At the time of this writing Google is claiming that the flaw has been patched, but from some rumblings in the darker corners of the internet it might not be that simple. Originally Google designed the Glass device to simply accept any QR code that it scanned. This was done for ease of use and because of the limited ways a user can interact with the device. Sadly this also meant that a QR code containing a direct link to malware could automatically infect the device without user intervention. The flaw was discovered by Lookout Security, which is one of the leading mobile security companies (their Lookout Security suite is widely used on Android devices).
Lookout identified the flaw and then set about developing QR codes that would attempt to execute different commands. With these codes they were able to force Google Glass to start a Glass Cast (sharing of the camera view with a paired Bluetooth device), force it to connect to a wireless network, and more. Of greatest concern would be forcing the Wi-Fi connection. It is possible to set up a splash page that contains malicious code. From there an attacker can damage the device or take control of it.
Google responded to the vulnerability with an update to Google Glass that now requires you to be on the settings page that a QR code is trying to change. It also gives information on what the QR code wants to do and requires permission to allow it. They (Google) were able to get the new patch out very quickly after Lookout let them know about the issue. This rapid response is a good thing, but it might not be indicative of their normal reaction time.
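The patched behaviour described above, sketched as an added example (not Google's or Lookout's code): a scanned configuration code is acted on only when the user is already on the matching settings page and approves a description of the change. The `GLASSCFG:` payload format, the screen names and the function names are hypothetical.

```python
from typing import Callable, Dict, NamedTuple, Optional, Tuple

PREFIX = "GLASSCFG:"  # hypothetical payload prefix, not Glass's real format
# Hypothetical mapping: which settings screen may act on which kind of code.
ACTION_SCREEN = {"wifi": "settings/wifi", "cast": "settings/cast"}

class Decision(NamedTuple):
    allowed: bool
    reason: str

def parse_payload(text: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (action, params) for a well-formed config code, else None."""
    if not text.startswith(PREFIX):
        return None
    fields = [f for f in text[len(PREFIX):].split(";") if f]
    if not fields:
        return None
    params: Dict[str, str] = {}
    for field in fields[1:]:
        key, sep, value = field.partition("=")
        if not key or not sep:
            return None  # malformed field: reject instead of guessing
        params[key] = value
    return fields[0], params

def handle_scan(text: str, current_screen: str,
                confirm: Callable[[str], bool]) -> Decision:
    """Apply the post-patch policy to one scanned QR payload."""
    parsed = parse_payload(text)
    if parsed is None:
        return Decision(False, "not a configuration code")
    action, params = parsed
    required = ACTION_SCREEN.get(action)
    if required is None:
        return Decision(False, "unknown action")
    # Check 1: the user must already be on the settings page being changed.
    if current_screen != required:
        return Decision(False, "wrong screen for " + action)
    # Check 2: describe the change (secrets masked) and ask for permission.
    shown = {k: ("***" if k == "password" else v) for k, v in params.items()}
    summary = action + ": " + ", ".join(f"{k}={v}" for k, v in sorted(shown.items()))
    if not confirm(summary):
        return Decision(False, "user declined")
    return Decision(True, summary)

if __name__ == "__main__":
    code = "GLASSCFG:wifi;ssid=ExampleNet;password=hunter2"  # constructed sample
    print(handle_scan(code, "timeline", lambda s: True))
    print(handle_scan(code, "settings/wifi", lambda s: True))
```

The screen check runs before the prompt, so a code scanned from the timeline never reaches the user as a permission request at all.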
Now, all this sounds good, but as we said, reading through a few conversations shows that it does not remove the possibility of using QR codes as a vector for attack. Some are already talking about using Google's own software against the Glass devices. Google created an app that allows you to create QR codes to speed up configuration; these same codes could be manipulated to do more damage (like the original flaw that was found). Even Google is not claiming this fix will keep Google Glass safe, saying “New things mean new vulnerabilities”. We have to wonder about the future security of Google Glass if they missed something as relatively simple and obvious as this. We know that the security community (the good guys and bad guys) is already looking for other vulnerabilities as well as ways to get around the fix that was just put in place.