QR Vulnerability Discovered in Google Glass

It was simply a matter of time before a defect was found in Google Glass, and it seems that time has arrived. According to mobile security firm Lookout, Google patched a QR vulnerability on the device that allowed hackers to access user data.

Lookout, which identified the vulnerability, says it disclosed the findings to Google on May 16. By June 4, the issue was fixed and all updates were released.

Google Glass is a new smartphone technology that users can wear on their head. The device is capable of translating foreign languages, identifying buildings and providing their history, all with one glance. Essentially, every time a photo is taken with Glass, the device looks for data it can recognize in order to relay the information back to the user.

The easiest data for Glass to recognize is a QR code, a barcode generally found on ads that can contain everything from instructions to send an SMS or browse a website to configuration information that changes device settings. Google took advantage of this capability to give users a new way to easily configure their Glass without needing a keyboard.

The issue with this, however, is that now the device is susceptible to potential security problems such as other people using QR codes to tell Glass to connect to their WiFi networks or Bluetooth devices. Unfortunately, in this case, this is precisely what Lookout found.

“We analyzed how to make QR codes based on configuration instructions and produced our own ‘malicious’ QR codes,” wrote Marc Rogers, principal security researcher at Lookout, in an official blog post. “When photographed by an unsuspecting Glass user, the code forced Glass to connect silently to a ‘hostile’ WiFi access point that we controlled.”

“That access point in turn allowed us to spy on the connection Glass made, from web requests to images uploaded to the cloud. Finally, it also allowed us to divert Glass to a page on the access point containing a known Android 4.0.4 web vulnerability that hacked Glass as it browsed the page,” Rogers added.

This method of delivery, according to Rogers, is unique only to Glass “as a consequence of it becoming a connected thing.”

Lookout says it suggested that Google limit QR code execution to points where the user has solicited it. The updates released reflect this recommendation, according to the firm.
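The recommendation above, acting on a QR code only when the user asked for a scan, can be sketched as follows. This is an added example, not Lookout's or Google's code: the `Source` values and function names are hypothetical, and the `WIFI:S:...;T:...;P:...;;` payload syntax is the common QR reader convention, assumed here because the article does not give Glass's own configuration format.

```python
from dataclasses import dataclass
from enum import Enum


class Source(Enum):
    PASSIVE_PHOTO = "passive_photo"  # QR code happened to be in a photo
    SETUP_SCREEN = "setup_screen"    # user opened setup and asked to scan


@dataclass
class Decision:
    action: str  # "apply" or "ignore"
    reason: str


def parse_wifi_payload(text):
    """Parse 'WIFI:S:<ssid>;T:<auth>;P:<pass>;;' (assumed format).

    Handles backslash-escaped ';' and ':' in values. Returns a dict, or
    None if the text is not a Wi-Fi payload or has no SSID.
    """
    if not text.startswith("WIFI:"):
        return None
    fields, key, buf, escaped = {}, None, [], False
    for ch in text[5:]:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ":" and key is None:
            key, buf = "".join(buf), []
        elif ch == ";":
            if key is not None:
                fields[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(ch)
    return fields if fields.get("S") else None


def handle_scan(text, source):
    """Decide what to do with a decoded QR payload."""
    if source is not Source.SETUP_SCREEN:
        # Unsolicited capture: never act on QR content, only record it.
        return Decision("ignore", "QR code seen in unsolicited capture")
    cfg = parse_wifi_payload(text)
    if cfg is None:
        return Decision("ignore", "setup scanner accepts only configuration payloads")
    return Decision("apply", "user-requested join of SSID %r" % cfg["S"])
```

The check on `source` comes before any parsing, so a code that merely appears in a photo is never interpreted as configuration, whatever it contains.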

The future of connected devices, however, doesn’t look so scary, as Google’s quick turnaround suggests a commitment to privacy and security.
