settings," said Marc Rogers, principal security researcher at mobile security firm Lookout, in a blog post. "Google took advantage of this capability to create an easy way for a user to configure their Glass without needing a keyboard."
But from a security standpoint, that counted as risky behavior. Because Glass was programmed to process every QR code that it detected, an attacker could abuse it by forcing the devices to connect to a malicious Wi-Fi access point or Bluetooth connection.
"We analyzed how to make QR codes based on configuration instructions and produced our own 'malicious' QR codes. When photographed by an unsuspecting Glass user, the code forced Glass to connect silently to a 'hostile' Wi-Fi access point that we controlled," Rogers said. "That access point in turn allowed us to spy on the connections Glass made, from Web requests to images uploaded to the cloud. Finally, it also allowed us to divert Glass to a page on the access point containing a known Android 4.0.4 Web vulnerability that hacked Glass as it browsed the page."
Lookout privately reported the details of the bug to Google on May 16. In short order, Google patched the flaw with Glass update XE6, which was released June 4 and automatically installed on all Glass devices. "Lookout recommended that Google limit QR code execution to points where the user has solicited it," said Rogers. "Google's changes reflected this recommendation."
While the Glass QR vulnerability was discovered by security researchers -- and only exploited in a lab -- in the real world, attackers are already using fake QR codes as part of attacks. Most frequently, this involves tricking people into scanning the codes with their smartphone in exchange for the promise of free cash or other incentives, Jim Butterworth, CSO of security software and consulting firm HBGary, said in late 2012, while rounding up his predictions for the top information security trends to beware this year. "It's scary: [attackers] use open-source QR generators, then they put these things on billboards or ATM machines, promising $100 if you open a new account -- and it's all just to exploit [consumers]," he said.
Obviously, the Glass exploit would have eliminated the need for social engineering -- a.k.a. tricking -- targets. But it's a reminder that using smartphones to scan publicly encountered QR codes remains risky.
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.