Researchers at Lookout Security recently found a vulnerability in Google Glass that would allow a third party to take control of the device via a simple QR code. Although it has since been reported and fixed in a software update on June 4, the company is now sharing the details with the world, noting the importance of a higher standard when it comes to security as we continue to make connected devices part of our lives.
According to the company, because Glass doesn’t have a keyboard, it relies on voice commands and its camera as input methods. QR codes have been used by Google Glass for things like changing device settings but apparently the feature was left open to run all sorts of commands in the background.
Using a specially crafted QR code, Lookout says they were able to silently connect to a ‘hostile’ Wi-Fi access point, allowing them to spy on web requests and uploaded images. They were also able to divert Glass to a page on the access point containing a known Android 4.0.4 web vulnerability and gain control of the device.
Based on its recommendation, Google now limits QR code execution to points where the user has solicited it, according to Lookout. Overall, the security firm was satisfied with Google’s quick response. For its part, while not directly referring to the flaw, Google noted that Glass is currently in limited testing and the idea behind this is to discover how people use the technology and address any vulnerabilities before a commercial launch.