Google Glass gets hit by hackers.
Google’s much buzzed-about wearable electronic hardware, a headset dubbed as “Google Glass,” hasn’t even been released to the public yet, but already, smart hackers are finding ways to manipulate the new-fangled device’s security flaws. One of those hackers—a principal researcher at Lookout Mobile Security named Marc Rogers—recently identified a security hole related to OR codes.
Rogers, who has the privilege of being one of the Google Glass beta testers, took his Glass Explorer device and used a malicious OR code—the term given to the increasingly-ubiquitous square-shaped barcodes designed for scanning with smartphones or tablets—to initiate a hostile attack on the glasses. Since Google Glass has no mouse or keyboard capability, there are things it does automatically in order to simplify the user experience. One of those automatic functions is the scanning of OR codes, not a big problem when those codes initiate promotional hyperlinking or Wi-Fi and BlueTooth set-up.
However, as Roger has proven with his experiment, not all OR codes lead to wholesome results. By creating an OR code that directed back to an attack network, and then using his Glass Explorer device to access that OR code, Rogers essentially lured the glasses into a trap. The attack network, which was built upon a list of known bugs in the Android operating system, then compromised the Android-powered Glass Explorer.
Rogers ran the tests and revealed the security flaw on May 16. Google took notice. By June 4, the company had responded with a firmware update designed to disrupt possible OR code attacks. For instance, the update keeps Google Glass from automatically scanning every OR code it sees, and even adds a warning function for whenever users do try to scan and access OR codes. In other words, a Google Glass user would now have to actively scan the OR code and then agree to open the website for Rogers’ attack scenario to be viable. Just as internet browsers have learned to avoid suspicious links around the web and in their email inboxes, Google Glass users will need to learn that not every OR code will win them a contest or link them to a useful page. The Google update merely limits the chances of someone accidentally accessing a malicious code.
Rogers was impressed with Google’s speed in producing a patch for the security flaw, and believes the company’s “responsive turnaround indicates the depth of Google’s commitment to privacy and security for this device and sets a benchmark for how connected things should be secured going forward.” While many have questioned the possible privacy and security issues inherent in wearable electronics and in Google Glass specifically, Rogers believes that Google is committed to proving the naysayers wrong: he thinks that when the device finally hits the streets, users will be able to trust it completely “because it has been tested.”
Leave a Reply