Google fixed a vulnerability that allowed full remote access to Glass
The security research company Lookout discovered a vulnerability in Google Glass that allowed QR codes to be used to take control of the device, writes The Verge. Google has already fixed the vulnerability, which allowed Lookout to disclose the details of how the exploit worked.
Using a QR code, Lookout managed to silently connect Glass to a Wi-Fi access point, which allowed the researchers to view all data coming into and out of the device. Combined with a network vulnerability in Android 4.0.4, the exploit gave the researchers complete control over Glass. The vulnerability was rooted in how the Glass configuration process works. Since a device such as glasses lacks a keyboard and other input devices, the user takes a picture of a prepared QR code with the built-in camera, after which the new settings are applied automatically.
According to SlashGear, the fact that configuration happened automatically, without notifying the user that a QR code had been recognized and the settings changed, is what made the vulnerability exploitable. By reverse engineering Google's QR codes, it was possible to create a custom QR code that would connect the device to a Wi-Fi network of the attacker's choosing.
Using the SSLstrip tool, it was then possible to access all of Glass's network traffic, for example messages, emails and video calls. It is worth noting that this method relied on a number of factors, and it is unlikely that it could have been widely used.
However, it was possible to go even further: using the vulnerability in Android 4.0.4, Glass could be redirected to a page on the wireless access point and fully taken over, to the point of intercepting the image from the camera and seeing what the owner of the glasses sees.
Lookout researchers reported the vulnerability to Google on May 16, and on June 4 the corrected XE6 firmware was released, in which the Glass camera recognizes QR codes not automatically but only when the user requests it. According to Lookout, this was hardly the only vulnerability in Glass, but it is hoped that by the time the device reaches the market it will have been thoroughly tested by numerous developers.
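The automatic configuration described above and the XE6 change can be contrasted in a small model. This is an added example, not Glass or Lookout code: the `Headset` class and its method names are hypothetical, and the common `WIFI:S:...;T:...;P:...;;` QR text format is assumed in place of Glass's own setup-code format, which the article does not describe.

```python
import re

# Assumption: the widely used "WIFI:S:<ssid>;T:<auth>;P:<password>;;" QR text
# format stands in for Glass's own setup-code format.
_FIELD = re.compile(r'([A-Z]):((?:\\.|[^\\;])*);')

def parse_wifi_qr(payload):
    """Return {'ssid', 'auth', 'password'} or None if not a Wi-Fi setup code."""
    if not payload.startswith("WIFI:"):
        return None
    # Values may contain backslash-escaped separators such as "\;".
    fields = {k: re.sub(r'\\(.)', r'\1', v)
              for k, v in _FIELD.findall(payload[5:])}
    if not fields.get("S"):
        return None
    return {"ssid": fields["S"], "auth": fields.get("T", "nopass"),
            "password": fields.get("P", "")}

class Headset:
    """Hypothetical model of a keyboard-less device configured through QR codes."""
    def __init__(self, require_user_scan):
        self.require_user_scan = require_user_scan  # False: pre-fix, True: post-fix
        self.scan_requested = False
        self.network = None
        self.audit = []  # record of every setup code seen, for later review

    def user_requests_setup_scan(self):
        self.scan_requested = True

    def on_camera_frame(self, decoded_text):
        """Called with the text decoded from any QR code seen in a photo."""
        cfg = parse_wifi_qr(decoded_text)
        if cfg is None:
            return "ignored"
        if self.require_user_scan and not self.scan_requested:
            self.audit.append(("blocked", cfg["ssid"]))
            return "blocked"
        self.scan_requested = False  # one configuration per explicit request
        self.network = cfg["ssid"]
        self.audit.append(("applied", cfg["ssid"]))
        return "applied"

# Constructed sample payload (not taken from the article).
SAMPLE = r"WIFI:S:cafe\;guest;T:WPA;P:example-pass;;"
```

With `require_user_scan=False` any photographed setup code changes the network silently; with `True` the same frame is logged and dropped unless the user started a setup scan first.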