Hacker Exposes Gaping Hole in Google Glasses With Nasty QR Codes
July 17, 2013 4:45 PM
comment(s) - last by
Wearable electronics are undiscovered country in terms of security research
are still in their
very early stages
in terms of commercialization, but already there’s been a fascinating attack on their security, demonstrated by Marc Rogers, the principal researcher at
Lookout Mobile Security
Mr. Rogers took Google Inc.’s (
a rather gaping hole in the device’s security.
Glass Explorer when it spots special
(square shaped barcode-like stickers for smartphones and tablets) automatically can perform certain functions, such as visiting a URL. But the trouble began when Google allowed the QR codes to be used as a setup tool, connecting the devices to a network over Wi-FI or BlueTooth.
The idea seemed clever, given that setup would otherwise be onerous due to lack of a keyboard (the Glass Explorer can take voice input, input from a small trackpad on the side of the glasses, and input from glyphs such as QR codes,
which it “sees”
). The issue was that Google never secured these setup-driven connection commands, allowing you to trick the glasses into visiting a nasty network.
By posting a malicious QR code, Mr. Rogers tricked the Android glasses wearable computer into connecting to his attack network. He showed that such an attack could be used to monitor (using the software tool
) or even take complete remote control of the device exploiting
known Android vulnerabilities
(Mr. Rogers’ attack used an Android 4.0.4 vulnerability).
After revealing the vulnerability to Google on May 16, with information on the attack, Mr. Rogers was impressed to see Google cover the hole by June 4, with the
XE6 firmware update
. That update fights the attack in different ways, including improving warning when connecting to a network via QR command. More significantly the update turns off auto-scanning for QR codes. Thus similar future attacks would require the user to first be choosing to scan an unknowingly malicious code, rather than the attack launching from a mere accidental glance at a malicious QR stuck somewhere.
While Mr. Rogers says he expects more vulnerabilities to be found in Google Glass Explorer before its public release, he’s impressed with Google’s patching time of under a month. He remarks, "This responsive turnaround indicates the depth of Google’s commitment to privacy and security for this device and set a benchmark for how connected things should be secured going forward."
A mere stray glance at a malicious QR code could trigger the exploit, pre-patch.
[Image Source: Slashgear]
He says that the experience has convinced him that by the time the wearable – currently
only available to developers
– is launched at a lower cost to consumers (likely in 2014) – consumers will "be able to trust Glass … because it has been tested."
As for what’s next for Lookout, he plans to next investigate connected cars,
, and smartwatches (such as Sony Corp.'s (
) for exploits. He expects more vulnerabilities to be found in such devices as companies try to work around the logistical hurdles of limited user interfaces, often turning to novel but risky solutions. But he argues consumers shouldn’t fear the "internet of things" industry trend, remarking, "There’s a risk that we will get a little bit scared by new things, and there’s a risk that we could miss out on cool things [as a result]."
This article is over a month old, voting and posting comments is disabled
7/17/2013 9:22:40 PM
What does the number of cases of alzheimers have to do with sitting in front of a computer or wearing google glass?
7/18/2013 7:01:13 AM
He's confusing sitting in front of a computer/glass 24/7 with sitting in front of soap operas & reality shows 24/7.
"Paying an extra $500 for a computer in this environment -- same piece of hardware -- paying $500 more to get a logo on it? I think that's a more challenging proposition for the average person than it used to be." -- Steve Ballmer
Dell Exploring Wearable Device Offering
July 5, 2013, 1:26 PM
Apple Looks to Trademark "iWatch" in Japan
July 1, 2013, 11:18 AM
Sony Announces 6.4" 2.2GHz Xperia Z Ultra Smartphone, SmartWatch 2
June 25, 2013, 8:37 AM
No Ogling With The Google Goggles: "Tits and Glass" App Banned
June 4, 2013, 2:30 PM
USPS Wants to be More Digital-Friendly
January 16, 2013, 9:52 AM
Quick Note: New "Windows" Branding for Microsoft's Smartphones is Leaked
September 15, 2014, 2:00 PM
Sony Abandons Android Upgrade Support for Year Old Xperia and 3 Others
September 15, 2014, 11:07 AM
Apple Racked Up 4 Million iPhone 6, iPhone 6 Plus Pre-orders Within 24 Hours
September 15, 2014, 9:54 AM
Despite Massive Failure of Apple Store Website, "Record Number" of iPhone 6 Pre-orders Received
September 12, 2014, 1:19 PM
Quick Note: Motorola Set to Release Unlocked, “Pure Edition” of Second Gen Moto X
September 12, 2014, 12:37 PM
Grand Theft Auto V for Xbox One, PS4 Launches Nov 18; PC Version Lands Jan 27
September 12, 2014, 9:04 AM
Most Popular Articles
Apple Announces 4.7" iPhone 6, 5.5" iPhone 6 Plus
September 9, 2014, 1:45 PM
Apple Announces Its Smartwatch: The $349 Apple Watch
September 9, 2014, 2:09 PM
Appalling Negligence: Decade-Old Windows XPe Holes Led to Home Depot Hack
September 8, 2014, 8:58 PM
T-Mobile Launches Un-carrier 7.0, Beefs Up Wi-Fi Calling
September 11, 2014, 2:56 PM
HTC Preps Nexus 9 With Nvidia K1 64-Bit "Denver" SoC, Android L Onboard
September 10, 2014, 10:21 PM
Latest Blog Posts
Space Terrorism is a Looming Threat For the United States
Apr 23, 2014, 7:47 PM
Facebook Aims to Provide Internet to "Every Person in the World" with Drones, Satellites
Apr 1, 2014, 10:20 AM
Retail Mobile Sites Experience Outages in Light of Simplexity's Bankruptcy
Mar 14, 2014, 8:48 AM
Tesla vs. BMW: Who Has the Safer EV?
Feb 1, 2014, 2:56 PM
Justice Leaks Details of Next HTC One Two Flagship Phone
Dec 5, 2013, 4:04 PM
More Blog Posts
Copyright 2014 DailyTech LLC. -
Terms, Conditions & Privacy Information