0 Members and 1 Guest are viewing this topic.
With Glass, OCR, the technology that allows a computer to read printed text, comes of age. Every time you take a photograph, Glass looks for data it can recognize–the most obvious are QR codes, a type of barcode that can contain everything from instructions to send an SMS or browse a website to configuration information that change device settings. Google took advantage of this capability to create an easy way for a user to configure their Glass without needing a keyboard.This is where we identified a significant security problem. While it’s useful to configure your Glass QR code and easily connect to wireless networks, it’s not so great when other people can use those same QR codes to tell your Glass to connect to their WiFi Networks or their Bluetooth devices. Unfortunately, this is exactly what we found. We analyzed how to make QR codes based on configuration instructions and produced our own “malicious” QR codes. When photographed by an unsuspecting Glass user, the code forced Glass to connect silently to a “hostile” WiFi access point that we controlled. That access point in turn allowed us to spy on the connections Glass made, from web requests to images uploaded to the Cloud. Finally, it also allowed us to divert Glass to a page on the access point containing a known Android 4.0.4 web vulnerability that hacked Glass as it browsed the page.