People who live in Google Glass houses shouldn’t throw stones

Maybe those geniuses who built Google Glass aren’t so smart after all.

Researchers at Lookout Mobile have revealed an ingenious — and extremely simple — security flaw that could allow an attacker to take over the wearable device without its owner ever knowing. (Or at least attackers could do this until Lookout Mobile quietly notified Google and gave it enough time to fix it.)

[ Google to Microsoft: Patch faster, you slowpokes ]

Per Lookout Mobile principal security analyst Marc Rogers:

Every time you take a photograph, Glass looks for data it can recognize — the most obvious are QR codes, a type of barcode that can contain everything from instructions to send an SMS or browse a website to configuration information that change device settings….

While it’s useful to configure your Glass QR code and easily connect to wireless networks, it’s not so great when other people can use those same QR codes to tell your Glass to connect to their Wi-Fi Networks or their Bluetooth devices. Unfortunately, this is exactly what we found. We analyzed how to make QR codes based on configuration instructions and produced our own “malicious” QR codes. When photographed by an unsuspecting Glass user, the code forced Glass to connect silently to a “hostile” Wi-Fi access point that we controlled. That access point in turn allowed us to spy on the connections Glass made, from Web requests to images uploaded to the Cloud. Finally, it also allowed us to divert Glass to a page on the access point containing a known Android 4.0.4 Web vulnerability that hacked Glass as it browsed the page.

In other words, by putting the right QR codes in front of a Glasshole, Rogers & Co. were able to divert images captured by Glass to another device, and force it to automatically log onto other Wi-Fi access points. From there, pwning the device — and any of the personal information contained within — would be child’s play.

It apparently never occurred to anyone at Google that setting Glass to automatically read QR codes and execute whatever commands are hidden inside them would be a less-than-stellar idea.

Old QR flaw haunts new Google devices

QR code attacks have been known since 2007; the first actual attacks were detected in the wild in September 2011. Back then, Kaspersky detected a QR code attack that would install malware on an Android handset, then cause the phone to send premium-rate texts charged to the mobile account. A year later, security researchers in Berlin revealed a vulnerability in Samsung Galaxy phones that could allow a malicious website to issue a factory reset of the unit. The attack could be triggered by a link inside a text message, near-field communications, or QR codes.

Despite all that, Google Glass was released into the wild earlier this spring and was set by default to execute any QR code that came within its geeky field of vision. I realize that the denizens of Google’s X Labs probably live in a dungeon deep below the Googleplex and only come up for air one day a year on March 14 (Pi Day), but have they ever heard of this little thing called the Internet? They could Google it.

Google, which has enjoyed a healthy heap of schadenfreude at Microsoft’s ongoing inability to patch security holes in a timely fashion, must be scraping some spaetzle off its face right about now. Fortunately for Google, somebody else uncovered the hack before the hackers did (we think). Also fortunately for Google, Lookout Mobile is just a wee bit more generous when it comes to notification than Google is. The G-security geeks recently decided to give other companies a week to respond to critical security flaws before going public with the information; Lookout Mobile gave Google at least two weeks.

Yes, I know, no device is immune from attack. But Google Glass is especially sensitive because it’s both more personal and more public than even a cellphone. As the first true wearable computer, Glass is an extension of our physical senses, augmented reality for the eyes. As a device that can surreptitiously record and upload anything that falls within its field of vision, Glass also affects anyone who comes in contact with it.

As PCMag SecurityWatch blogger Max Eddy notes, Glass is ultimately just another Android device, which don’t have a sterling reputation when it comes to security:

The huge amount of information available with a worn device could be a tempting target. … This could include banking login information, two-factor authentication codes, or possibly extorting money from a victim by capturing embarrassing video.

Even mundane visual information — like what products you look at, or things in your home — could be valuable to advertisers and attackers.

In other words, this is the kind of gizmo that should be more secure than our smartphones and laptops, not less.

For me, this raises two questions:

1. What other Glass hacks are out there we don’t know about yet?
2. What hacks would we like to see?

Hacks you can use

Personally, I’d welcome a hack that sends a small electric shock through the brain of any geek who suggests that wearing Glass is more “manly” and less effeminate than using a smartphone. Even better: One that causes overprivileged Silicon Valley venture capitalists a sudden attack of humility, coupled with an overwhelming desire to donate all of their billions to charity. I think everyone would appreciate a hack that automatically disables Google Glass when Robert Scoble attempts to wear it in the shower.

Like a lot of the bonehead maneuvers Google has made over the years, the cause comes down to culture: Google is a technology-driven fiefdom, obsessed with the next cool thing it can achieve and very little else. The fact that actual humans have to use these things seems to elude them.

Releasing Google Glass into the wild with absolutely zero security on it probably didn’t faze the geeks, who just wanted to see what that sucker can do. But it could end up making suckers out of the rest of us.