Google Glass Security Flaw by QR Codes Spotted

Google Glass security flaw detected.

Mobile security firm Lookout has announced that it has spotted a very critical Google Glass security flaw. The firm’s principal security analyst, Marc Rogers, told PC Mag’s SecurityWatch that the company has discovered a vulnerability in how Google Glass processes QR codes.

Because Google’s wearable computer has a limited user interface, the Glass’ camera can automatically process any QR code it spots.

“On the face of it, it’s a really exciting development,” Rogers said. “But the issue is the moment Glass sees a command code it recognizes, it executes it.”

This Google Glass security flaw may give spammers and hackers an opportunity to develop malware that is downloaded and installed after a QR code is scanned automatically. To confirm its hunch, Lookout created QR codes containing malicious software and learned that Google Glass can be forced to perform actions without the user’s knowledge.

Malicious QR codes can exploit Google Glass security flaw.

Lookout first tried a malicious QR code that would initiate a so-called “Glass-cast,” in which Google Glass shares whatever appears on its screen with a paired Bluetooth device, without the user knowing it. Although this Google Glass security flaw screams “voyeurism,” it does have its limitations. For one, the attacker would have to be near enough to receive the Glass-cast transmission over Bluetooth, and before that would have to pair a Bluetooth device with the user’s Google Glass, which requires physical access. However, Rogers points out that since Google Glass has no lockscreen, pairing the devices would be easy, as the attacker would just tap the Glass to confirm.

The more troubling vulnerability is what Lookout demonstrated with its second malicious QR code, which forced Google Glass to connect to a designated WiFi network right after scanning the code. “Without realizing it, your Glass is connected to his access point and he can see your (web) traffic,” Rogers said, adding that the attacker could exploit this web vulnerability, which could cause the wearable computer to be hacked.

Lookout has already reported the Google Glass security flaw to Google, and a patch was released within two weeks to fix the loopholes.
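The design problem Rogers describes, a device acting on any QR code the camera decodes, can be contrasted with a gated handler. The sketch below is an added example, not Lookout's test code or Google's patch; the common `WIFI:` QR text format, the `GLASSCAST:` prefix, the sample payload and all function names are assumptions made for illustration.

```python
from collections import namedtuple

Decision = namedtuple("Decision", "action params execute reason")
# Actions that change device state; set assumed from the two cases in the article.
PRIVILEGED = {"wifi_join", "screencast"}
# Constructed sample payload in the common "WIFI:" QR text format (escaped ';' in SSID).
SAMPLE = "WIFI:S:Free\\;Cafe;T:WPA;P:example;;"

def split_fields(body):
    """Split on unescaped ';' and drop the backslash escapes."""
    fields, cur, esc = [], [], False
    for ch in body:
        if esc:
            cur.append(ch); esc = False
        elif ch == "\\":
            esc = True
        elif ch == ";":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return [f for f in fields if f]

def classify(payload):
    """Map scanned text to an action; anything unrecognised is only displayed."""
    if payload.startswith("WIFI:"):
        kv = dict(f.split(":", 1) for f in split_fields(payload[5:]) if ":" in f)
        return "wifi_join", {"ssid": kv.get("S", ""), "auth": kv.get("T", "nopass")}
    if payload.startswith("GLASSCAST:"):  # hypothetical prefix, for illustration only
        return "screencast", {"peer": payload[10:]}
    return "display_text", {"text": payload}

def auto_execute(payload):
    """Behaviour described in the article: act on whatever the camera decodes."""
    action, params = classify(payload)
    return Decision(action, params, True, "executed on sight")

def decide(payload, user_initiated, confirm):
    """Gated handling: privileged actions need a user-started scan and a confirmation."""
    action, params = classify(payload)
    if action not in PRIVILEGED:
        return Decision(action, params, True, "not privileged")
    if not user_initiated:
        return Decision(action, params, False, "ambient scan ignored")
    if not confirm(action, params):
        return Decision(action, params, False, "user declined")
    return Decision(action, params, True, "user confirmed")
```

The `confirm` callback stands in for an on-device prompt that shows the parsed network name before anything is changed.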

Source: SecurityWatch

Image source: Joe Seer, Featureflash /
