BreachExchange mailing list archives

Google Glass vulnerability discovered by Lookout could have captured user data


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Wed, 17 Jul 2013 11:44:29 -0500

http://www.theinquirer.net/inquirer/news/2283069/google-glass-vulnerability-discovered-by-lookout-could-have-captured-user-data

Google Glass was silently patched by the internet giant last month
after a flaw was discovered that could have allowed hackers to capture
user data sent from the device, mobile security firm Lookout has
revealed.

Having worked with Google to find and repair the vulnerability,
Lookout said in a blog post today that it reported the bug on 16 May
before it was quickly fixed by Google on 4 June, with the update
pushed out to all devices.

Google took advantage of Glass' ability to read printed text and QR
codes to create an easy way for a user to configure their Glass device
without needing a keyboard.

Discovered by Lookout Mobile Security principal security researcher
Marc Rogers, the vulnerability that Google patched last month
exploited QR codes configured to tell Glass to connect to WiFi
networks or Bluetooth devices.

"We analysed how to make QR codes based on configuration instructions
and produced our own 'malicious' QR codes," Rogers said. "When
photographed by an unsuspecting Glass user, the code forced Glass to
connect silently to a 'hostile' WiFi access point that we controlled.

"That access point in turn allowed us to spy on the connections Glass
made, from web requests to images uploaded to the Cloud."

Lookout said that the exploit also allowed it to divert Glass to a
webpage on the access point containing a known Android 4.0.4
vulnerability that hacked Glass as it browsed the webpage.

Google's patch updated the Glass software so that the camera will only
identify QR codes when the user specifically triggers scanning through
the settings.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss-discuss
