Credit: Reuters/Andrew Kelly
Maybe those geniuses who built Google Glass aren't so smart after all.
Researchers at Lookout Mobile have revealed an ingenious -- and extremely simple -- security flaw that could allow an attacker to take over the wearable device without its owner ever knowing. (Or at least attackers could do this until Lookout Mobile quietly notified Google and gave it enough time to fix it.)
[ Google to Microsoft: Patch faster, you slowpokes | For a humorous take on the tech industry's shenanigans, subscribe to Robert X. Cringely's Notes from the Underground newsletter. | Get the latest insight on the tech news that matters from InfoWorld's Tech Watch blog. ]
Per Lookout Mobile principal security analyst Marc Rogers:
Every time you take a photograph, Glass looks for data it can recognize -- the most obvious are QR codes, a type of barcode that can contain everything from instructions to send an SMS or browse a website to configuration information that change device settings....
While it's useful to configure your Glass QR code and easily connect to wireless networks, it's not so great when other people can use those same QR codes to tell your Glass to connect to their Wi-Fi Networks or their Bluetooth devices. Unfortunately, this is exactly what we found. We analyzed how to make QR codes based on configuration instructions and produced our own "malicious" QR codes. When photographed by an unsuspecting Glass user, the code forced Glass to connect silently to a "hostile" Wi-Fi access point that we controlled. That access point in turn allowed us to spy on the connections Glass made, from Web requests to images uploaded to the Cloud. Finally, it also allowed us to divert Glass to a page on the access point containing a known Android 4.0.4 Web vulnerability that hacked Glass as it browsed the page.
In other words, by putting the right QR codes in front of a Glasshole, Rogers & Co. were able to divert images captured by Glass to another device, and force it to automatically log onto other Wi-Fi access points. From there, pwning the device -- and any of the personal information contained within -- would be child's play.
It apparently never occurred to anyone at Google that setting Glass to automatically read QR codes and execute whatever commands are hidden inside them would be a less-than-stellar idea.
Old QR flaw haunts new Google devices
QR code attacks have been known since 2007; the first actual attacks were detected in the wild in September 2011. Back then, Kaspersky detected a QR code attack that would install malware on an Android handset, then cause the phone to send premium-rate texts charged to the mobile account. A year later, security researchers in Berlin revealed a vulnerability in Samsung Galaxy phones that could allow a malicious website to issue a factory reset of the unit. The attack could be triggered by a link inside a text message, near-field communications, or QR codes.
Despite all that, Google Glass was released into the wild earlier this spring and was set by default to execute any QR code that came within its geeky field of vision. I realize that the denizens of Google's X Labs probably live in a dungeon deep below the Googleplex and only come up for air one day a year on March 14 (Pi Day), but have they ever heard of this little thing called the Internet? They could Google it.