Vulnerabilities / Threats

8/23/2013
10:19 AM

Hack My Google Glass: Security's Next Big Worry?

Wearable computing devices must strike a difficult balance between security and convenience. A recent episode involving Google Glass and malicious QR codes raises questions.

Are wearable computing devices the new big security threat?

That's one question lingering after Lookout Security last month detailed an insidious hack attack against Google Glass: Just by getting Glass to "see" a malicious QR code, an attacker could force a connection to a malicious Wi-Fi network or Bluetooth device, then eavesdrop on all communications. Admittedly, the attack wouldn't have triggered a countdown to global doom, but it did highlight the automated, promiscuous network-connecting habits of mobile devices, Glass included.

Therein lies a problem with wearable computing devices: They lack either physical or virtual keyboards, and thus require a relatively greater degree of automation than your average Android device or iPhone. With that automation, however, comes the risk that the device may automatically do something bad, from either an information security or privacy perspective.


In some respects, this is a good problem for the wearable computing field to have. For years, it was hobbled by awkward input mechanisms -- corded keyboards, joysticks, trackballs. But in this age of small, high-speed processors, voice recognition and relatively ubiquitous Internet connectivity, the release of Google Glass inaugurated people literally being able to tell their glasses what to do.

Unfortunately, as the Glass QR vulnerability -- patched by Google in June -- illustrates, wearable computing still faces some tricky security and privacy questions. Furthermore, useful solutions to these problems may not yet be on hand.

One problem is user authentication. For starters, unlike a smartphone, Google Glass doesn't offer access restrictions based on passwords or a PIN. That means a thief could easily access any Google account tied to a stolen device, warns InformationWeek columnist Jerry Irvine, who's a member of the National Cyber Security Task Force. Cue the need for restricting what these "bring your own" (BYOD) devices can do, and when. "If an organization doesn't have a BYOD strategy, the emergence of Glass can be a compelling argument to get one in place," said Irvine, who's also the CIO of Prescient Solutions.

Security managers will have many more options when such devices get rolled out by the IT department and tied to being used in specific environments. For example, Duncan Stewart, a research director at Deloitte, told the BBC that wearable computers could be especially useful for workers in environments that don't currently allow for smartphone use. "Someone driving a forklift in a warehouse can't use a PC or smartphone because they will crash into someone," Stewart said. "But imagine if they can drive around and be able to pinpoint a pallet and then the particular box they need on that pallet."

There are numerous security risks that could be blocked outright in that scenario. "There's a difference between a general use computer and a specialty use computer," Bob Rosenberg, CTO of startup facilities management service BluQRux, said in a phone interview. The latter, notably, can be heavily locked down, for example to only allow a white list of approved apps to be installed, and to block access to any website except for a preapproved list.
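As an added illustration of the automation risk and the allowlist approach described above (not code from the article, Lookout or Google): a policy gate that treats every scanned QR payload as untrusted input and never applies it silently. It assumes the widely used `WIFI:` QR payload convention, since the article does not say what format Glass accepted; the SSID and host names are constructed.

```python
from urllib.parse import urlsplit

# Constructed policy values (assumptions, not from the article).
APPROVED_SSIDS = {"corp-warehouse"}
APPROVED_HOSTS = {"inventory.example.com"}

def parse_wifi_payload(payload):
    """Parse 'WIFI:T:WPA;S:name;P:secret;;' into a dict of fields.
    A backslash escapes the next character, so ';' can appear in values."""
    fields, key, buf, in_value, i = {}, "", [], False, len("WIFI:")
    while i < len(payload):
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):
            buf.append(payload[i + 1])
            i += 2
            continue
        if ch == ":" and not in_value:
            key, buf, in_value = "".join(buf), [], True
        elif ch == ";":
            if in_value:
                fields[key] = "".join(buf)
            key, buf, in_value = "", [], False
        else:
            buf.append(ch)
        i += 1
    return fields

def decide(payload):
    """Return (action, reason). A scan alone never changes device state:
    the best outcome is 'confirm', which still needs an explicit user action."""
    if payload.upper().startswith("WIFI:"):
        cfg = parse_wifi_payload(payload)
        ssid = cfg.get("S", "")
        if ssid not in APPROVED_SSIDS:
            return ("block", f"SSID {ssid!r} is not on the allowlist")
        if cfg.get("T", "nopass").lower() == "nopass":
            return ("block", "open (unencrypted) network")
        return ("confirm", f"join approved SSID {ssid!r}?")
    try:
        parts = urlsplit(payload)
    except ValueError:
        return ("block", "unparseable payload")
    if parts.scheme == "https" and parts.hostname in APPROVED_HOSTS:
        return ("confirm", f"open {parts.hostname}?")
    return ("block", "payload type or host is not approved")

if __name__ == "__main__":
    for sample in ("WIFI:T:WPA;S:free-airport-wifi;P:x;;",   # constructed
                   "https://inventory.example.com@evil.test/"):
        print(sample, "->", decide(sample))
```

An SSID match is not proof of a network's identity, because names can be copied, which is why an allowlisted SSID still yields "confirm" rather than a silent join.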

Comments
jackdon
User Rank: Apprentice
8/16/2014 | 4:51:35 AM
re: Hack My Google Glass: Security's Next Big Worry?
Most of the time I don't make comments on but I'd like to say that this article really forced me to do so. Really nice post! six sigma green belt certification
benjimurphy
User Rank: Apprentice
9/12/2013 | 2:22:00 PM
re: Hack My Google Glass: Security's Next Big Worry?
I think that wearable tech will be the future of mobile devices. Maybe it will take 5-10 years, but the technology of size and power are moving in that direction. It still won't change the basic issues currently challenging BYOD and enterprise communication, but I bet these wearables will still need data protection and will have some form of text messaging which will still need security apps like Tigertext to protect and secure that data in case the wearable device is left in the gym locker room or taken from the user.
moarsauce123
User Rank: Ninja
8/28/2013 | 11:24:18 AM
re: Hack My Google Glass: Security's Next Big Worry?
I don't think this issue has anything to do with glass, it is about as secure as any other not well thought out computing device. The real issue in this example is the QR code. It is easier to use than typing in a URL, but anyone who uses a QR code blindly trusts some dots in a pattern. With a URL there is a reasonably good chance to see if that URL matches the expected resource.
QR codes are big, they are ugly, and they are dangerous. Don't use them and don't put them anywhere. It is, same as glass, another device that was not well thought out. Especially not from a security perspective.
UberGoober
User Rank: Apprentice
8/27/2013 | 7:08:31 PM
re: Hack My Google Glass: Security's Next Big Worry?
Technologists are too often like lawmakers: "Ooooh, look, I've got this world-changing idea. Let's do it! NOW!!!"

Seldom much of a thought of the downsides. You've gotta game the system yourself and think about how people will attack it BEFORE you dump it on the unsuspecting masses. You won't catch everything, but at least you will stop some of the problems before they happen.
jaysimmons
User Rank: Apprentice
8/26/2013 | 8:07:08 PM
re: Hack My Google Glass: Security's Next Big Worry?
With all new technology, there are always going to be security risks. With all technology it's a constant battle between hackers and the security measures being put up to prevent these hackers. It has always been a back and forth, with every new security measure just proving to be temporary barriers as hackers find new ways around all measures. I'm not saying we shouldn't be taking these concerns seriously, but even if we address current security concerns, there will be more to come.

Jay Simmons
Information Week Contributor
Thomas Claburn
User Rank: Ninja
8/26/2013 | 7:36:47 PM
re: Hack My Google Glass: Security's Next Big Worry?
I'd worry about device theft before malicious QR codes.
David F. Carr
User Rank: Apprentice
8/26/2013 | 1:48:28 PM
re: Hack My Google Glass: Security's Next Big Worry?
If mobile devices are going to make autonomous decisions about what network to connect to, first we've got to teach them to be paranoid.