Google Glass security vulnerability 'uncovered by researchers'

A security vulnerability in Google Glass lets hackers spy on connections, a security firm has claimed.

Project Glass
An early prototype of Google's futuristic Internet-connected glasses Credit: Photo: AP

Although Google Glass is not even due to launch until the end of this year, researchers at mobile security firm Lookout say they have already uncovered a vulnerability, which they claim allows hackers to take control of the device using QR codes.

Google Glass is a wearable computer with an optical head-mounted display that connects to the internet. Information is displayed on a small screen above a person’s eye, and the device also has a 5MP camera which can be used to capture images and videos.

As with a smartphone, the Google Glass camera can be used to read QR codes. These are usually used to direct the device to a certain website, but can also tell the device to connect to a particular WiFi network or Bluetooth device.

Lookout discovered that it was able to produce its own “malicious” QR codes, which force Glass to connect silently to a “hostile” WiFi access point. That access point in turn allowed the researchers to spy on the connections Glass made, from web requests to images uploaded to the cloud.

The researchers were also able to divert Glass to a page on the access point containing a known Android 4.0.4 web vulnerability that hacked Glass as it browsed the page.

“Glass was hacked by the image of a malicious QR code. Both the vulnerability and its method of delivery are unique to Glass as a consequence of it becoming a connected thing,” said Marc Rogers, principal security researcher at Lookout in a blog post.

Lookout disclosed its findings to Google on 16 May. Google filed a bug report with the Glass development team and the issue was fixed by version XE6, released on 4 June. Lookout’s recommendation that Google limit QR code execution to points where the user has solicited it was reflected in Google’s changes.

"This responsive turnaround indicates the depth of Google’s commitment to privacy and security for this device and set a benchmark for how connected things should be secured going forward," said Rogers.

Responding to the news, a Google spokesperson told the Telegraph: “We want get Glass into the hands of all sorts of people, listen to their feedback, see the inspirational ways they use the technology, and discover vulnerabilities that we can research and work to address before we launch Glass more broadly.”

Google Glass has been subject to a great deal of controversy since it was first unveiled in April this year. While it is thought that the technology could open the gates to a new era of mobile communications, it also has the potential to invade privacy.

In June, the company said that it will not add allow facial recognition capabilities in applications being tailored for Glass, in acknowledgment of concerns expressed by users and shareholders that the device is "a voyeur's dream come true."