Google Glass QR code exploit quietly patched

July 17, 2013

Google Glass had a security issue involving QR codes. Google has already taken care of the issue, which means those wearing Glass shouldn't be afraid of QR codes. Perhaps more important, now that Google has patched the issue, it can be discussed further. The exploit was originally discovered by Marc Rogers, a Principal Security Researcher at Lookout Mobile Security.

The short version of the story is as follows: QR codes could have been used to trigger WiFi and other configurations with Glass. Basically, these codes could have been used to have Glass connect to a compromised network. This network would be controlled by the attacker and as such, that person (or persons) would be able to monitor the connections made by Glass and even see any images that are being uploaded.

While it seems pretty harmless thus far, the attacker could take things even further by sending an exploit to Glass. This exploit would allow the attacker to remotely control Glass from a web interface. This last part depended on combining the QR code issue with a known web vulnerability in Android 4.0.4, and would allow the attacker to remotely monitor and control Glass to the point of turning on the camera and seeing what the person wearing them was looking at.

Anyway, this all stems from the way Glass was designed. It seems this QR code approach was intentionally done to make the setup process quicker and easier. Originally, Glass would automatically identify QR codes in images and act accordingly. This helped users set up things such as a WiFi connection or Bluetooth device. As far as the fix goes, Google (with the XE6 update) changed the way Glass responds to a QR code.

Moving forward, Glass will only identify and react to a QR code when specified by the user. The end result here is that this "Explorer Edition" trial period of Glass seems to be having some positive side effects. While there are likely a few people upset that they cannot buy Glass just yet, as was pointed out by the Lookout researcher, this trial period means additional users should be “able to trust Glass … because it has been tested.”

VIA: SlashGear

SOURCE: Lookout

