Vulnerabilities / Threats
8/23/2013
10:19 AM
Connect Directly
RSS
E-Mail
50%
50%

Hack My Google Glass: Security's Next Big Worry?

Wearable computing devices must strike a difficult balance between security and convenience. A recent episode involving Google Glass and malicious QR codes raises questions.

Are wearable computing devices the new big security threat?

That's one question lingering after Lookout Security last month detailed an insidious hack attack against Google Glass: Just by getting Glass to "see" a malicious QR code, an attacker could force a connection to a malicious Wi-Fi or Bluetooth connection, then eavesdrop on all communications. Admittedly, the attack wouldn't have triggered a countdown to global doom, but it did highlight the automated, promiscuous network-connecting habits of mobile devices, Glass included.

Therein lies a problem with wearable computing devices: They lack either physical or virtual keyboards, and thus require a relatively greater degree of automation than your average Android device or iPhone. With that automation, however, comes the risk that the device may automatically do something bad, from either an information security or privacy perspective.

[ Could a kill switch help? The Trouble With Smartphone Kill Switches. ]

In some respects, this is a good problem for the wearable computing field to have. For years, it was hobbled by awkward input mechanisms -- corded keyboards, joysticks, trackballs. But in this age of small, high-speed processors, voice recognition and relatively ubiquitous Internet connectivity, the release of Google Glass inaugurated people literally being able to tell their glasses what to do.

Unfortunately, as the Glass QR vulnerability -- patched by Google in June -- illustrates, wearable computing faces still some tricky security and privacy questions. Furthermore, useful solutions to these problems may not yet be on hand.

One problem is user authentication. For starters, unlike a smartphone, Google Glass doesn't offer access restrictions based on passwords or a PIN. That means a thief could easily access any Google account tied to a stolen device, warns InformationWeek columnist Jerry Irvine, who's a member of the National Cyber Security Task Force. Cue the need for restricting what these "bring your own" (BYOD) devices can do, and when. "If an organization doesn't have a BYOD strategy, the emergence of Glass can be a compelling argument to get one in place," said Irvine, who's also the CIO of Prescient Solutions.

Security managers will have many more options when such devices get rolled out by the IT department and tied to being used in specific environments. For example, Duncan Stewart, a research director at Deloitte, told the BBC that wearable computers could be especially useful for workers in environments that don't currently allow for smartphone use. "Someone driving a forklift in a warehouse can't use a PC or smartphone because they will crash into someone," Stewart said. "But imagine if they can drive around and be able to pinpoint a pallet and then the particular box they need on that pallet."

There are numerous security risks that could be blocked outright in that scenario. "There's a difference between a general use computer and a specialty use computer," Bob Rosenberg, CTO of startup facilities management service BluQRux, said in a phone interview. The latter, notably, can by heavily locked down, for example to only allow a white list of approved apps to be installed, and to block access to any website except for a preapproved list.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
benjimurphy
50%
50%
benjimurphy,
User Rank: Apprentice
9/12/2013 | 2:22:00 PM
re: Hack My Google Glass: Security's Next Big Worry?
I think that wearable tech will be the future of mobile devices. Maybe it will take 5-10 years, but the technology of size and power are moving in that direction. It still won't change the basic issues currently challenging BYOD and enterprise communication, but I bet these wearable will still need data protection and will have some form of text messaging which will still need security apps like Tigertext to protect and secure that data incase the wearable device is left in the gym locker room or taken from the user.
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
8/28/2013 | 11:24:18 AM
re: Hack My Google Glass: Security's Next Big Worry?
I don't think this issue has anything to do with glass, it is about as secure as any other not well thought out computing device. The real issue in this example is the QR code. It is easier to use than typing in a URL, but anyone who uses a QR code blindly trusts some dots in a pattern. With a URL there is a reasonably good chance to see if that URL matches the expected resource.
QR codes are big, they are ugly, and they are dangerous. Don't use them and don't put them anywhere. It is, same as glass, another devices that was not well thought out. Especially not from a security perspective.
UberGoober
50%
50%
UberGoober,
User Rank: Apprentice
8/27/2013 | 7:08:31 PM
re: Hack My Google Glass: Security's Next Big Worry?
Technologists are too often like lawmakers: "Ooooh, look, I've got this world-changing idea. Lets do it! NOW!!!"

Seldom much of a though of the downsides. You've gotta game the system yourself and think about how people will attack it BEFORE you dump it on the unsuspecting masses. You won't catch everything, but at least you will stop some of the problems before they happen.
jaysimmons
50%
50%
jaysimmons,
User Rank: Apprentice
8/26/2013 | 8:07:08 PM
re: Hack My Google Glass: Security's Next Big Worry?
With all new technology, there are always going to be security risks. With all technology its a constant battle between hackers and the security measures being put up to prevent these hackers. It has always been a back and forth, with every new security measure just proving to be temporary barriers as hackers find new ways around all measures. I'm not saying we shouldn't be taking these concerns seriously, but even if we address current security concerns, there will be more to come.

Jay Simmons
Information Week Contributor
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
8/26/2013 | 7:36:47 PM
re: Hack My Google Glass: Security's Next Big Worry?
I'd worry about device theft before malicious QR codes.
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
8/26/2013 | 1:48:28 PM
re: Hack My Google Glass: Security's Next Big Worry?
If mobile devices are going to make autonomous decisions about what network to connect to, first we've got to teach them to be paranoid.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5104
Published: 2014-07-28
Multiple SQL injection vulnerabilities in ol-commerce 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) a_country parameter in a process action to affiliate_signup.php, (2) affiliate_banner_id parameter to affiliate_show_banner.php, (3) country parameter in a process action ...

CVE-2014-5105
Published: 2014-07-28
Multiple cross-site scripting (XSS) vulnerabilities in ol-commerce 2.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) a_country parameter in a process action to affiliate_signup.php or (2) entry_country_id parameter in an edit action to admin/create_account.php.

CVE-2014-5106
Published: 2014-07-28
Cross-site scripting (XSS) vulnerability in Invision Power IP.Board (aka IPB or Power Board) 3.4.x through 3.4.6 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to admin/install/index.php.

CVE-2014-5107
Published: 2014-07-28
concrete5 before 5.6.3 allows remote attackers to obtain the installation path via a direct request to (1) system/basics/editor.php, (2) system/view.php, (3) system/environment/file_storage_locations.php, (4) system/mail/importers.php, (5) system/mail/method.php, (6) system/permissions/file_types.ph...

CVE-2014-5108
Published: 2014-07-28
Cross-site scripting (XSS) vulnerability in single_pages\download_file.php in concrete5 before 5.6.3 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to index.php/download_file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.