QR code security vulnerability found with Google Glass

Jul 18, 2013 by Bob Yirka

Engineers at Lookout Mobile Security have discovered a previously unknown security vulnerability in Google's Project Glass wearable headset. Marc Rogers reports on the company's website that engineers found that when the device took pictures of printed QR codes, it could be routed to a hostile Wi-Fi access point, which in turn allowed for monitoring and capture of data flowing to and from the device. They also found they were able to divert the device to a web page that took advantage of a previously known Android vulnerability.

Google Glass, Google's augmented reality headset, runs Android, and because of that is able to run many of the same apps as smartphones, one of which reads, recognizes and responds to QR codes. QR codes are designed for exactly that purpose. In testing the feature with a Glass device, the engineers at Lookout Mobile Security found that they could cause the device to connect to the Internet through a Wi-Fi hotspot they had rigged in advance. In so doing, they found they were able to monitor traffic between the device and the Internet, picking up message content and images that were transferred. They also found that they could cause the device to be routed to a web page they'd set up that allowed them to take control of the device using a previously known Android vulnerability. That allowed them to read messages stored on the device, control the camera and perform any other phone function.

Rogers told the press that Google was notified of the vulnerability on May 16th and that the company has taken steps to head off the problem. A subsequent software update by Google shows that the code has been amended to prevent the device from automatically switching to a Wi-Fi hotspot when reading a QR code. Users are now asked if they wish to switch over.
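
The fix described above, asking before switching networks, amounts to a confirmation gate between decoding a QR code and acting on it. The sketch below is an added example, not Google's or Lookout's code; it assumes the common `WIFI:` payload convention used by scanner apps (not necessarily the format Glass used), and the names `classify_scan`, `handle_scan` and `ask_user` are hypothetical.

```python
from urllib.parse import urlsplit

CONFIRM, DISPLAY_ONLY = "confirm", "display_only"

def parse_wifi(payload):
    """Parse 'WIFI:T:WPA;S:name;P:pass;;' honouring backslash escapes."""
    fields, cur, esc = {}, [], False
    for ch in payload[len("WIFI:"):] + ";":
        if esc:                      # escaped char is taken literally
            cur.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ";":              # unescaped ';' ends a field
            key, sep, val = "".join(cur).partition(":")
            if sep:
                fields[key.upper()] = val
            cur = []
        else:
            cur.append(ch)
    return fields

def classify_scan(payload):
    """Return (action, detail, policy) for a decoded QR string."""
    text = payload.strip()
    if text.upper().startswith("WIFI:"):
        f = parse_wifi(text)
        open_net = f.get("T", "nopass").lower() in ("", "nopass")
        return ("join_wifi", {"ssid": f.get("S", ""), "open_network": open_net}, CONFIRM)
    try:
        parts = urlsplit(text)
        scheme, host = parts.scheme.lower(), parts.hostname
    except ValueError:               # malformed URL: treat as plain text
        scheme, host = "", None
    if scheme in ("http", "https") and host:
        return ("open_url", {"host": host, "tls": scheme == "https"}, CONFIRM)
    return ("show_text", {"text": text}, DISPLAY_ONLY)

def handle_scan(payload, ask_user):
    """State-changing actions run only if ask_user(action, detail) is True."""
    action, detail, policy = classify_scan(payload)
    if policy == CONFIRM and not ask_user(action, detail):
        return ("declined", action)
    return ("proceed", action)

# Constructed sample payload: an open network whose SSID contains an escaped ';'
SAMPLE = "WIFI:T:nopass;S:Free\\;Cafe;;"
```

Passing the SSID and the open-network flag to the prompt lets the user see what they are agreeing to before the device changes networks.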

In response to publication of the discovery of the vulnerability, Google representatives reminded the press that Glass is still in a testing phase. Giving demo units to select users allows for finding and fixing vulnerabilities, they noted, as well as for spotting bugs or user issues before the device is made available to the general public.

User comments : 3

fmfbrestel
3 / 5 (2) Jul 18, 2013
I can hardly believe that a bug in a beta product which had already been fixed is newsworthy.

If you're looking for a few scoops, you can head over to the Chrome releases blog and get details of all sorts of security bugs found and fixed. They publish a list every few weeks, and many more people (by orders of magnitude) are affected by Chrome bugs.

/sarcasm

baudrunner
1 / 5 (1) Jul 18, 2013
For that matter, why should cell phones that read those QR codes be any safer?

kochevnik
2.3 / 5 (3) Jul 18, 2013
Another java exploit? Really???
