Researchers at mobile security firm Lookout say they have found a way to make Google Glass execute potentially harmful commands simply by getting it to read a maliciously crafted QR code.
According to a blog post by principal security researcher Marc Rogers, Glass uses optical character recognition technology on every photograph taken – scanning for readable text and QR codes, which can contain configuration instructions or web links.
Rogers says that, as handy as this is for legitimate users – offering ways for guests to easily connect to a Wi-Fi network and so forth – it’s also a potential tool for the unscrupulous. The team at Lookout created a malicious QR code that performed an impressively complete takeover of Glass.
“When photographed by an unsuspecting Glass user, the code forced Glass to connect silently to a ‘hostile’ WiFi access point that we controlled. That access point in turn allowed us to spy on the connections Glass made, from web requests to images uploaded to the Cloud. Finally, it also allowed us to divert Glass to a page on the access point containing a known Android 4.0.4 web vulnerability that hacked Glass as it browsed the page,” wrote Rogers.
Lookout disclosed the vulnerability privately to Google in May. Google shipped a fix in early June that, among other changes, requires the user to approve any instructions carried in a QR code before Glass acts on them, closing this particular attack path.
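The mechanism described above, as an added example that is not Lookout's research code or Google's Glass firmware: a parser for the "WIFI:" QR payload scheme that Android QR scanners (ZXing and its descendants) use to carry Wi-Fi credentials, followed by the two policies the article contrasts, silently applying whatever the code says versus applying it only after the user has approved the parsed network. The payload format, the field names (T, S, P, H) and the sample hostile payload are assumptions for illustration; the page does not say which format Glass parsed or how its fix presents the approval prompt.

```python
# Added example, not code from Lookout or Google. Assumes the "WIFI:" QR
# scheme used by Android/ZXing scanners; the Glass parser itself is not shown
# on the page.
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class WifiConfig:
    ssid: str
    auth: str                # "WPA", "WEP" or "nopass"
    password: Optional[str]  # None for open networks
    hidden: bool


def _unescape(value: str) -> str:
    # Inside a field the scheme backslash-escapes ';', ',', ':' and '\'.
    return re.sub(r"\\(.)", r"\1", value)


def parse_wifi_qr(payload: str) -> WifiConfig:
    """Parse 'WIFI:T:<auth>;S:<ssid>;P:<password>;H:<true|false>;;'."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a WIFI: payload")
    fields = {}
    # Split only on ';' that is not preceded by an escaping backslash.
    for part in re.split(r"(?<!\\);", payload[len("WIFI:"):]):
        if not part:
            continue  # the trailing ';;' yields empty parts
        key, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed field {part!r}")
        fields[key] = _unescape(value)
    ssid = fields.get("S")
    if not ssid:
        raise ValueError("missing SSID")
    auth = fields.get("T") or "nopass"
    if auth == "WPA2":
        auth = "WPA"  # common non-standard spelling
    if auth not in ("WPA", "WEP", "nopass"):
        raise ValueError(f"unsupported auth type {auth!r}")
    password = fields.get("P") if auth != "nopass" else None
    if auth != "nopass" and not password:
        raise ValueError(f"password required for {auth}")
    hidden = fields.get("H", "false").lower() == "true"
    return WifiConfig(ssid, auth, password, hidden)


def safe_parse(payload: str) -> Optional[WifiConfig]:
    """Return None instead of raising on a malformed payload."""
    try:
        return parse_wifi_qr(payload)
    except ValueError:
        return None


def auto_join(payload: str, connect: Callable[[WifiConfig], None]) -> WifiConfig:
    # The pre-fix behaviour the article describes: the scanned configuration
    # is applied immediately, with no user interaction.
    cfg = parse_wifi_qr(payload)
    connect(cfg)
    return cfg


def join_with_approval(payload: str,
                       approve: Callable[[WifiConfig], bool],
                       connect: Callable[[WifiConfig], None]) -> Optional[WifiConfig]:
    # The post-fix behaviour: the parsed network (SSID and auth type) is shown
    # to the user and nothing is applied unless they approve it.
    cfg = parse_wifi_qr(payload)
    if not approve(cfg):
        return None
    connect(cfg)
    return cfg


def demo():
    # Constructed payload standing in for a hostile QR code; the SSID and
    # password are made up for this example.
    hostile = "WIFI:T:WPA;S:Free Guest WiFi;P:attacker-ap;H:false;;"
    silently_joined = []
    auto_join(hostile, silently_joined.append)
    prompted_joined = []
    # A user who declines the prompt (here: always decline) is never connected.
    result = join_with_approval(hostile, lambda cfg: False, prompted_joined.append)
    return len(silently_joined), len(prompted_joined), result


if __name__ == "__main__":
    print(demo())
```

The approval callback is where a real implementation would render the SSID and security type to the wearer; the important property is that parsing a code never has side effects on its own, so a photographed poster cannot change network state without a visible, deniable prompt.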
However, Rogers wrote that the vulnerability highlights more general concerns about the move toward the “Internet of things.”
“The traditional thermostat hanging on an office wall held little attraction to cybercriminals. A connected thermostat — that can tell whoever controls it how many people live in a house, what technology connects to their network, and, most seriously, when the house is unoccupied — is an attractive target,” he wrote.
Email Jon Gold at firstname.lastname@example.org and follow him on Twitter at @NWWJonGold.