I’ve written about
Google Glass on one or two occasions in the past but I keep coming back to it,
partially because I find it a fascinating technological subject, but also
because it’s interesting from a sociological perspective. Google Glass seems to
be a topic unevenly divided right down the middle, with people on one side who
like it pretty well and people on the other side who abhor the concepts behind
this wearable computer interface.

I’m returning to the
topic once more to take a look at some security threats which have recently
involved Google Glass.

Is it safe?

It’s the job of any good
system administrator to take all security vulnerabilities seriously, but
privately I find a few of these threats to be less significant – not to mention
realistic – than others. There are definitely very real and very scary exploits
out there which must be patched against, worked around or otherwise blocked
off, but others seem more like hype in a sort of “crying wolf” game
(the bizarre saga of Adobe patches and the question as to how these products
remain in use is a study which I think professional psychiatrists might find
engaging).

You know the kind –
vulnerabilities that might be able
to pull off an obscure code injection “if you’re running an unpatched 1.0
.NET version in conjunction with IIS 5 on a beige server with Epson printer
drivers and you’re wearing a purple shirt on the third Tuesday of the month
after you’ve just had sausage and eggplant pizza with Mountain Dew.”

I may sound facetious
but I’m pointing out that vulnerabilities should be carefully addressed to
determine if and how they might apply to your environment so you can assign a
realistic level of severity and a resulting plan for action. For instance,
internal test servers on segregated networks without Internet access or other
hosts may be patched less frequently than public systems which are wide open to
traffic from anywhere on the planet.

A significant vulnerability
was discovered by Lookout Mobile Security back in July of 2013 which had the potential to threaten
Google Glass devices using Quick Response (QR) codes. This is an example of a
threat that constitutes a high priority which really could happen (and was
reproduced in a lab).

As background, a QR
code is basically a bar code that can be scanned by a camera, which then
processes or executes the associated data. The QR code in Figure A represents
the link to http://en.m.wikipedia.org.

Figure A

At the time the
vulnerability was found, Google Glass devices were set to execute QR codes when
using the camera feature. This meant they could be forced to connect to a
designated Wi-Fi access point or Bluetooth device (such as one owned by an
unscrupulous individual) that could be used to view traffic to and from the Glass,
or which could send wearers to a certain website (hint: not http://www.disney.com). Another party could actually take full control of
the headset if another Android web vulnerability for the 4.0.4 OS happened to
be present (Glass runs the Android OS).

The QR code vulnerability
was not aimed specifically at Google Glass devices (anything which could scan a
QR code then connect to something might also be at risk, which means QR codes
should always be approached with caution), but these were especially
susceptible due to their habit of automatically processing QR codes. A patch
was released to fix this problem.

How do you patch Google Glass?

You don’t; Google does
it for you via updates which get downloaded and installed on a monthly basis. This
could pose concern among users who want to monitor and control exactly what
gets put onto their devices. This doesn’t mean you should take the opposite
approach and feel lackadaisical about the concept of security on a Google Glass
device, nor assume Google will just find and fix any problems so you don’t have
to deal with them. It rarely if ever works like that in the multiverse of
technology.

To return to the point, Google
released a patch to correct this particular issue in update XE6 for Google
Glass so that user approval now has to be granted to act upon QR codes.

But that’s not all!

As is always the case
with security, that wasn’t quite the end of the matter but rather the end of
that particular chapter. Symantec recently reported that Google Glass is still
vulnerable to a different kind of risk, again
involving Wi-Fi networks. Someone could set up another Wi-Fi access point with
the same name as one to which you’ve previously connected with Glass to trick
you into connecting to it.

Sounds unlikely? Well, there
is even a special access point you can buy called a “WiFi Pineapple”
which can impersonate another Wi-Fi device so that when Glass checks to see if
that prior network is available the WiFi Pineapple can step up and say “yes,
right here!” then permit the connection to itself. WiFi Pineapple does not
need to know the name of the intended network. In either of the above scenarios
Glass could then be at risk for the same sort of attacks that can arise when
connecting to a hostile network, such as sniffing traffic or redirection to
malicious sites.

No, you didn’t
misunderstand the last three sentences. The advertising for WiFi Pineapple brags
“This simple violation of an inherent trust is what allows the WiFi
Pineapple to gain the trust of most nearby wireless devices, putting you in the
perfect position. It’s Man in the Middle made easy,” which is why no link
is provided to their product page in this article. It’s crucial to be aware
that even “trusted” wireless networks might not really be who they
say they are.

As with the QR code
problem, it’s not just Google Glass that is at risk for this sort of thing –
any device which connects to a wireless network can be targeted. Furthermore,
it’s not a quick fix since this automatic reconnection to known networks is a
function many users and manufacturers desire for ease of use.

With this in mind,
always be skeptical of open networks. If you’ve connected to a secured network
with an encryption password in the past and someone sets up a nearby WiFi
Pineapple (or similar device) to pretend to be that network, they won’t have
the password, so finding the network open when it used to be secured should
trigger a red flag. You should only connect to secured networks with the same
password you’ve been privately provided, or, if it has changed, make sure you
receive the updated version from a trusted source. A scribbled sign on the door
of the coffee shop stating “New Wi-Fi password is ‘PlsPwnMiN0W’”
should probably be ignored.
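
The red flag described above (a network you joined with a password now showing up open) can be checked mechanically. The following is an added example, not code from the original article or from Google; the `Beacon` type, the security labels and the sample scan data are constructed for illustration.

```python
from dataclasses import dataclass

# Weakest to strongest; these labels are this example's own (assumption).
RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3}


@dataclass(frozen=True)
class Beacon:
    """One network seen in a Wi-Fi scan (hypothetical structure)."""
    ssid: str
    bssid: str
    security: str


def assess(saved, beacon):
    """Compare a scanned network with the saved profiles.

    saved maps SSID -> security mode in use when the device last joined it.
    Returns (verdict, reason); verdict is 'join', 'ask' or 'block'.
    """
    if beacon.ssid not in saved:
        return "ask", "never joined before"
    was = saved[beacon.ssid].lower()
    now = beacon.security.lower()
    # Unrecognised labels are treated as open, the most cautious reading.
    if RANK.get(now, 0) < RANK.get(was, 0):
        return "block", f"saved as {was}, now advertised as {now}"
    if RANK.get(was, 0) == 0:
        return "ask", "saved profile is open, so the name proves nothing"
    return "join", "security not weaker than saved; saved password must still work"


def assess_scan(saved, scan):
    """Assess every beacon in a scan, keyed by (ssid, bssid)."""
    return {(b.ssid, b.bssid): assess(saved, b) for b in scan}


# Constructed sample data: saved profiles and one scan result set.
SAVED = {"CorpNet": "wpa2", "CoffeeShop": "wpa2", "AirportFree": "open"}
SCAN = [
    Beacon("CorpNet", "02:00:00:00:00:01", "wpa2"),
    Beacon("CoffeeShop", "02:00:00:00:00:02", "open"),   # downgraded copy
    Beacon("AirportFree", "02:00:00:00:00:03", "open"),
    Beacon("NewPlace", "02:00:00:00:00:04", "wpa2"),
]

if __name__ == "__main__":
    for (ssid, bssid), (verdict, reason) in assess_scan(SAVED, SCAN).items():
        print(f"{ssid:12} {bssid}  {verdict:5}  {reason}")
```

A "join" verdict only means the impersonator would still need the saved password; it is not proof that the access point is genuine.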

What other possible problems does Glass have?

Google Glass can be “rooted”
to gain full access to the device and plant malicious code on it or spy on the
data involved (Google even provides instructions on rooting Glass, with the
warning that it will void the warranty, in order to restore it to factory defaults).
This concept is especially worrisome since Glass doesn’t require authentication
mechanisms such as a PIN or password – data, settings and the associated Google
account could be compromised (however, Google states they intend to address
this before Glass becomes more widespread). If your Google Glass is misplaced
or subject to theft you can still remove all data from it via your Google
account – assuming, of course, it is reachable online.

Priya Viswanathan of
mobiledevices.about.com stated in “Will Google Glass be Able to Guarantee
Complete Security?” that Google itself has encouraged developers
to “hack” the device to learn more about how it works. This means
some may find methods to abuse it or target users. Viswanathan stated Google
will only allow permitted apps to be deployed to Glass and will “retain
complete control on Glass by constantly working to block restricted apps.”

Is there some way to monitor and manage Google Glass in the enterprise?

That seems like it
should be a no-brainer since device policies are now standard across the IT
industry to allow administrators to set security and usage options. However, I’m
not able to uncover any trace of such policies just yet. The best I could find
was an app called “MyGlass” which
allows you to control some Google Glass aspects from your Android device.
However, this is really more of a functionality
enhancement than a security program. Hopefully Google has something cooking for
administrators to control Glass devices down the road.

In summary

Given these issues I
recommend the following practices for Google Glass users:

  • Be wary of QR codes, especially if you’re being pressured to
    use them such as for a contest.
  • Don’t connect to open networks/only connect to trusted
    secured networks.
  • Protect any associated smartphones (required for Glass to
    tether with for online access if Wi-Fi isn’t available) with a
    PIN/password.
  • Maintain control of your Glass at all times. If it is lost
    and returned be prepared to erase it and start over. If it is stolen, wipe
    it immediately through your Google account.
  • Know what’s running on your Glass and only install apps from
    Google.
  • Keep an eye out for upcoming security changes/improvements
    and get familiar with them as soon as possible.

Here’s an interesting FAQ about Google Glass. It has a security section,
though much of it is devoted towards the discussion as to how others are secure
from your usage of the device. For
the sake of balance, I’ll finish with a recommendation that you check out a
good read which rounds out the conversation, titled “35 Arguments
against Google Glass.”