Google

Address Google Glass vulnerabilities with these best practices

Google Glass provides interesting potential, but it can also be susceptible to vulnerabilities.

head_smatteson_glass_vulnerable.jpg
I've written about Google Glass on one or two occasions in the past but I keep coming back to it, partially because I find it a fascinating technological subject, but also because it's interesting from a sociological perspective. Google Glass seems to be a topic unevenly divided right down the middle, with people on one side who like it pretty well and people on the other side who abhor the concepts behind this wearable computer interface.

I'm returning to the topic once more to take a look at some security threats which have recently involved Google Glass.

Is it safe?

It's the job of any good system administrator to take all security vulnerabilities seriously, but privately I find a few of these threats to be less significant - not to mention realistic - than others. There are definitely very real and very scary exploits out there which must be patched against, worked around or otherwise blocked off, but others seem more like hype in a sort of "crying wolf" game (the bizarre saga of Adobe patches and the question as to how these products remain in use is a study which I think professional psychiatrists might find engaging).

You know the kind - vulnerabilities that might be able to pull off an obscure code injection "if you're running an unpatched 1.0 .NET version in conjunction with IIS 5 on a beige server with Epson printer drivers and you're wearing a purple shirt on the third Tuesday of the month after you've just had sausage and eggplant pizza with Mountain Dew."

I may sound facetious but I'm pointing out that vulnerabilities should be carefully addressed to determine if and how they might apply to your environment so you can assign a realistic level of severity and a resulting plan for action. For instance, internal test servers on segregated networks without Internet access or other hosts may be patched less frequently than public systems which are wide open to traffic from anywhere on the planet.

A significant vulnerability was discovered by Lookout Mobile Security back in July of 2013 which had the potential to threaten Google Glass devices using Quick Response (QR) codes. This is an example of a threat that constitutes a high priority which really could happen (and was reproduced in a lab).

As a background, a QR code is basically a bar code that can be scanned by a camera which then processes or executes the associated data. As stated below, the QR code in Figure A represents the link to http://en.m.wikipedia.org.

Figure A

a_smatteson_glass_vulnerable.png

At the time the vulnerability was found, Google Glass devices were set to execute QR codes when using the camera feature. This meant they could be forced to connect to a designated Wi-Fi access point or Bluetooth device (such as one owned by an unscrupulous individual) that could be used to view traffic to and from the Glass, or which could send wearers to a certain website (hint: not http://www.disney.com). Another party could actually take full control of the headset if another Android web vulnerability for the 4.0.4 OS happened to be present (Glass runs the Android OS).

The QR code vulnerability was not aimed specifically at Google Glass devices (anything which could scan a QR code then connect to something might also be at risk, which means QR codes should always be approached with caution), but these were especially susceptible due to their habit of automatically processing QR codes. A patch was released to fix this problem.

How do you patch Google Glass?

You don't; Google does it for you via updates which get downloaded and installed on a monthly basis. This could pose concern among users who want to monitor and control exactly what gets put onto their devices. This doesn't mean you should take the opposite approach and feel lackadaisical about the concept of security on a Google Glass device, nor assume Google will just find and fix any problems so you don't have to deal with them. It rarely if ever works like that in the multiverse of technology.

To return to the point, Google released a patch to correct this particular issue in update XE6 for Google Glass so that user approval now has to be granted to act upon QR codes.

But that's not all!

As is always the case with security, that wasn't quite the end of the matter but rather that particular chapter. Symantec recently reported that Google Glass is still vulnerable to a different kind of risk, again involving Wi-Fi networks. Someone could set up another Wi-Fi access point with the same name as one to which you've previously connected with Glass to trick you into connecting to it.

Sounds unlikely? Well, there is even a special access point you can buy called a "WiFi Pineapple" which can impersonate another Wi-Fi device so that when Glass checks to see if that prior network is available the WiFi Pineapple can step up and say "yes, right here!" then permit the connection to itself. WiFi Pineapple does not need to know the name of the intended network. In either of the above scenarios Glass could then be at risk for the same sort of attacks that can arise when connecting to a hostile network, such as sniffing traffic or redirection to malicious sites.

6416118.jpg

No, you didn't misunderstand the last three sentences. The advertising for WiFi Pineapple brags "This simple violation of an inherent trust is what allows the WiFi Pineapple to gain the trust of most nearby wireless devices, putting you in the perfect position. It's Man in the Middle made easy," which is why no link is provided to their product page in this article. It's crucial to be aware that even "trusted" wireless networks might not really be who they say they are.

As with the QR code problem, it's not just Google Glass that is at risk for this sort of thing – any device which connects to a wireless network can be targeted. Furthermore, it's not a quick fix since this automatic reconnection to known networks is a function many users and manufacturers desire for ease of use.

With this in mind, always be skeptical of open networks. If you've connected to a secured network with an encryption password in the past and someone sets up a nearby WiFi Pineapple (or similar device) to pretend to be that network, they won't have the password, so finding the network open when it used to be secured should trigger a red flag. You should only connect to secured networks with the same password you've been privately provided, or, if it has changed, make sure you receive the updated version from a trusted source. A scribbled sign on the door of the coffee shop stating "New Wi-Fi password is "PlsPwnMiN0W" should probably be ignored.

What other possible problems does Glass have?

Google Glass can be "rooted" to gain full access to the device and plant malicious code on it or spy on the data involved (Google even provides instructions on rooting Glass, with the warning that it will void the warranty, in order to restore it to factory defaults). This concept is especially worrisome since Glass doesn't require authentication mechanisms such as a PIN or password - data, settings and the associated Google account could be compromised (however, Google states they intend to address this before Glass becomes more widespread). If your Google Glass is misplaced or subject to theft you can still remove all data from it via your Google account – assuming, of course, it is reachable online.

Priya Viswanathan of mobiledevices.about.com stated in "Will Google Glass be Able to Guarantee Complete Security?" that Google itself has encouraged developers to "hack" the device to learn more about how it works. This means some may find methods to abuse it or target users. Viswanathan stated Google will only allow permitted apps to be deployed to Glass and will "retain complete control on Glass by constantly working to block restricted apps."

Is there some way to monitor and manage Google Glass in the enterprise?

That seems like it should be a no-brainer since device policies are now standard across the IT industry to allow administrators to set security and usage options. However, I'm not able to uncover any trace of such policies just yet. The best I could find was an app called "MyGlass" which allows you to control some Google Glass aspects from your Android device. However, this is really more of a functionality enhancement than a security program. Hopefully Google has something cooking for administrators to control Glass devices down the road.

In summary

Given these issues I recommend the following practices for Google Glass users:

  • Be wary of QR codes, especially if you're being pressured to use them such as for a contest.
  • Don't connect to open networks/only connect to trusted secured networks
  • Protect any associated smartphones (required for Glass to tether with for online access if Wi-Fi isn't available) with a PIN/password.
  • Maintain control of your Glass at all times. If it is lost and returned be prepared to erase it and start over. If it is stolen, wipe it immediately through your Google account.
  • Know what's running on your Glass and only install apps from Google.
  • Keep an eye out for upcoming security changes/improvements and get familiar with them as soon as possible.

Here's an interesting FAQ about Google Glass. It has a security section, though much of it is devoted towards the discussion as to how others are secure from your usage of the device. For the sake of balance, I'll finish with a recommendation that you check out a good read which rounds out the conversation, titled "35 Arguments against Google Glass."

About

Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.

2 comments
Gisabun
Gisabun

Wow! A Google product that has vulnerabilities.... Who would of thought!

wordmanpaul
wordmanpaul

THE Answer to that vulnerability

You mentioned: "....vulnerabilities that might be able to pull off an obscure code injection "if you're running an unpatched 1.0 .NET version in conjunction with IIS 5 on a beige server with Epson printer drivers and you're wearing a purple shirt on the third Tuesday of the month after you've just had sausage and eggplant pizza with Mountain Dew."

--- Answer: NEVER buy Mountain Dew.

Editor's Picks