Researchers have uncovered a security vulnerability in the Google Glass platform, which could allow attackers to hijack devices with specially crafted QR codes.
Security firm Lookout found a method for covertly taking control of Google Glass headsets by exploiting flaws in the way Glass interacts with the photographic codes.
According to Lookout, Google Glass is able to use QR codes to change its configurations, such as connecting to WiFi networks automatically. Though the feature is intended to allow users to easily manage devices while on the move, researchers also worry that it could be exploited by hackers.
“While it’s useful to configure your Glass QR code and easily connect to wireless networks, it’s not so great when other people can use those same QR codes to tell your Glass to connect to their WiFi Networks or their Bluetooth devices,” Lookout said in its report.
“Unfortunately, this is exactly what we found. We analysed how to make QR codes based on configuration instructions and produced our own 'malicious' QR codes.”
By exploiting the security loopholes, which have since been fixed by Google, the researchers were able to automatically connect devices to a 'hostile' wireless network. Once connected, the researchers were able to eavesdrop on web browsing activity, capture images that were being uploaded to the web and reconfigure devices to access attack sites that exploit Android security vulnerabilities.
The company said that it privately reported the flaw to Google in May and a fix was released in early June.
“Google clearly worked quickly to fix the vulnerability as the issue was fixed by version XE6, released on 4 June,” the company said.
“Lookout recommended that Google limit QR code execution to points where the user has solicited it. Google’s changes reflected this recommendation.”
These will likely not be the last of such flaws to be spotted in Google Glass as the platform proceeds with its closed public beta. The platform has been available on a limited basis to developers and is tentatively set for release at the end of the year.
Bluehole confirms rumours that Playstation 4 port is coming on 7 December
Atmospheric iodine works as a significant sink of tropospheric ozone, nullifying the harmful pollutant
A temperature rise of just 1.8° C would melt major ice sheets
The new framework could enable supercomputers that reach exascale levels