Google Glass flaw opens headset to 'hostile' Wi-Fi connections

Share this article:
Google Glass flaw opens headset to 'hostile' Wi-Fi connections
Google Glass flaw opens headset to 'hostile' Wi-Fi connections

Researchers have discovered a vulnerability in the yet-to-be-released Google Glass headset which could allow an attacker to connect a users' devices to malicious Wi-Fi networks without their knowledge.

Marc Rogers, principal security researcher at Lookout, a San Francisco-based mobile security firm, divulged the details of the bug in a blog post earlier this week.

According to Rogers, the flaw in Google's wireless headset device, which is expected to be the equivalent of a “computer that you wear on your head,” is a testament to the widening security concerns users will face because of the “internet of things” – meaning everything around us being influenced by or accessible via the internet.

Google Glass identifies QR codes, two-dimensional barcodes that contain encoded data, which allow it to connect to wireless networks in proximity to the wearer. But this feature of the device could also allow a saboteur using their own malicious QR codes to direct Glass users to a “hostile Wi-Fi access point,” Rogers wrote in a Wednesday blog post.

“We analyzed how to make QR codes based on configuration instructions and produced our own ‘malicious' QR codes,” Rogers wrote. When Glass users photographed the QR code, the attacker was able to carry out other feats, in addition to connecting the wireless device to Wi-Fi access points under their control.

“That access point, in turn, allowed us to spy on the connections Glass made, from web requests to images uploaded to the cloud,” Rogers revealed. "Finally, it also allowed us to divert Glass to a page on the access point containing a known Android 4.0.4 web vulnerability that hacked Glass as it browsed the page."

Lookout published a video on YouTube demonstrating the hack.

Researchers at Lookout disclosed their findings to Google on May 16, and the company quietly fixed the bug last month. Glass is not yet available to the public, but it is rumored the device will be released sometime next year.

Share this article:
You must be a registered member of SC Magazine to post a comment.
close

Next Article in News

Sign up to our newsletters

TOP COMMENTS

More in News

ISSA tackles workforce gap with career lifecycle program

ISSA tackles workforce gap with career lifecycle program ...

On Thursday, the group launched its Cybersecurity Career Lifecycle (CSCL) program.

Amplification DDoS attacks most popular, according to Symantec

Amplification DDoS attacks most popular, according to Symantec

The company noted in a whitepaper released on Tuesday that Domain Name Server amplification attacks have increased 183 percent between January and August.

Court shutters NY co. selling security software with "no value"

A federal court shut down Pairsys at the request of the Federal Trade Commission.