Google Glass Gets Patch To Avoid Hacks - InformationWeek

Google has patched a vulnerability that attackers could exploit via QR codes to take full control of the wearable Google Glass devices.

Computerized eyewear users, say hello to visually delivered exploits.

To wit, Google has patched a vulnerability in its wearable Google Glass devices -- best known for their optical, head-mounted displays with built-in cameras -- that could be exploited via QR codes to hack into and take full control of the devices.

The vulnerability, discovered by Lookout Security, was serious because it could be silently exploited to fully compromise a Glass device simply by leaving a malicious QR code where a Google Glass user might "see" it.

"Every time you take a photograph, Glass looks for data it can recognize -- the most obvious are QR codes, a type of barcode that can contain everything from instructions to send an SMS or browse a website, to configuration information that change device settings," said Marc Rogers, principal security researcher at mobile security firm Lookout, in a blog post. "Google took advantage of this capability to create an easy way for a user to configure their Glass without needing a keyboard."

But from a security standpoint, that counted as risky behavior. Because Glass was programmed to process every QR code that it detected, an attacker could abuse it by forcing the devices to connect to a malicious Wi-Fi access point or Bluetooth connection.

"We analyzed how to make QR codes based on configuration instructions and produced our own 'malicious' QR codes. When photographed by an unsuspecting Glass user, the code forced Glass to connect silently to a 'hostile' Wi-Fi access point that we controlled," Rogers said. "That access point in turn allowed us to spy on the connections Glass made, from Web requests to images uploaded to the cloud. Finally, it also allowed us to divert Glass to a page on the access point containing a known Android 4.0.4 Web vulnerability that hacked Glass as it browsed the page."

Lookout privately reported the details of the bug to Google on May 16. In short order, Google patched the flaw with Glass update XE6, which was released June 4 and automatically installed on all Glass devices. "Lookout recommended that Google limit QR code execution to points where the user has solicited it," said Rogers. "Google's changes reflected this recommendation."
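The recommendation above, handling configuration QR codes only when the user has asked for a scan, can be sketched as a policy gate in front of the parser. This is an added example, not Google's or Lookout's code: the page does not say how Glass encoded its settings, so the widely used `WIFI:S:...;T:...;P:...;;` payload format is assumed, and all names (`ScanContext`, `handle_qr`, and so on) are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

class ScanContext(Enum):
    PASSIVE_PHOTO = 1    # QR code merely appeared in a photo the user took
    USER_SOLICITED = 2   # user opened a setup screen and asked to scan

class Decision(Enum):
    IGNORE = 1
    APPLY = 2

@dataclass
class WifiConfig:
    ssid: str
    auth: str
    password: str

def _split_fields(body: str) -> List[str]:
    # Split on ';' while honouring backslash escapes inside values.
    fields, cur, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == ";":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return fields + (["".join(cur)] if cur else [])

def parse_wifi_payload(payload: str) -> Optional[WifiConfig]:
    # Assumed format: WIFI:S:<ssid>;T:<auth>;P:<password>;;
    if not payload.startswith("WIFI:"):
        return None
    kv = dict(f.partition(":")[::2] for f in _split_fields(payload[5:]) if ":" in f)
    if not kv.get("S"):
        return None  # malformed: no SSID, refuse rather than guess
    return WifiConfig(kv["S"], kv.get("T", "nopass"), kv.get("P", ""))

def handle_qr(payload: str, context: ScanContext) -> Tuple[Decision, Optional[WifiConfig]]:
    # The gate runs before any parsing: unsolicited codes are never interpreted.
    if context is not ScanContext.USER_SOLICITED:
        return Decision.IGNORE, None
    cfg = parse_wifi_payload(payload)
    return (Decision.APPLY, cfg) if cfg else (Decision.IGNORE, None)
```

Because the context check comes first, a code that merely appears in a photo is dropped without being parsed, which is the behaviour the pre-patch firmware lacked.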

While the Glass QR vulnerability was discovered by security researchers -- and only exploited in a lab -- in the real world, attackers are already using fake QR codes as part of attacks. Most frequently, this involves tricking people into scanning the codes with their smartphone in exchange for the promise of free cash or other incentives, Jim Butterworth, CSO of security software and consulting firm HBGary, said in late 2012, while rounding up his predictions for the top information security trends to beware this year. "It's scary: [attackers] use open-source QR generators, then they put these things on billboards or ATM machines, promising $100 if you open a new account -- and it's all just to exploit [consumers]," he said.

Obviously, the Glass exploit would have eliminated the need for social engineering -- a.k.a. tricking -- targets. But it's a reminder that using smartphones to scan publicly encountered QR codes remains risky.
