Flaw could have forced users to connect to malicious Wi-Fi, but Google has fixed it
A flaw in Google Glass could have seen malicious QR codes used to connect the wearable device to Wi-Fi networks or devices run by hackers, researchers revealed today, claiming their findings had wider implications for the Internet of Things.
Having lured the user onto a phoney network, hackers could have then siphoned off information or executed further attacks. But Google has now patched the vulnerability, so the current batch of testers won’t be affected if they’ve updated their Android glasses.
Yet researchers believe their findings show how easy it is to manipulate new devices that contribute to the Internet of Things – in which connected devices talk to one another and carry out actions autonomously, purportedly to make everything more efficient.
Researchers at Lookout Mobile Security produced their own nasty QR codes, which, when photographed by an unsuspecting Glass user, forced Glass to connect silently to a “hostile” Wi-Fi access point.
This meant they could pilfer data and even direct a Glass user to a page serving up a known Android 4.0.4 exploit that hacked Glass as it browsed the page.
The problem was that Google Glass could be told to execute a QR code without the user having to give permission, Marc Rogers, principal security researcher at Lookout, told TechWeekEurope.
“In theory, this is a great idea. It means that in the future, you could buy a cup of coffee just by looking at a menu, or if you were in a foreign country, the menu would automatically translate to your language if you had Glass on,” Rogers added.
“On the flip side, it takes control away from you, and opens a window of opportunity for an attacker. Exposing sensitive data, or managing important configuration settings should only happen at the wearer’s request.”
There remain security issues with Google Glass, highlighted by the Lookout research. In particular, the lack of a lock screen in Glass makes it vulnerable if left unattended.
Lookout believes its research shows how easy it is to find flaws in connected devices, and how badly the so-called Internet of Things needs protecting.
“Our finding sends a strong signal: the world needs to keep ‘things’ secure in the same way that we secure other computers,” Rogers added.
He praised Google for its quick response in issuing a fix. The vulnerability was disclosed to Google on 16 May and a fix was issued on 4 June.
“That Google dealt with this in a quick and timely manner, gives us confidence about the security of this device moving forward,” Rogers added.
Non-malicious hackers have been trying to discover flaws in Google Glass since devices were released to testers earlier this year. In April, one researcher discovered a non-traditional way to jailbreak Glass, claiming it was simple to carry out and a serious security concern given the lack of a lock screen.