Vulnerabilities / Threats

8/23/2013
10:19 AM
50%
50%

Hack My Google Glass: Security's Next Big Worry?

Wearable computing devices must strike a difficult balance between security and convenience. A recent episode involving Google Glass and malicious QR codes raises questions.

Are wearable computing devices the new big security threat?

That's one question lingering after Lookout Security last month detailed an insidious hack attack against Google Glass: Just by getting Glass to "see" a malicious QR code, an attacker could force a connection to a malicious Wi-Fi or Bluetooth connection, then eavesdrop on all communications. Admittedly, the attack wouldn't have triggered a countdown to global doom, but it did highlight the automated, promiscuous network-connecting habits of mobile devices, Glass included.

Therein lies a problem with wearable computing devices: They lack either physical or virtual keyboards, and thus require a relatively greater degree of automation than your average Android device or iPhone. With that automation, however, comes the risk that the device may automatically do something bad, from either an information security or privacy perspective.

[ Could a kill switch help? The Trouble With Smartphone Kill Switches. ]

In some respects, this is a good problem for the wearable computing field to have. For years, it was hobbled by awkward input mechanisms -- corded keyboards, joysticks, trackballs. But in this age of small, high-speed processors, voice recognition and relatively ubiquitous Internet connectivity, the release of Google Glass inaugurated people literally being able to tell their glasses what to do.

Unfortunately, as the Glass QR vulnerability -- patched by Google in June -- illustrates, wearable computing faces still some tricky security and privacy questions. Furthermore, useful solutions to these problems may not yet be on hand.

One problem is user authentication. For starters, unlike a smartphone, Google Glass doesn't offer access restrictions based on passwords or a PIN. That means a thief could easily access any Google account tied to a stolen device, warns InformationWeek columnist Jerry Irvine, who's a member of the National Cyber Security Task Force. Cue the need for restricting what these "bring your own" (BYOD) devices can do, and when. "If an organization doesn't have a BYOD strategy, the emergence of Glass can be a compelling argument to get one in place," said Irvine, who's also the CIO of Prescient Solutions.

Security managers will have many more options when such devices get rolled out by the IT department and tied to being used in specific environments. For example, Duncan Stewart, a research director at Deloitte, told the BBC that wearable computers could be especially useful for workers in environments that don't currently allow for smartphone use. "Someone driving a forklift in a warehouse can't use a PC or smartphone because they will crash into someone," Stewart said. "But imagine if they can drive around and be able to pinpoint a pallet and then the particular box they need on that pallet."

There are numerous security risks that could be blocked outright in that scenario. "There's a difference between a general use computer and a specialty use computer," Bob Rosenberg, CTO of startup facilities management service BluQRux, said in a phone interview. The latter, notably, can by heavily locked down, for example to only allow a white list of approved apps to be installed, and to block access to any website except for a preapproved list.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jackdon
50%
50%
jackdon,
User Rank: Apprentice
8/16/2014 | 4:51:35 AM
re: Hack My Google Glass: Security's Next Big Worry?
Most of the time I don't make comments on but I'd like to say that this article really forced me to do so. Really nice post! six sigma green belt certification
benjimurphy
50%
50%
benjimurphy,
User Rank: Apprentice
9/12/2013 | 2:22:00 PM
re: Hack My Google Glass: Security's Next Big Worry?
I think that wearable tech will be the future of mobile devices. Maybe it will take 5-10 years, but the technology of size and power are moving in that direction. It still won't change the basic issues currently challenging BYOD and enterprise communication, but I bet these wearable will still need data protection and will have some form of text messaging which will still need security apps like Tigertext to protect and secure that data incase the wearable device is left in the gym locker room or taken from the user.
moarsauce123
50%
50%
moarsauce123,
User Rank: Ninja
8/28/2013 | 11:24:18 AM
re: Hack My Google Glass: Security's Next Big Worry?
I don't think this issue has anything to do with glass, it is about as secure as any other not well thought out computing device. The real issue in this example is the QR code. It is easier to use than typing in a URL, but anyone who uses a QR code blindly trusts some dots in a pattern. With a URL there is a reasonably good chance to see if that URL matches the expected resource.
QR codes are big, they are ugly, and they are dangerous. Don't use them and don't put them anywhere. It is, same as glass, another devices that was not well thought out. Especially not from a security perspective.
UberGoober
50%
50%
UberGoober,
User Rank: Apprentice
8/27/2013 | 7:08:31 PM
re: Hack My Google Glass: Security's Next Big Worry?
Technologists are too often like lawmakers: "Ooooh, look, I've got this world-changing idea. Lets do it! NOW!!!"

Seldom much of a though of the downsides. You've gotta game the system yourself and think about how people will attack it BEFORE you dump it on the unsuspecting masses. You won't catch everything, but at least you will stop some of the problems before they happen.
jaysimmons
50%
50%
jaysimmons,
User Rank: Apprentice
8/26/2013 | 8:07:08 PM
re: Hack My Google Glass: Security's Next Big Worry?
With all new technology, there are always going to be security risks. With all technology its a constant battle between hackers and the security measures being put up to prevent these hackers. It has always been a back and forth, with every new security measure just proving to be temporary barriers as hackers find new ways around all measures. I'm not saying we shouldn't be taking these concerns seriously, but even if we address current security concerns, there will be more to come.

Jay Simmons
Information Week Contributor
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
8/26/2013 | 7:36:47 PM
re: Hack My Google Glass: Security's Next Big Worry?
I'd worry about device theft before malicious QR codes.
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
8/26/2013 | 1:48:28 PM
re: Hack My Google Glass: Security's Next Big Worry?
If mobile devices are going to make autonomous decisions about what network to connect to, first we've got to teach them to be paranoid.
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20735
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
CVE-2019-0624
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
CVE-2019-0646
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
CVE-2019-0647
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.
CVE-2018-20727
PUBLISHED: 2019-01-17
Multiple command injection vulnerabilities in NeDi before 1.7Cp3 allow authenticated users to execute code on the server side via the flt parameter to Nodes-Traffic.php, the dv parameter to Devices-Graph.php, or the tit parameter to drawmap.php.