Wednesday, 05 October 2022

Google Glass Hit By QRC Malware, or Monkey See, Monkey Do.


As with many technologies, there is a blind spot during the initial design and testing phase. With SCADA devices this was the possibility that anyone would put them on the internet. These control devices were not built to be exposed like this, and because the people using them did not follow best practices for protecting them, we all know just how vulnerable our core infrastructure is. Even with devices like pacemakers that can be tuned using WiFi, there was a failure of imagination that left them open to… well, anyone connecting to them. This failure of imagination seems to exist in almost any product as designers continue to say, “no one will think of that”. Today we are seeing this happen to Google and their Google Glass project. It looks like they never thought someone would use QR codes to infect the device.


At the time of this writing Google is claiming that the flaw has been patched, but from some rumblings on the less well-lit sides of the internet it might not be that simple. Originally Google designed the Glass device to simply accept any QR code that it scanned. This was done for ease of use and because of the limited ways a user can interact with the device. Sadly, this also means that a QR code containing a direct link to malware could automatically infect the device without user intervention. The flaw was discovered by Lookout Security, which is one of the leading mobile security companies (their Lookout Security suite is widely used on Android devices).

Lookout identified the flaw and then set about developing QR codes that would attempt to execute different commands. With these codes they were able to force Google Glass to start a Glass Cast (sharing of the camera view with a paired Bluetooth device), force it to connect to a wireless network, and more. Of greatest concern would be forcing the Wi-Fi connection. It is possible to set up a splash page that contains malicious code. From there you can damage the device or take control of it.

Google responded to the vulnerability with an update to Google Glass that now requires you to be on the settings page that a QR code is trying to change. It also gives information on what the QR code wants to do and requires permission to allow it. They (Google) were able to get the new patch out very quickly after Lookout let them know about the issue. This rapid response is a good thing, but it might not be indicative of their normal reaction time.
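The difference between the two behaviours, sketched as an added example (this is not Google's or Lookout's code). The `WIFI:S:...;T:...;P:...;;` payload layout is the common Wi-Fi QR convention and is assumed here, since the article does not say what format Glass used; the screen name, the callbacks and the sample payload are hypothetical.

```python
from typing import Callable, Optional, Tuple

WIFI_SETTINGS = "wifi_settings"  # hypothetical screen identifier

def parse_wifi_qr(payload: str) -> Optional[dict]:
    """Parse 'WIFI:S:<ssid>;T:<auth>;P:<password>;;' (assumed format)."""
    if not payload.startswith("WIFI:"):
        return None
    fields, key, buf, esc = {}, None, [], False
    for ch in payload[5:]:
        if esc:                          # backslash-escaped character
            buf.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ":" and key is None:  # first colon ends the field name
            key, buf = "".join(buf), []
        elif ch == ";":                  # end of field
            if key:
                fields[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(ch)
    return fields if fields.get("S") else None

def handle_scan_legacy(payload: str, apply_wifi: Callable) -> Tuple[bool, str]:
    """Behaviour the article describes before the fix: act on any code seen."""
    cfg = parse_wifi_qr(payload)
    if cfg is None:
        return (False, "not a config code")
    apply_wifi(cfg)
    return (True, "applied silently")

def handle_scan_patched(payload: str, screen: str, confirm: Callable[[str], bool],
                        apply_wifi: Callable) -> Tuple[bool, str]:
    """After the fix: right settings screen, visible summary, explicit consent."""
    cfg = parse_wifi_qr(payload)
    if cfg is None:
        return (False, "not a config code")
    if screen != WIFI_SETTINGS:
        return (False, "ignored: not on Wi-Fi settings screen")
    if not confirm(f"Join Wi-Fi {cfg['S']!r} (security: {cfg.get('T', 'none')})?"):
        return (False, "declined by user")
    apply_wifi(cfg)
    return (True, "applied after confirmation")
```

The patched handler never calls `apply_wifi` unless both the screen check and the user's answer pass, which is the property to test for in any camera-driven configuration path.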

Now, all this sounds good, but as we said, from reading through a few conversations, the fix does not remove the possibility of using QR codes as a vector for attack. Some are already talking about using Google's own software against the Glass devices. Google created an app that allows you to create QR codes to speed up configuration; these same codes could be manipulated to do more damage (like the original flaw that was found). Even Google is not claiming this fix will keep Google Glass safe, saying “New things mean new vulnerabilities”. We have to wonder about the future security of Google Glass if they missed something as relatively simple and obvious as this. We know that the security community (the good guys and the bad guys) is already looking for other vulnerabilities as well as ways to get around the fix that was just put in place.



Last modified on Wednesday, 17 July 2013 09:40
