July 25, 2013
QualiTest discusses Google Glass and the challenges of security testing with this new technology.
Since Google announced its highly publicized new technology, Glass, the testing industry has been eager to see what new challenges the world of wearable computers would bring to us. The team responsible for making sure that Glass works to the best of its abilities will have to be incredibly innovative in all aspects of their mobile testing process, from functionality to user acceptance testing. However, surely the most pivotal aspect will be security testing; as Google found out recently, even with only small sample batches of Glass in circulation, security is a clear concern. A bug was recently discovered that put user information at risk: simply scanning a bad QR code, one maliciously designed for the purpose, could give hackers access to the entire device.
It is painfully clear why fixing this bug was vital to the security of Glass users. The human eye can’t judge the veracity of a QR code, which can only be properly read by devices that photograph it and convert the image into data; this means it’s easy for users to fall prey to malicious codes, giving hackers access to our devices. Eric Limer of Gizmodo put this into perspective when he said, “it’s wild to think just looking at the wrong thing could compromise your whole digital life.” Lookout Security brought this bug to Google’s attention, having found that they could hack into the devices via QR codes that automatically connected them to Wi-Fi networks. From their blog:
We analyzed how to make QR codes based on configuration instructions and produced our own “malicious” QR codes. When photographed by an unsuspecting Glass user, the code forced Glass to connect silently to a “hostile” WiFi access point that we controlled. That access point in turn allowed us to spy on the connections Glass made, from web requests to images uploaded to the Cloud. Finally, it also allowed us to divert Glass to a page on the access point containing a known Android 4.0.4 web vulnerability that hacked Glass as it browsed the page.
This bug was reported to Google in mid-May, and a patch fixing it was devised within two weeks. The speed of the response, on top of the low level of circulation Glass currently enjoys, means that this particular threat was not especially dangerous. However, it certainly foreshadows the types of attack that security testers will need to be wary of when these products are more widely used.
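As an added example (not code from this post, from Lookout or from Google), here is a sketch of the kind of gate security testers would expect in front of configuration QR codes, so that a Wi-Fi payload seen in an ordinary photo is never applied silently. It assumes the common "WIFI:" QR text format, which the post does not say Glass used; the function names and sample payloads are constructed for illustration.

```python
import re

# Assumption: settings arrive in the common "WIFI:" QR text format
# (T=auth type, S=SSID, P=password, H=hidden); the post does not name Glass's format.
_FIELD = re.compile(r"([A-Z]):((?:\\.|[^\\;])*);")

def parse_wifi_qr(payload):
    """Return the fields of a WIFI: configuration payload, or None for anything else."""
    if not payload.startswith("WIFI:"):
        return None
    fields = {}
    for key, raw in _FIELD.findall(payload[5:]):
        fields[key] = re.sub(r"\\(.)", r"\1", raw)  # undo backslash escapes
    return fields if "S" in fields else None

def decide(payload, user_started_scan, known_ssids):
    """Hypothetical policy gate: returns (action, reasons) for a decoded QR payload."""
    cfg = parse_wifi_qr(payload)
    if cfg is None:
        return ("display_only", ["not a configuration payload"])
    if not user_started_scan:
        # The failure mode in the post: configuration applied from an ordinary photo.
        return ("ignore", ["configuration QR seen outside a user-initiated setup scan"])
    reasons = []
    if cfg.get("T", "nopass").lower() in ("", "nopass"):
        reasons.append("open network: no link-layer encryption")
    if cfg["S"] not in known_ssids:
        reasons.append("SSID not previously joined")
    if cfg.get("H", "").lower() == "true":
        reasons.append("hidden network")
    return ("ask_user", reasons)  # never joined without confirmation

if __name__ == "__main__":
    known = {"HomeNet"}
    samples = [  # constructed payloads, not taken from the post
        ("https://example.com/menu", False),
        ("WIFI:T:nopass;S:FreeAirport;;", False),
        ("WIFI:T:nopass;S:FreeAirport;;", True),
        ("WIFI:T:WPA;S:HomeNet;P:example-pass;;", True),
    ]
    for text, started in samples:
        print(text, started, decide(text, started, known))
```

A test plan for a camera-driven device can reuse the same cases: every configuration payload presented outside a setup scan must produce no network change.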
Privacy problems are the main concern in relation to wearable computers like Glass; however, they apply not only to users of Glass but to the people around them as well. There is a fine line regarding the privacy of the everyday citizen in this case; a bystander could be photographed or recorded by anyone around them without any sign as obvious as holding up a camera or phone. It’s difficult to accuse or call out people who may be doing this, so it could prove difficult to catch or prosecute them. Similarly, it may be possible that one day hackers could use Glass themselves to hack into other people’s devices. A future where the wrong person glancing at your phone could sacrifice your data security and deliver all of your personal information into the hands of a malicious hacker definitely sounds like something out of a sci-fi novel, but theoretically this technology could someday exist. Another concern for when this technology becomes more common will be government restrictions, which will continue the famous debate of the Information Age: privacy vs. censorship. However, this opens up a whole can of worms – especially considering social activism and “Little Brother” surveillance, where the average person polices the behavior of law enforcement officials – which, while interesting, does not necessarily have much to do with security testing.
Undeniably, the future holds many intriguing possibilities for wearable tech such as Google Glass, though some are certainly more fear-inducing than others. It is lucky for those who are currently using or someday hope to use these devices that companies such as Lookout exist to find security bugs before they have time to negatively affect the user experience.