Researchers find, Google fixes Glass hijack flaw
Google Glass is scheduled to be made widely available to regular consumers by the end of this year, so the Internet giant has still time to fix the most obvious security flaws before handing the device to undiscerning users.
One of these vulnerabilities is the one recently found by Lookout researchers and fixed by Google in less than 20 days, and concerns Glass’ ability to recognize and read QR codes.
“Every time you take a photograph, Glass looks for data it can recognize – the most obvious are QR codes, a type of barcode that can contain everything from instructions to send an SMS or browse a website to configuration information that change device settings,” the researchers explained.
Google believed that they found a good and easy way for users to configure their Glass devices, but the researchers have demonstrated that the same method can be misused by malicious individuals to hijack them.
“When photographed by an unsuspecting Glass user, the code forced Glass to connect silently to a ‘hostile’ WiFi access point that we controlled. That access point in turn allowed us to spy on the connections Glass made, from web requests to images uploaded to the Cloud,” they shared.
They were also ultimately able to divert Glass to a page on the access point containing a known Android 4.0.4 web vulnerability that hacked Glass as it browsed the page, and ultimately to gain control over the device via web.
The researchers notified Google of the vulnerability mid-May, and the company fixed the issue by early June by taking into consideration the recommendations made by Lookout. The Glass’ camera is now able to identify QR codes only if the user changes the settings in order to allow it.
“The Internet of Things heralds a new era of technology—a future where everything is connected and we can interact with information in more intimate ways than ever before. By getting this right, we open up a world of new possibilities. By getting it wrong, we risk crippling it before that potential is ever realized,” says Lookout’s Marc Rogers.
He pointed out that companies with roots in software engineering are likely to be more adept at vulnerability identification and patching of a variety of devices connected to the Internet.
“Historically, software running on embedded devices has been called firmware and is usually installed at the time the device is manufactured and rarely, if ever, updated. We have a long way to go if we want to create a process which can manage the vulnerabilities found in billions of connected things.”