ITEM: Researchers have uncovered a security flaw in Google Glass involving QR codes – which in turn highlights the far bigger issue of security risks in the coming era of the Internet Of Things.
According to a blog post from startup mobile security firm Lookout, the flaw involves Google’s use of QR codes to let users configure the wearable display without having to use a keyboard. Whenever you take a photo using Glass, it searches for readable information – including QR codes.
The problem is that other people can use those same QR codes to tell your Glass to connect to their Wi-Fi networks or Bluetooth devices, says Lookout’s Marc Rogers:
We analyzed how to make QR codes based on configuration instructions and produced our own “malicious” QR codes. When photographed by an unsuspecting Glass user, the code forced Glass to connect silently to a “hostile” WiFi access point that we controlled. That access point in turn allowed us to spy on the connections Glass made, from web requests to images uploaded to the Cloud. Finally, it also allowed us to divert Glass to a page on the access point containing a known Android 4.0.4 web vulnerability that hacked Glass as it browsed the page.
The good news is that Lookout has already worked with Google to help them fix the flaw. Version XE6 of the Google Glass software only allows QR codes to be executed when the user actively requests them.
But the bigger point, says Rogers, is that adding billions of new devices to the internet creates more potential attack vectors to exploit:
Mundane objects, once familiar in appearance and completely unremarkable from a security perspective, suddenly become the guardians of sensitive data, ranging from sensitive financial information to detailed telemetry about personal aspects of our lives. [...] As we change the nature of things, identifying vulnerabilities and managing updates quickly and efficiently will be paramount. Connected things need to be treated like software when it comes to security.
Indeed, the same post from Lookout also describes a security flaw that allows bad guys to interfere with the operation of select models of wireless insulin pumps sold by Medtronic.
Rogers also commended Google for its approach to handling the vulnerability once it was shown to them, and advised all embedded hardware developers to follow its example and “approach wearables, connected things and anything with a sensor” with the same mindset.
“Just as pressing, in our connected world security and updates must be baked into these new devices from the start,” Rogers writes.