- Category: August 2013 - Data Protection & Security
More and more people and devices are connected with each other these days and, thanks to Google, glasses are linked to the Internet now, too.
In fact, everyday commodities are being “transformed by the addition of sensors that enable them to interact with the world, processors that enable them to think about it and network interfaces that allow them to talk about it”, states Lookout, a mobile security firm that examined Google Glass in detail and identified a vulnerability in it.
As a matter of course, the increasing interconnectivity of devices has consequences for security and privacy, since these intelligent, thinking devices are driving the “Internet of Things” and rapidly outstripping the Internet of PCs. Connected things therefore need to be treated like software when it comes to security, since their integrated sensors receive information that they transmit to other devices. This expands their opportunities, but also increases their vulnerability, making security and privacy issues much more difficult to deal with.
Security researchers from Lookout, an expert firm in mobile security, have discovered that Google Glass automatically executes commands hidden in an image captured by the camera. Every time you take a photograph, Glass looks for data it can recognize. The most obvious are QR codes, a type of barcode that can contain everything from instructions to send an SMS or browse a website to configuration information that changes device settings. Google took advantage of this capability to create an easy way for users to configure their Glass without needing a keyboard.
This means, for example, that a user could order a coffee just by photographing the menu, have the menu translated with just a glance, or always have their own personal tour guide that can identify every building they are looking at, presenting its complete history right before their eyes. Lookout puts it in a nutshell: “With Glass, OCR, the technology that allows a computer to read printed text, comes of age.”
But such features also increase the potential for abuse when Google Glass doesn’t ask the user for permission to perform certain actions, or doesn’t even inform the user about what’s going on.
According to Marc Rogers, security researcher at Lookout, their intention wasn’t to show the public that Google Glass has flaws, especially since it is still a limited beta product, but to point out the risk before the product hits the market in a big way. “Our goal was rather to demonstrate that networked devices require the same level of security as software on smart phones or PCs”, he explained.
Lookout identified a significant security problem in the QR codes that Glass uses to configure the device’s connection to wireless networks, stating: “It’s not so great when other people can use those same QR codes to tell your Glass to connect to their WiFi Networks or their Bluetooth devices. Unfortunately, this is exactly what we found. We analyzed how to make QR codes based on configuration instructions and produced our own “malicious” QR codes. When photographed by an unsuspecting Glass user, the code forced Glass to connect silently to a “hostile” WiFi access point that we controlled. That access point in turn allowed us to spy on the connections Glass made, from web requests to images uploaded to the Cloud. Finally, it also allowed us to divert Glass to a page on the access point containing a known Android 4.0.4 web vulnerability that hacked Glass as it browsed the page.”
What we can see clearly is a security flaw as a direct consequence of an object being “connected.” Of course, the Lookout team informed Google about the vulnerability, in accordance with the industry code of “responsible disclosure”, so that Google could fix the problem quickly, distributing its updated version XE6 to all Google Glass users just three weeks later (on June 4, 2013).
In fact, Google followed Lookout’s recommendation to execute QR codes only when the user actively triggers it. The company’s quick reaction demonstrates its commitment to privacy and security for this device and sets a benchmark for the development of connected things in general.
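The fix described above, sketched as an added example (not Google's or Lookout's code): a scanned Wi-Fi payload is acted on only when the user started the scan and then confirms a prompt. The `WIFI:` text format, the function names, the confirmation step and the sample payload are assumptions for illustration; the article does not give Glass's own QR encoding.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample in the common "WIFI:" QR text format (an assumption;
# the article does not describe the encoding Glass itself uses).
SAMPLE = "WIFI:S:Cafe\\;Guest;T:WPA;P:constructed-pass;;"

@dataclass(frozen=True)
class WifiConfig:
    ssid: str
    auth: str
    password: str

def parse_wifi_payload(payload: str) -> Optional[WifiConfig]:
    """Return the network settings in a WIFI: payload, or None if it is not one."""
    if not payload.startswith("WIFI:"):
        return None
    fields, buf, escaped = {}, "", False
    for ch in payload[5:]:
        if escaped:                  # a backslash-escaped character is literal
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ";":              # end of one KEY:value field
            key, sep, value = buf.partition(":")
            if sep:
                fields[key] = value
            buf = ""
        else:
            buf += ch
    if not fields.get("S"):
        return None
    return WifiConfig(fields["S"], fields.get("T", "nopass"), fields.get("P", ""))

def handle_scan(payload: str, user_initiated: bool,
                confirm: Callable[[str], bool],
                apply: Callable[[WifiConfig], None]) -> str:
    """Apply a configuration code only for a user-started scan, after a prompt."""
    cfg = parse_wifi_payload(payload)
    if cfg is None:
        return "ignored"             # not a configuration code
    if not user_initiated:
        return "blocked"             # code merely seen in an ordinary photo
    if not confirm(f"Join Wi-Fi network {cfg.ssid!r} ({cfg.auth})?"):
        return "declined"
    apply(cfg)
    return "applied"
```

Showing the SSID in the prompt addresses the other half of the problem the article raises, that the user was not informed of what the device was about to do.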
"Glass is nevertheless an example of a networked device that takes security into account from the beginning. Google simply knows how to protect such a thing, as it is a software company and thinks like a software company. Therefore it could fix the vulnerability so quickly," says Marc Rogers. "Developers have to deal with wearables, equipped with a sensor, and networked devices, with as much foresight as Google does with Glass", he concludes.
According to Lookout, vulnerability identification is actually not the only challenge that the “Internet of Things” will face in the future. In order for users to be protected and for the ecosystem to enjoy stability and growth, these vulnerabilities have to be managed as well.
“We have a long way to go if we want to create a process which can manage the vulnerabilities found in billions of connected things. Thankfully, there are also plenty of lessons that we can benefit from in the world of PC patch management”, Lookout emphasizes, adding: “Companies with roots in software engineering will understand this, while many others may struggle with the unfamiliar issues and sheer complexity of managing millions of things.”
By Daniela La Marca