Wearable electronics are undiscovered country in terms of security research

Wearable electronics are still in their very early stages in terms of commercialization, but already there’s been a fascinating attack on their security, demonstrated by Marc Rogers, the principal researcher at Lookout Mobile Security.
Mr. Rogers took Google Inc.’s (GOOG) Glass Explorer and exposed a rather gaping hole in the device’s security.

When Glass Explorer spots special QR codes (square barcode-like stickers read by smartphones and tablets), it can automatically perform certain functions, such as visiting a URL. But the trouble began when Google allowed the QR codes to be used as a setup tool, connecting the device to a network over Wi-Fi or Bluetooth.
The idea seemed clever, given that setup would otherwise be onerous due to the lack of a keyboard (the Glass Explorer can take voice input, input from a small trackpad on the side of the glasses, and input from glyphs such as QR codes, which it “sees”). The issue was that Google never secured these setup-driven connection commands, so the glasses could be tricked into connecting to a hostile network.

By posting a malicious QR code, Mr. Rogers tricked the Android-based wearable computer into connecting to his attack network. He showed that such an attack could be used to monitor the device (using the software tool SSLstrip) or even to take complete remote control of it by exploiting known Android vulnerabilities (Mr. Rogers’ attack used an Android 4.0.4 vulnerability).

After revealing the vulnerability to Google on May 16, with information on the attack, Mr. Rogers was impressed to see Google cover the hole by June 4 with the XE6 firmware update. That update fights the attack in different ways, including an improved warning when connecting to a network via a QR command. More significantly, the update turns off auto-scanning for QR codes. Similar future attacks would thus require the user to first choose to scan a code without knowing it is malicious, rather than launching from a mere accidental glance at a malicious QR code stuck somewhere.
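The two mitigations described above (nothing happens unless the user asked for a scan, and a network join waits behind a warning) can be modelled as a small policy check. This is an added example, not Google's code: the article does not give the payload format Glass used, so the common `WIFI:S:...;T:...;P:...;;` QR convention is assumed, and `parse_wifi_payload`, `decide` and `Decision` are hypothetical names.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Decision:
    action: str    # "join_wifi", "open_url" or "ignore"
    allowed: bool  # True only when the device may act now
    reason: str    # text for the on-device prompt or log

def parse_wifi_payload(payload):
    """Parse 'WIFI:S:<ssid>;T:<auth>;P:<key>;;' (assumed format) into a dict."""
    fields = {}
    # Fields end at an unescaped ';'; a backslash escapes the next character.
    for part in re.findall(r"(?:\\.|[^;\\])+", payload[len("WIFI:"):]):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.upper()] = re.sub(r"\\(.)", r"\1", value)
    return fields

def decide(payload, user_initiated, user_confirmed=False):
    """Apply both mitigations: no auto-scan, and a warning before joining."""
    if not user_initiated:
        # A code that merely entered the camera's view must trigger nothing.
        return Decision("ignore", False, "auto-scan is off")
    if payload[:5].upper() == "WIFI:":
        net = parse_wifi_payload(payload)
        ssid = net.get("S", "")
        if not ssid:
            return Decision("ignore", False, "malformed network payload")
        kind = "open" if net.get("T", "nopass").lower() == "nopass" else "secured"
        if not user_confirmed:
            # Name the network in the warning so the user can refuse it.
            return Decision("join_wifi", False,
                            f"confirm joining {kind} network {ssid!r}")
        return Decision("join_wifi", True,
                        f"user approved {kind} network {ssid!r}")
    if re.match(r"https?://", payload, re.IGNORECASE):
        return Decision("open_url", True, "user-requested scan of a URL")
    return Decision("ignore", False, "unsupported payload")

# Constructed sample payload, not captured from a real device.
SAMPLE = r"WIFI:S:Free\;Cafe;T:nopass;;"

if __name__ == "__main__":
    print(decide(SAMPLE, user_initiated=False))
    print(decide(SAMPLE, user_initiated=True))
    print(decide(SAMPLE, user_initiated=True, user_confirmed=True))
```

The pre-patch behaviour corresponds to treating every sighting as user-initiated and already confirmed, which is the path a stray glance took.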

While Mr. Rogers says he expects more vulnerabilities to be found in Google Glass Explorer before its public release, he’s impressed with Google’s patching time of under a month.  He remarks, "This responsive turnaround indicates the depth of Google’s commitment to privacy and security for this device and set a benchmark for how connected things should be secured going forward."

QR Glass Exploit
A mere stray glance at a malicious QR code could trigger the exploit, pre-patch.
[Image Source: Slashgear]

He says the experience has convinced him that by the time the wearable, currently available only to developers, is launched at a lower cost to consumers (likely in 2014), consumers will "be able to trust Glass … because it has been tested."

As for what’s next for Lookout, he plans to investigate connected cars, environmental controls, and smartwatches (such as Sony Corp.'s (TYO:6758) SmartWatch 2) for exploits. He expects more vulnerabilities to be found in such devices as companies try to work around the logistical hurdles of limited user interfaces, often turning to novel but risky solutions. But he argues consumers shouldn’t fear the "internet of things" industry trend, remarking, "There’s a risk that we will get a little bit scared by new things, and there’s a risk that we could miss out on cool things [as a result]."

Sources: YouTube, SlashGear

Comments

Let me upgrade me
By powerwerds on 7/17/2013 5:57:23 PM , Rating: 2
These glasses are inspiring for sure. I can't wait till this type of product is an actual eye ball upgrade. Either you'd be switching out one or both of your eyes to machine retina, or you'd be doing a little hot swap where a small cylindrical PC pops in or out of the center of your eye. The little PC takes care of all your digital functions such as your eye display, full multimedia export to any networked device you come across, downloading anything you needed, video recording, phone, in head audio, and that's just all way beyond the basic entry level device.

RE: Let me upgrade me
By MasterBlaster7 on 7/17/2013 8:03:57 PM , Rating: 5
go first.

RE: Let me upgrade me
By Motoman on 7/17/2013 8:35:17 PM , Rating: 4
Someone's been watching too much anime.

RE: Let me upgrade me
By Reclaimer77 on 7/17/2013 8:46:51 PM , Rating: 3
I know someone is working on a Google-glass type interface that utilizes contact lenses. That's as far as I'm willing to go. Straight up cyber-eyes? NO way lol.

RE: Let me upgrade me
By Argon18 on 7/18/2013 2:24:04 PM , Rating: 2
or Blade Runner.

RE: Let me upgrade me
By inighthawki on 7/17/2013 9:19:41 PM , Rating: 2
They have implantable contact lenses these days that sit underneath the cornea. Equipped with small enough electronics and some way to wirelessly communicate data, such a device could be feasible in the very near future and pose no health threat. These lenses are already removable with no permanent changes to the eye.

RE: Let me upgrade me
By crazy1 on 7/18/2013 7:55:06 AM , Rating: 2
There was research into using Pico projector technology to project images directly on the eyeball to cover your entire field of view. It was aimed at virtual reality gaming, but it could probably be modified to project notifications in your peripheral, and leave the rest of your vision alone. Unfortunately, the device would still probably look something like Google Glass.

RE: Let me upgrade me
By inperfectdarkness on 7/19/2013 12:47:24 PM , Rating: 2
I'm thinking about getting metal legs. It's a risky operation, but it'll be worth it.
