April 22, 2014, updated 22 Sep 2016 2:27pm

5 security vulnerabilities found in Google Glass

CBR looks at five exploits already discovered by hackers.

By Amy-Jo Crowley

CBR rounds up five vulnerabilities already found in Google Glass by hackers just a week after Google made the high-tech specs available to the entire public for one day.

1. Jailbreaking


Google Glass wearers could be exposed to jailbreaking techniques, which would allow hackers to gain full access to the headset’s operating system.

"If you jailbreak a device you then run everything as the administrative user versus just a standard user, which gives you a much wider access to the underlying hardware and software characteristics of the platform," explained Lawrence Pingree, a research director and analyst of security technologies at Gartner.

He told CBR: "If you go to a meeting wearing your Google Glass, and a hacker jailbreaks a device and malware happens to get on the device, it brings a whole new level to spying."

Jay Freeman, a technology consultant also known as Saurik, already used an exploit in Android, developed by a hacker called Bin4ry, to gain root access to a version of Google Glass in 2013.


"Once the attacker has root on your Glass, they have much more power than if they had access to your phone or even your computer: they have control over a camera and a microphone that are attached to your head," he wrote in a blog.

"A bugged Glass doesn’t just watch your every move: it watches everything you are looking at (intentionally or furtively) and hears everything you do."



2. Malnotes


Security researchers from California Polytechnic San Luis Obispo created an application for Google Glass called Malnotes that has the capability to convert the specs into a spy camera.

Like note-taking software, the Malnotes app takes a picture every 10 seconds a Glass display is active, without the wearer knowing, and then uploads the information to a remote server.

Mike Lady and Kim Patterson, who built the software, said the prototype was written to highlight that hackers could potentially spy on wearers.

Patterson told Forbes: "The scary thing for us is that while it’s a policy that you can’t turn off the display when you use the camera, there’s nothing that actually prevents you from doing it."

The researchers were reportedly successful in uploading Malnotes to the Google Play Store, though it was quickly removed after the news broke. However, this would not prevent Google Glass users from loading the rogue app from a third-party website, for example.

"As someone who owns Glass and wants to install more apps, I’d feel a lot better if it were simply impossible to do that. Policies don’t really protect us," said Patterson.

3. QR Codes


Lookout Mobile Security found a critical vulnerability that could have allowed hackers to take control of Glass by showing it QR codes.

With this knowledge, the security firm created malicious QR codes that could force Google Glass to connect to a Wi-Fi access point, allowing hackers to read all the data flowing to and from the headset.

"We analysed how to make QR codes based on configuration instructions and produced our own ‘malicious’ QR codes," principal security researcher Marc Rogers said in a blog post.

"When photographed by an unsuspecting Glass user, the code forced Glass to connect silently to a ‘hostile’ WiFi access point that we controlled," he wrote.

"That access point in turn allowed us to spy on the connections Glass made, from web requests to images uploaded to the Cloud."

4. Wi-Fi Pineapple


Symantec found another Wi-Fi network problem, one that has been a long-known weakness in wireless networking.

The security firm said that for as little as $100, a hacker could buy a Wi-Fi access point and give it the same name as a network the wearer has connected to before, tricking the device into using it.

If a mobile device such as Google Glass looks for a known network with the SSID of "myPrivateWiFi," a device called Wi-Fi Pineapple can respond, pretending it is the network.

Once it has tricked a Wi-Fi device into thinking it is the legitimate network, it can then spy on the data traffic or redirect the user to malicious sites.

The issue, however, isn’t exclusive to Google Glass and could affect any device used.
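A defensive check for the look-alike network described above, as an added example that is not from the article or from Symantec. It assumes the device keeps a profile for each saved network with its expected security type and access-point hardware addresses (BSSIDs); every SSID, BSSID and scan entry is constructed, and the rule that flags one radio answering for several saved SSIDs is an added heuristic that goes beyond the single-SSID case in the text.

```python
from collections import defaultdict

# Saved-network profiles: SSID -> expected security and pinned BSSIDs.
# All values are constructed for this example.
KNOWN_NETWORKS = {
    "myPrivateWiFi": {"security": "WPA2", "bssids": {"a4:2b:b0:11:22:33"}},
    "OfficeNet": {"security": "WPA2",
                  "bssids": {"f0:9f:c2:aa:bb:01", "f0:9f:c2:aa:bb:02"}},
}

# Constructed scan results: (ssid, bssid, security) as a Wi-Fi scan reports them.
SAMPLE_SCAN = [
    ("myPrivateWiFi", "a4:2b:b0:11:22:33", "WPA2"),  # the real access point
    ("myPrivateWiFi", "02:00:00:de:ad:01", "OPEN"),  # same name, unknown radio
    ("OfficeNet", "02:00:00:de:ad:01", "OPEN"),      # same radio, second saved name
    ("CoffeeShop", "3c:84:6a:00:00:09", "OPEN"),     # not a saved network
]

def find_impersonators(scan, known=KNOWN_NETWORKS):
    """Return a sorted list of (bssid, ssid, reason) findings for saved SSIDs."""
    findings = set()
    saved_ssids_by_bssid = defaultdict(set)
    for ssid, bssid, security in scan:
        profile = known.get(ssid)
        if profile is None:
            continue  # the device would not auto-join this network
        bssid = bssid.lower()
        saved_ssids_by_bssid[bssid].add(ssid)
        if bssid not in profile["bssids"]:
            findings.add((bssid, ssid, "unknown-bssid"))
        if security != profile["security"]:
            findings.add((bssid, ssid, "security-mismatch"))
    # One radio answering for several saved SSIDs is not how a normal AP behaves.
    for bssid, ssids in saved_ssids_by_bssid.items():
        if len(ssids) > 1:
            for ssid in ssids:
                findings.add((bssid, ssid, "multi-ssid-responder"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_impersonators(SAMPLE_SCAN):
        print(finding)
```

A device that refuses to auto-join when any finding is present for a saved SSID will not silently hand its traffic to a same-name access point.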


5. JavaScript


Last and perhaps most interestingly, a developer hacked into his Google Glass device using Node.js, a JavaScript runtime, to turn the device into a control system for a quadcopter drone.

Blaine Bublitz from coding company IcedDev showed off his Google Glass-controlled drone at International Nodebots Day last year, which he managed to control by moving his head.

Bublitz said he has to make some improvements in order to make it work better.

"Turns out that I was driving the drone at full speed in each direction I tilted my head. I should have had the speed at about 0.3 instead of 1," he said in his blog.

"Lesson learned. I would have also liked to add the ability to rotate the drone left and right based on the Glass’ azimuth value, but I guess that will have to be in the future."




