Another security weakness has been found with Google Glass. Using a QR code, security analysts at Lookout were able to force the Glass device to perform certain actions, such as sharing a user’s screen or joining wireless networks, without the user’s knowledge.
Google Glass is set to automatically process any QR code that the device's camera detects; this helps achieve its minimalistic design and interface. The moment Glass recognizes the command that the QR code contains, Glass executes it. All a hacker has to do is create malicious QR codes that command Glass to perform any number of actions. Lookout created a QR code that forced Glass to initiate a Glass-cast, which shares what a Google Glass user sees with a device connected via Bluetooth, without the user knowing. Theoretically, this could allow a hacker to spy on everything someone sees, including personal information and data, such as an ATM PIN or another password.
Lookout pointed out to PC Mag that this is not as threatening as it first appears, as a hacker would need physical access to a pair of Google Glass in order to pair a device with Bluetooth. The hacker would also have to remain pretty close to the user to keep getting the feed.
The QR code designed to force Glass to connect to a Wi-Fi network, however, is a much more troubling problem. A hacker could monitor everything a user does with Glass while connected to that network or even hack the device completely. For those of you unfamiliar with QR codes, they are those squares with black pixels that can be scanned with a smartphone or similar device. These are becoming more and more common on advertisements. A hacker could create one, print and copy it and post the copies anywhere. Someone could easily be tricked into scanning the code and giving up control of their Glass.
Finding security issues has been an important part of the Explorer Edition of Google Glass, and Google has been quick to fix these issues. In other news, another hacker successfully jailbroke Google Glass a few months ago in May and pointed out some very serious security flaws that Google was able to address. Just two weeks after Lookout presented this QR code vulnerability to Google, the company updated Glass to prevent the device from automatically executing a command. Still, Google did not see QR codes as a potential avenue for an attack. Users should only scan a code if they know what it is going to do, right? Try telling the auto feature of QR scanning in Glass that!
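
The fix described above, never acting on a scanned code without the user's say-so, can be sketched as a consent gate. This is an added example, not Glass or Lookout code: it assumes the common `WIFI:T:..;S:..;P:..;;` QR text convention (the article does not say which format Glass used), and `handle_scan`, `classify` and the `confirm` callback are hypothetical names.

```python
# Added example: consent gate for scanned QR payloads (not Glass source code).
SENSITIVE = {"wifi", "url"}  # kinds that change device state or reach the network

def split_unescaped(text, sep=";"):
    """Split on sep, honouring backslash escapes (a '\\;' stays inside the value)."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts

def parse_wifi_qr(payload):
    """Return Wi-Fi details from a WIFI: payload, or None if it is not one."""
    if not payload.startswith("WIFI:"):
        return None
    fields = dict(p.split(":", 1) for p in split_unescaped(payload[5:]) if ":" in p)
    if not fields.get("S"):
        return None  # no SSID: not a usable network description
    return {"ssid": fields["S"], "auth": fields.get("T", "nopass"),
            "has_password": bool(fields.get("P"))}  # never echo the password

def classify(payload):
    wifi = parse_wifi_qr(payload)
    if wifi:
        return "wifi", wifi
    if payload.lower().startswith(("http://", "https://")):
        return "url", {"url": payload}
    return "text", {"text": payload}  # plain text is only ever displayed

def handle_scan(payload, confirm):
    """Return the action to perform, or None when the user declines.
    confirm(kind, details) is a hypothetical UI prompt that returns True/False."""
    kind, details = classify(payload)
    if kind in SENSITIVE and not confirm(kind, details):
        return None
    return {"action": kind, **details}

if __name__ == "__main__":
    sample = "WIFI:T:WPA;S:Cafe\\;Guest;P:example;;"  # constructed sample payload
    print(handle_scan(sample, lambda kind, d: False))  # user declines, nothing runs
```

The prompt receives the parsed SSID and authentication type so the user can see what the code would do before approving it.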