Developers have found another security weakness in Google's new Google Glass device. Using just a Quick Response Code, or QR code, security analysts at Lookout were able to force Glass to perform actions, such as sharing a user’s screen or joining wireless networks, without the user's knowledge.
In order to make its minimalist design and interface functional, Google Glass is set up to automatically process any QR code that the device’s camera detects. The moment Glass recognizes the command that the QR code contains, Glass executes it. All a hacker has to do is create malicious QR codes that force Glass to do any number of actions.
Lookout created a QR code that forced Glass to initiate a Glass-cast, which projects what a Google Glass user can see via Bluetooth, without the user knowing. Theoretically, this could allow a hacker to spy on everything a Google Glass user sees, including personal information like an ATM PIN.
Lookout pointed out to PC Mag that this isn’t too threatening, as a hacker would need physical access to a pair of Google Glass spectacles in order to pair the device via Bluetooth. The hacker would also have to remain pretty close to the user to keep getting the feed.
The QR code designed to force Glass to connect to a Wi-Fi network is much more troubling. A hacker could monitor everything a user does with Glass while connected to that network, or even hack the device completely.
For those who are unfamiliar with the technology, QR codes are those squares with black pixels that are becoming increasingly common on advertisements. A hacker could create one, print copies of it and post them anywhere. Someone could easily be tricked into scanning the code and giving up control of their Glass.
Finding security issues has been an important part of the Explorer Edition of Google Glass, and Google has been quick to fix them. Another hacker successfully jailbroke Google Glass in May and pointed out some very serious security flaws that Google was able to address. Just two weeks after Lookout presented this QR code vulnerability, Google updated Glass to prevent the device from automatically executing a command.
Still, Google did not see QR codes as a potential avenue for an attack. The company points out that users should only scan a code if they know what it is going to do.
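A confirmation gate is one way to keep a scanned code from being executed automatically, shown here as an added example that is not Google's or Lookout's code. It assumes the common `WIFI:T:..;S:..;P:..;;` QR text convention as a stand-in payload, since the article does not describe Glass's own format; `handle_scan`, `Decision` and the `confirm` callback are hypothetical names.

```python
from dataclasses import dataclass

# Assumption: the common "WIFI:T:<auth>;S:<ssid>;P:<pass>;;" QR text convention
# stands in for a configuration payload; the article gives no Glass format.

@dataclass
class Decision:
    action: str    # "join_wifi", "show_text" or "reject"
    summary: str   # text shown to the wearer
    execute: bool  # True only after an explicit yes

def _split_fields(body):
    """Split on unescaped ';' and resolve backslash escapes."""
    fields, cur, esc = [], [], False
    for ch in body:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ";":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    return [f for f in fields if f]

def handle_scan(payload, confirm):
    """Classify a decoded QR string; confirm(summary) -> bool asks the wearer."""
    if not payload.startswith("WIFI:"):
        # Unknown content is displayed, never acted on, and needs no prompt.
        return Decision("show_text", payload[:80], False)
    kv = dict(f.partition(":")[::2] for f in _split_fields(payload[5:]))
    ssid, auth = kv.get("S", ""), kv.get("T", "nopass")
    if not ssid or len(ssid.encode()) > 32 or not ssid.isprintable():
        return Decision("reject", "malformed network name", False)
    warn = " (open network, traffic can be observed)" if auth.lower() == "nopass" else ""
    summary = f"Join Wi-Fi '{ssid}'{warn}?"
    # The network change happens only if the wearer approves this exact summary.
    return Decision("join_wifi", summary, bool(confirm(summary)))

if __name__ == "__main__":
    # Constructed sample payloads, not captured from a real device.
    for sample in ("WIFI:T:WPA;S:CoffeeShop;P:secret;;", "WIFI:T:nopass;S:Free\\;WiFi;;"):
        print(handle_scan(sample, confirm=lambda s: False))
```

The parsed network name and an open-network warning are put in front of the wearer before anything changes, and a declined or unrecognized code results in no action.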