I Spy… a Security Loophole: Google Glass Cracks Exposed
Google Glass, a smartphone-like device worn like a pair of glasses, will be available for consumer purchase this fall.
Google Glass is still in limited release, but one security company has already detected a serious security loophole in the hands-free device.
Here's how it worked: When you took a picture with Google Glass, the Glass would automatically analyze the picture for recognizable images, such as QR (quick-response) codes.
QR codes are square-shaped designs of smaller black and white squares that scanners can read as a Web URL. They're often used in promotional campaigns — for example, a poster advertising a certain clothing line might include a QR code that links directly to the clothing line's website. Most smartphones now come preloaded with QR scanning apps.
If Google Glass users took a picture that happened to have a QR code visible in the background, the Glass would process that QR code as if the user had scanned it directly, and would attempt to link to the specified URL. If Glass wasn't previously connected to a Wi-Fi network, the act of trying to open a URL might cause Glass to search for available networks in order to complete the process.
This is a serious vulnerability, as criminals could set up an open Wi-Fi network in a public place and then post a QR code there that either directly or indirectly initiates a connection to that network.
If a Google Glass wearer happened to take a picture in that area that captured an image of that QR code, Google Glass would interpret the code as if the user had intended to scan it, and connect to that network.
If that were to happen, your Glass would be cooked: criminals could then use that connection to transmit malicious software, all without the user ever intending to connect to the network or even photograph the QR code in the first place.
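The flaw described above comes down to treating any decoded QR code as a command, whether or not the wearer asked for a scan. The sketch below is an added example, not code from Google or Lookout: it shows a handler that ignores codes found incidentally in a photo and only ever produces a confirmation prompt for a deliberate scan. The `WIFI:T:..;S:..;P:..;;` payload layout is the common QR convention for Wi-Fi settings and is assumed here, as are all function names and the constructed sample payloads.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Decision:
    kind: str    # "wifi", "url" or "text"
    action: str  # "ignore" or "prompt"
    detail: str  # text a confirmation prompt would show the wearer

def parse_wifi(payload):
    """Parse the common 'WIFI:T:<auth>;S:<ssid>;P:<key>;;' QR convention."""
    fields, cur, esc = {}, [], False
    for ch in payload[len("WIFI:"):] + ";":
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            esc = True  # backslash escapes ';' and ':' inside values
        elif ch == ";":
            key, sep, value = "".join(cur).partition(":")
            if sep:
                fields[key.upper()] = value
            cur = []
        else:
            cur.append(ch)
    return fields

def classify(payload):
    if payload.upper().startswith("WIFI:"):
        f = parse_wifi(payload)
        auth = f.get("T", "nopass").lower()
        label = "open network" if auth in ("", "nopass") else auth.upper()
        return "wifi", f"Join Wi-Fi '{f.get('S', '')}' ({label})?"
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return "text", payload
    if parts.scheme in ("http", "https") and parts.hostname:
        return "url", f"Open {parts.scheme}://{parts.hostname}?"
    return "text", payload

def handle_qr(payload, user_initiated):
    kind, detail = classify(payload)
    # A code that merely appears in a photo is data, never a command.
    # Even a deliberate scan only yields a prompt the wearer must confirm.
    action = "prompt" if user_initiated else "ignore"
    return Decision(kind, action, detail)

# Constructed sample payloads (not taken from the Lookout research).
SAMPLES = ["WIFI:T:nopass;S:Free\\;Cafe;;", "https://example.com/promo?id=1"]
```

The prompt text names the network and flags it as open, so the wearer sees what a code would actually do rather than what the surrounding poster claims.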
Lookout Mobile Security discovered the vulnerability in May, and Google rolled out a patch on June 4. So, if you've been regularly updating your devices, your Glass is no longer on the line.
There have not been any reported instances of a Google Glass being compromised via this method, but Lookout did prove that it's possible in several field tests.
However, QR codes are a notorious security nightmare. After all, there's no guarantee that a QR code actually does what the surrounding text claims it does.
You can read Lookout's full analysis on its blog.
Google made the Glass available to select developers and journalists in February. The device will be available to consumers this fall.