Researchers have discovered a vulnerability in the yet-to-be-released Google Glass headset which could allow an attacker to connect a users' devices to malicious Wi-Fi networks without their knowledge.
Marc Rogers, principal security researcher at Lookout, a San Francisco-based mobile security firm, divulged the details of the bug in a blog post earlier this week.
According to Rogers, the flaw in Google's wireless headset device, which is expected to be the equivalent of a “computer that you wear on your head,” is a testament to the widening security concerns users will face because of the “internet of things” – meaning everything around us being influenced by or accessible via the internet.
Google Glass identifies QR codes, two-dimensional barcodes that contain encoded data, which allow it to connect to wireless networks in proximity to the wearer. But this feature of the device could also allow a saboteur using their own malicious QR codes to direct Glass users to a “hostile Wi-Fi access point,” Rogers wrote in a Wednesday blog post.
“We analyzed how to make QR codes based on configuration instructions and produced our own ‘malicious' QR codes,” Rogers wrote. When Glass users photographed the QR code, the attacker was able to carry out other feats, in addition to connecting the wireless device to Wi-Fi access points under their control.
“That access point, in turn, allowed us to spy on the connections Glass made, from web requests to images uploaded to the cloud,” Rogers revealed. "Finally, it also allowed us to divert Glass to a page on the access point containing a known Android 4.0.4 web vulnerability that hacked Glass as it browsed the page."
Lookout published a video on YouTube demonstrating the hack.
Researchers at Lookout disclosed their findings to Google on May 16, and the company quietly fixed the bug last month. Glass is not yet available to the public, but it is rumored the device will be released sometime next year.