Google Glass flaw opens headset to 'hostile' Wi-Fi connections

Share this article:
Google Glass flaw opens headset to 'hostile' Wi-Fi connections
Google Glass flaw opens headset to 'hostile' Wi-Fi connections

Researchers have discovered a vulnerability in the yet-to-be-released Google Glass headset which could allow an attacker to connect a users' devices to malicious Wi-Fi networks without their knowledge.

Marc Rogers, principal security researcher at Lookout, a San Francisco-based mobile security firm, divulged the details of the bug in a blog post earlier this week.

According to Rogers, the flaw in Google's wireless headset device, which is expected to be the equivalent of a “computer that you wear on your head,” is a testament to the widening security concerns users will face because of the “internet of things” – meaning everything around us being influenced by or accessible via the internet.

Google Glass identifies QR codes, two-dimensional barcodes that contain encoded data, which allow it to connect to wireless networks in proximity to the wearer. But this feature of the device could also allow a saboteur using their own malicious QR codes to direct Glass users to a “hostile Wi-Fi access point,” Rogers wrote in a Wednesday blog post.

“We analyzed how to make QR codes based on configuration instructions and produced our own ‘malicious' QR codes,” Rogers wrote. When Glass users photographed the QR code, the attacker was able to carry out other feats, in addition to connecting the wireless device to Wi-Fi access points under their control.

“That access point, in turn, allowed us to spy on the connections Glass made, from web requests to images uploaded to the cloud,” Rogers revealed. "Finally, it also allowed us to divert Glass to a page on the access point containing a known Android 4.0.4 web vulnerability that hacked Glass as it browsed the page."

Lookout published a video on YouTube demonstrating the hack.

Researchers at Lookout disclosed their findings to Google on May 16, and the company quietly fixed the bug last month. Glass is not yet available to the public, but it is rumored the device will be released sometime next year.

Share this article:
You must be a registered member of SC Magazine to post a comment.
close

Next Article in News

Sign up to our newsletters

More in News

Reported breaches involving zero-day bug at JPMorgan Chase, other banks

Reported breaches involving zero-day bug at JPMorgan Chase, ...

Hackers exploited a zero-day vulnerability and gained access to sensitive information from JPMorgan Chase and at least four other financial institutions, reports indicate.

Data on 97K Bugzilla users posted online for about three months

During a migration of the testing server for test builds of Bugzilla software, data on about 97,000 Bugzilla users was inadvertently posted publicly online.

Chinese national had access to data on 5M Arizona drivers, possible breach ...

Although Lizhong Fan left the U.S. in 2007, the agencies responsible for giving him access to Americans' personal information have yet to disclose the details of the case to the public.