13 May 2013

Hackers find hole in Google Glass security

Charles Arthur

 Google Glass, the wearable computer being developed by the search giant, might be a threat to its owners’ privacy because it has no PIN or authentication system, hackers have discovered. 

Jay Freeman, a Santa Barbara-based programmer who specialises in cracking smartphone security for both iPhone and Android devices, discovered that Glass has a “root” capability which can be enabled by attaching it to a desktop computer and running some commands. 

 
That would then give a hacker the ability to take control of the Glass’s output — meaning a hacker could monitor everything the owner was doing from a smartphone in their pocket. 

“Once the attacker has root on your Glass, they have much more power than if they had access to your phone or even your computer: they have control over a camera and a microphone that are attached to your head,” explains Mr. Freeman in a blogpost. 

“A bugged Glass doesn’t just watch your every move: it watches everything you are looking at (intentionally or furtively) and hears everything you do. The only thing it doesn’t know are your thoughts.” He points out that “it knows all your passwords, for example, as it can watch you type them. It even manages to monitor your usage of otherwise safe, old-fashioned technology: it watches you enter door codes, it takes pictures of your keys, and it records what you write using a pen and paper. Nothing is safe once your Glass has been hacked.” Even if the device shows a red light to show others when its video camera is on, a user probably wouldn’t notice it — because the light would be facing away from them. 

Mr. Freeman reckons that about 10 minutes would be enough for a hacker to install a “rooted” version of the software that Glass ships with. “Sadly, due to the way Glass is currently designed, it is particularly susceptible to the kinds of security issues that tend to plague Android devices,” he writes. 

“The one saving grace of Android’s track record on security is that most of the bugs people find in it cannot be exploited while the device is PIN-code locked. Google’s Glass, however, does not have any kind of PIN mechanism: when you turn it on, it is immediately usable.” Mr. Freeman got hold of one of the demonstration units of Glass, and quickly found that there is a “Debug Mode” which lets it connect to computers over a USB connection. That in turn lets anyone who has access to the device to install their own software if they use certain technical tricks. 

He recommends that Glass should have a protection system that functions when it is taken off by the owner, such as a biometric — either using patterns in the iris or voice — or a PIN. 

And for the privacy concerns, both that users have expressed and that Freeman has now opened up, he suggests there would at least be a simple one over worries about the camera: a plastic shield that could slide over the camera. “This makes it clear that ‘I’m not recording right now’,” he suggests.