Vulnerabilities / Threats
8/23/2013
10:19 AM
Connect Directly
RSS
E-Mail
50%
50%

Hack My Google Glass: Security's Next Big Worry?

Wearable computing devices must strike a difficult balance between security and convenience. A recent episode involving Google Glass and malicious QR codes raises questions.

That could eliminate the threat of users being tricked into going to malicious sites, which is a risk facing users of any computing device. "Social engineering will generally be the best way to convince people to give you passwords and money, and there's only so much technology you can put in to stop that," said Rosenberg. Then again, if attackers did begin targeting Glass users en masse with malicious QR codes, it's likely that security firms would advance new types of defenses. "If this starts being an issue, you'd start seeing blacklists in the QR readers themselves," he said.

When it comes to the ongoing challenge posed by QR codes -- attackers may link one to multiple redirects, before ending in a malicious site -- user interface changes could help better secure users. On this front, Rosenberg lauds the Windows Phone 7 interface, which offers built-in QR code scanning -- also of multiple codes at once -- then provides information related to each. "It puts a box around the QR code and shows where it goes," said Rosenberg, who earned a PhD in wearable computing in 1998 and has worked as a mobile user experience designer at Symbian and Nokia. "So if you've got six QR codes it will put six boxes and six explanations of where they go." That means a user, even in a hands-free environment, will be better informed about whether they should browse to the URL on offer.

As that suggests, many of the security problems dogging wearable computers could be fixed with user interface improvements, and by bringing BYOD polices to bear. But voice-activated wearable computing devices still remain at risk from eavesdropping. "Some things are okay, such as 'yes,' 'no,' 'do that,'" Rosenberg said. But too much of those types of voice inputs also raise the question of inappropriate social behavior, with people "bothered by you constantly piping up with random things."

On the upside, information displayed by Google Glass to a user is quite secure, unlike -- for example -- that government employee who's sitting in the airplane row ahead of you with the font size on his BlackBerry cranked up, and the screen inadvertently angled into your field of vision.

But there's a remaining, fundamental problem posed by wearable computers such as Google Glass, which automatically offload much of their processing to the cloud. "If it's recognizing the face of everyone you see, that's being uploaded, because the device isn't doing that locally," said Rosenberg. "So there are huge privacy issues."

Indeed, what's to stop the National Security Agency from automatically recording the identity of everyone that a Google Glass user sees? As always, with wearable computing automation and convenience come at least some security and privacy tradeoffs.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
benjimurphy
50%
50%
benjimurphy,
User Rank: Apprentice
9/12/2013 | 2:22:00 PM
re: Hack My Google Glass: Security's Next Big Worry?
I think that wearable tech will be the future of mobile devices. Maybe it will take 5-10 years, but the technology of size and power are moving in that direction. It still won't change the basic issues currently challenging BYOD and enterprise communication, but I bet these wearable will still need data protection and will have some form of text messaging which will still need security apps like Tigertext to protect and secure that data incase the wearable device is left in the gym locker room or taken from the user.
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
8/28/2013 | 11:24:18 AM
re: Hack My Google Glass: Security's Next Big Worry?
I don't think this issue has anything to do with glass, it is about as secure as any other not well thought out computing device. The real issue in this example is the QR code. It is easier to use than typing in a URL, but anyone who uses a QR code blindly trusts some dots in a pattern. With a URL there is a reasonably good chance to see if that URL matches the expected resource.
QR codes are big, they are ugly, and they are dangerous. Don't use them and don't put them anywhere. It is, same as glass, another devices that was not well thought out. Especially not from a security perspective.
UberGoober
50%
50%
UberGoober,
User Rank: Apprentice
8/27/2013 | 7:08:31 PM
re: Hack My Google Glass: Security's Next Big Worry?
Technologists are too often like lawmakers: "Ooooh, look, I've got this world-changing idea. Lets do it! NOW!!!"

Seldom much of a though of the downsides. You've gotta game the system yourself and think about how people will attack it BEFORE you dump it on the unsuspecting masses. You won't catch everything, but at least you will stop some of the problems before they happen.
jaysimmons
50%
50%
jaysimmons,
User Rank: Apprentice
8/26/2013 | 8:07:08 PM
re: Hack My Google Glass: Security's Next Big Worry?
With all new technology, there are always going to be security risks. With all technology its a constant battle between hackers and the security measures being put up to prevent these hackers. It has always been a back and forth, with every new security measure just proving to be temporary barriers as hackers find new ways around all measures. I'm not saying we shouldn't be taking these concerns seriously, but even if we address current security concerns, there will be more to come.

Jay Simmons
Information Week Contributor
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
8/26/2013 | 7:36:47 PM
re: Hack My Google Glass: Security's Next Big Worry?
I'd worry about device theft before malicious QR codes.
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
8/26/2013 | 1:48:28 PM
re: Hack My Google Glass: Security's Next Big Worry?
If mobile devices are going to make autonomous decisions about what network to connect to, first we've got to teach them to be paranoid.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0607
Published: 2014-07-24
Unrestricted file upload vulnerability in Attachmate Verastream Process Designer (VPD) before R6 SP1 Hotfix 1 allows remote attackers to execute arbitrary code by uploading and launching an executable file.

CVE-2014-1419
Published: 2014-07-24
Race condition in the power policy functions in policy-funcs in acpi-support before 0.142 allows local users to gain privileges via unspecified vectors.

CVE-2014-2360
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules allow remote attackers to execute arbitrary code via packets that report a high battery voltage.

CVE-2014-2361
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules, when BreeZ is used, do not require authentication for reading the site security key, which allows physically proximate attackers to spoof communication by obtaining this key after use of direct hardware access or manual-setup mode.

CVE-2014-2362
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules rely exclusively on a time value for entropy in key generation, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by predicting the time of project creation.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.