Google Glass, the wearable computer being developed by the search giant,
might be a threat to its owners’ privacy because it has no PIN or
authentication system, hackers have discovered.
Jay Freeman, a Santa Barbara-based programmer who specialises in
cracking smartphone security for both iPhone and Android devices,
discovered that Glass has a “root” capability which can be enabled by
attaching it to a desktop computer and running some commands.
That would then give a hacker the ability to take control of the Glass’s
output — meaning a hacker could monitor everything the owner was doing
from a smartphone in their pocket.
“Once the attacker has root on your Glass, they have much more power
than if they had access to your phone or even your computer: they have
control over a camera and a microphone that are attached to your head,”
explains Mr. Freeman in a blogpost.
“A bugged Glass doesn’t just watch your every move: it watches
everything you are looking at (intentionally or furtively) and hears
everything you do. The only thing it doesn’t know are your thoughts.” He
points out that “it knows all your passwords, for example, as it can
watch you type them. It even manages to monitor your usage of otherwise
safe, old-fashioned technology: it watches you enter door codes, it
takes pictures of your keys, and it records what you write using a pen
and paper. Nothing is safe once your Glass has been hacked.” Even if the
device shows a red light to show others when its video camera is on, a
user probably wouldn’t notice it — because the light would be facing
away from them.
Mr. Freeman reckons that about 10 minutes would be enough for a hacker
to install a “rooted” version of the software that Glass ships with.
“Sadly, due to the way Glass is currently designed, it is particularly
susceptible to the kinds of security issues that tend to plague Android
devices,” he writes.
“The one saving grace of Android’s track record on security is that most
of the bugs people find in it cannot be exploited while the device is
PIN-code locked. Google’s Glass, however, does not have any kind of PIN
mechanism: when you turn it on, it is immediately usable.” Mr. Freeman
got hold of one of the demonstration units of Glass, and quickly found
that there is a “Debug Mode” which lets it connect to computers over a
USB connection. That in turn lets anyone who has access to the device to
install their own software if they use certain technical tricks.
He recommends that Glass should have a protection system that functions
when it is taken off by the owner, such as a biometric — either using
patterns in the iris or voice — or a PIN.
And for the privacy concerns, both that users have expressed and that
Freeman has now opened up, he suggests there would at least be a simple
one over worries about the camera: a plastic shield that could slide
over the camera. “This makes it clear that ‘I’m not recording right
now’,” he suggests.