July 18, 2013
Online security firm Lookout says the vulnerability — which it discovered in May and Google has since patched — handed hackers the ability to take control of Glass.
“While it’s useful to configure your Glass QR code and easily connect to wireless networks, it’s not so great when other people can use those same QR codes to tell your Glass to connect to their Wi-Fi Networks or their Bluetooth devices,” reads a July 17 blog post by Lookout’s Marc Rogers. “Unfortunately, this is exactly what we found.”
Rogers said the firm discovered how to make QR codes “based on configuration instructions” and then created its own malicious codes.
If a Glass user were to take a picture of the code, the device would silently connect to a “hostile Wi-Fi access point” controlled by Lookout.
“That access point in turn allowed us to spy on the connections Glass made, from Web requests to images uploaded to the Cloud,” Rogers said. “Finally, it also allowed us to divert Glass to a page on the access point containing a known Android 4.0.4 Web vulnerability that hacked Glass as it browsed the page.”