Vulnerabilities / Threats
8/23/2013
10:19 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Hack My Google Glass: Security's Next Big Worry?

Wearable computing devices must strike a difficult balance between security and convenience. A recent episode involving Google Glass and malicious QR codes raises questions.

That could eliminate the threat of users being tricked into going to malicious sites, which is a risk facing users of any computing device. "Social engineering will generally be the best way to convince people to give you passwords and money, and there's only so much technology you can put in to stop that," said Rosenberg. Then again, if attackers did begin targeting Glass users en masse with malicious QR codes, it's likely that security firms would advance new types of defenses. "If this starts being an issue, you'd start seeing blacklists in the QR readers themselves," he said.

When it comes to the ongoing challenge posed by QR codes -- attackers may link one to multiple redirects, before ending in a malicious site -- user interface changes could help better secure users. On this front, Rosenberg lauds the Windows Phone 7 interface, which offers built-in QR code scanning -- also of multiple codes at once -- then provides information related to each. "It puts a box around the QR code and shows where it goes," said Rosenberg, who earned a PhD in wearable computing in 1998 and has worked as a mobile user experience designer at Symbian and Nokia. "So if you've got six QR codes it will put six boxes and six explanations of where they go." That means a user, even in a hands-free environment, will be better informed about whether they should browse to the URL on offer.

As that suggests, many of the security problems dogging wearable computers could be fixed with user interface improvements, and by bringing BYOD polices to bear. But voice-activated wearable computing devices still remain at risk from eavesdropping. "Some things are okay, such as 'yes,' 'no,' 'do that,'" Rosenberg said. But too much of those types of voice inputs also raise the question of inappropriate social behavior, with people "bothered by you constantly piping up with random things."

On the upside, information displayed by Google Glass to a user is quite secure, unlike -- for example -- that government employee who's sitting in the airplane row ahead of you with the font size on his BlackBerry cranked up, and the screen inadvertently angled into your field of vision.

But there's a remaining, fundamental problem posed by wearable computers such as Google Glass, which automatically offload much of their processing to the cloud. "If it's recognizing the face of everyone you see, that's being uploaded, because the device isn't doing that locally," said Rosenberg. "So there are huge privacy issues."

Indeed, what's to stop the National Security Agency from automatically recording the identity of everyone that a Google Glass user sees? As always, with wearable computing automation and convenience come at least some security and privacy tradeoffs.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
benjimurphy
50%
50%
benjimurphy,
User Rank: Apprentice
9/12/2013 | 2:22:00 PM
re: Hack My Google Glass: Security's Next Big Worry?
I think that wearable tech will be the future of mobile devices. Maybe it will take 5-10 years, but the technology of size and power are moving in that direction. It still won't change the basic issues currently challenging BYOD and enterprise communication, but I bet these wearable will still need data protection and will have some form of text messaging which will still need security apps like Tigertext to protect and secure that data incase the wearable device is left in the gym locker room or taken from the user.
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
8/28/2013 | 11:24:18 AM
re: Hack My Google Glass: Security's Next Big Worry?
I don't think this issue has anything to do with glass, it is about as secure as any other not well thought out computing device. The real issue in this example is the QR code. It is easier to use than typing in a URL, but anyone who uses a QR code blindly trusts some dots in a pattern. With a URL there is a reasonably good chance to see if that URL matches the expected resource.
QR codes are big, they are ugly, and they are dangerous. Don't use them and don't put them anywhere. It is, same as glass, another devices that was not well thought out. Especially not from a security perspective.
UberGoober
50%
50%
UberGoober,
User Rank: Apprentice
8/27/2013 | 7:08:31 PM
re: Hack My Google Glass: Security's Next Big Worry?
Technologists are too often like lawmakers: "Ooooh, look, I've got this world-changing idea. Lets do it! NOW!!!"

Seldom much of a though of the downsides. You've gotta game the system yourself and think about how people will attack it BEFORE you dump it on the unsuspecting masses. You won't catch everything, but at least you will stop some of the problems before they happen.
jaysimmons
50%
50%
jaysimmons,
User Rank: Apprentice
8/26/2013 | 8:07:08 PM
re: Hack My Google Glass: Security's Next Big Worry?
With all new technology, there are always going to be security risks. With all technology its a constant battle between hackers and the security measures being put up to prevent these hackers. It has always been a back and forth, with every new security measure just proving to be temporary barriers as hackers find new ways around all measures. I'm not saying we shouldn't be taking these concerns seriously, but even if we address current security concerns, there will be more to come.

Jay Simmons
Information Week Contributor
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Strategist
8/26/2013 | 7:36:47 PM
re: Hack My Google Glass: Security's Next Big Worry?
I'd worry about device theft before malicious QR codes.
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
8/26/2013 | 1:48:28 PM
re: Hack My Google Glass: Security's Next Big Worry?
If mobile devices are going to make autonomous decisions about what network to connect to, first we've got to teach them to be paranoid.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0360
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

CVE-2012-1317
Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

CVE-2012-1366
Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

CVE-2012-3062
Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

CVE-2012-3918
Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web