Now you can be the NSA: Snoop on a Google Glass hipster with a QR code

A security flaw discovered in Google Glass ultimately allowed miscreants to eavesdrop on the wearer's wireless internet connection - using just a QR code. Mobile security firm Lookout discovered that the techno goggles automatically processed QR codes present anywhere in photographs captured by the built-in camera. The …

COMMENTS

This topic is closed for new posts.
  1. Gordon 10

    Am I the only one

    Who thinks this exploit would be more fun if used to subtly compromise the AR view through the glasses and turn fugly people pretty, milk into beer etc etc.

    1. Anonymous Coward

      Re: Am I the only one

      Given the level of "cleverness" (almost non-existent), I would expect the sort of carbon unit that would do that to map everything to an image formerly hosted on a certain Christmas Island domain, unlamentedly now defunct.

    2. John 137

      Re: Am I the only one

      All together now, one more time: Glasses do not make an "AR view". They do not fully superimpose over your entire vision. You get a screen in the upper-right portion of your visual field, where the display device sits. It is not physically capable of changing the things you see around you; it could only display a modified version in one small portion of your vision.

      1. Tom Maddox Silver badge
        Stop

        Re: Am I the only one

        All together now, one more time: Glasses do not make an "AR view". They do not fully superimpose over your entire vision. You get a screen in the upper-right portion of your visual field, where the display device sits. It is not physically capable of changing the things you see around you; it could only display a modified version in one small portion of your vision.

        This is true now, but it may not always be so.

  2. Anonymous Coward

    Fact follows fiction....

    In several SciFi stories, a robot or android gets "pwn3d" simply by looking at some picture, or listening to some sound. I always said to myself "who in their right mind would design a system that would treat untrusted input from the environment as executable instructions?"

    1. Adam T

      Re: Fact follows fiction....

      Miranda

      1. Sir Runcible Spoon
        Joke

        Re: Fact follows fiction....

        rad-nay-decorum-ish...or something

      2. Anonymous Coward

        Re: Fact follows fiction....

        It was the fruity oaty bars commercial that contained the trigger image.

    2. Ian 55
      WTF?

      Re: Fact follows fiction....

      I remember thinking that people who thought that looking at a picture on their PC could lead to being infected by a virus...

      .. but Microsoft managed to make that possible.

      1. Michael Wojcik Silver badge

        Re: Fact follows fiction....

        I remember thinking that people who thought that looking at a picture on their PC could lead to being infected by a virus... [what?] .. but Microsoft managed to make that possible.

        Plenty of image-rendering libraries have had vulnerabilities that could be triggered by malicious input.[1] Obviously that's exacerbated when said library is executing with excessive privilege (unavoidable on platforms with no separation of privilege, and the norm on Windows systems until UAC came along), but troublesome even without it. Microsoft is hardly the only culprit.

        The simple fact of the matter is that untrustworthy input shouldn't be trusted.

        [1] Integer overflow bugs in C code were particularly common.
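
Added example, not part of the original comment thread: the integer-overflow pattern the footnote above refers to, as it typically arises when an image decoder sizes a pixel buffer from untrusted header fields, with the unchecked computation beside a checked one. The function names and the `MAX_DIM` limit are assumptions made for this illustration and are not taken from any specific library.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_DIM 16384u /* assumed policy limit for this example */

/* Unchecked: 32-bit product wraps silently, so the buffer allocated from
 * this value can be far smaller than the pixel data later written to it. */
uint32_t pixel_bytes_unchecked(uint32_t w, uint32_t h, uint32_t bpp)
{
    return w * h * bpp;
}

/* Checked: 0 and size in *out on success, -1 if the header fields are
 * implausible or the product cannot be represented in size_t. */
int pixel_bytes_checked(uint32_t w, uint32_t h, uint32_t bpp, size_t *out)
{
    if (w == 0 || h == 0 || bpp == 0 || bpp > 8) return -1;
    if (w > MAX_DIM || h > MAX_DIM) return -1;
    if ((size_t)w > SIZE_MAX / h) return -1;
    size_t pixels = (size_t)w * h;
    if (pixels > SIZE_MAX / bpp) return -1;
    *out = pixels * bpp;
    return 0;
}

/* Allocate only after the untrusted header has been validated. */
void *alloc_pixels(uint32_t w, uint32_t h, uint32_t bpp)
{
    size_t n;
    if (pixel_bytes_checked(w, h, bpp, &n) != 0) return NULL;
    return calloc(1, n);
}

int main(void)
{
    /* Constructed header values: 65536 x 65536 at 4 bytes per pixel. */
    uint32_t w = 0x10000, h = 0x10000, bpp = 4;
    size_t n = 0;
    printf("unchecked size: %u\n", (unsigned)pixel_bytes_unchecked(w, h, bpp));
    printf("checked result: %d\n", pixel_bytes_checked(w, h, bpp, &n));
    return 0;
}
```
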

    3. Michael Wojcik Silver badge

      Re: Fact follows fiction....

      who in their right mind would design a system that would treat untrusted input from the environment as executable instructions?

      By this criterion a large number of programmers are not in their right minds. Of course that seems entirely plausible.

      But the real problem is not so much explicitly treating untrusted input as executable - it's not handling untrusted input safely in the first place. There are far too many avenues by which malicious input can lead to arbitrary code execution, elevation of privilege, etc, even if the system doesn't treat it as executable. At least since the publication of "Smashing the Stack for Fun and Profit" (1996), if not since the Morris Worm (1988), there's been no excuse for any software developer to be ignorant of the dangers of malicious input. No excuse whatsoever.

  3. J P

    Life imitates art - anyone else ever read Snow Crash..?

    1. Richard Taylor 2
      Happy

      and used

      a few years later in the amusing 'A Quantum Murder' - Hamilton

    2. This post has been deleted by its author

    3. Michael Wojcik Silver badge

      anyone else ever read Snow Crash

      Strangely, no. According to Stephenson, you're the only person who's ever read it.

      (Of course the mimesis in Snow Crash went the other way initially - Stephenson named the novel after his term for a failure mode on the original Mac, where garbage would be written to video memory. In other words, the novel was inspired by system failure due to mishandling incorrect input, rather than the other way around. It's a problem that goes back to the earliest days of automatic computing.)

  4. hugo tyson
    Facepalm

    Langford Fractal Basilisk!

    Excellent, the Langford Fractal Basilisk for teh win! Also used in "The Cassini Division"....

  5. Stuart Van Onselen

    Not much of a fix...

    As others have already pointed out, the real problem is that a simple QR code can reconfigure Glass in the first place.

    So now you have to acknowledge that you want to access a QR code before it is scanned. How will you be able to know when you can or cannot trust a given code?

    Ok, so they probably will have something like the "permissions" on App Store: "This QR Code wants access to your firmware, friends list, bank details, and sexual history. Proceed?" Once (if) Glass goes mainstream, it's going to end up in the hands (or on the temples) of the same class of user who just clicks on "Ok" whenever any dialogue box pops up.

    This is going to be fun...

    1. Michael Wojcik Silver badge

      Re: Not much of a fix...

      This is going to be fun...

      Yeah, except the only victims will be hipster gadget-freak doofuses, which makes it somewhat less entertaining. It's like being able to track the locations of Segway owners. I suppose it would make it easier to avoid them...

      (Kids, lawn, &c.)

  6. HMB

    Doesn't take a Cylon

    It doesn't take a Cylon does it?

    It's a very bad sign when security is this bad on something so obvious, it kind of makes you wonder what the serious stuff looks like.

  7. Stevie

    Bah!

    "grok"

    Bleh.

    Bad enough when this piece of sixties hipsterspeek crops up in human conversation, but to credit equipment with "groking" when the word one would normally use is "recognize" is going too far.

    Next up: Why you and your friends should eat your Googlespex when these wonders of technology inevitably die.

    1. Graham 24

      Re: Bah!

      The word "grok" has specific connotations in the computer world. See http://catb.org/esr/jargon/html/G/grok.html

      1. Stevie

        Re: Bah!

        "The word "grok" has specific blahdribbledrool etc"

        And you think I am unaware of this because...?

        I also know where "cyberspace" comes from, though *everyone* knows you shouldn't use that one now.

        A shame we don't still have AOL to make "grok" geek-unfriendly due to over-use by the hoi-poloi.

        Bleh!

        1. Destroy All Monsters Silver badge
          Thumb Down

          Re: Bah!

          Stevie.

          Schoolyard-level-cool negativists with a thesaurus they can't handle are not welcome here.

          Fuck off.

          1. Anonymous Coward

            Re: Bah!

            @DAM - I'm with Stevie on this (in intent if not in form). I've never heard anyone use 'grok' in an actual conversation (I decline to add the suitably impressive number of years in the biz because I don't want to trigger a Jake-quake - use your imagination).

            I couldn't imagine using it outside of a Heinlein riff, it would sound like a forced attempt to be cool.

            1. Anonymous Coward

              Re: Bah!

              Which country do you come from? Some island a little ways off the mainland? I think you'll hear the term "grok" used more frequently in the country where it originated. If the author is from elsewhere, perhaps it is put on. In other parts it is not all too corny, if a bit quaint.

            2. OffBeatMammal

              Re: Bah!

              as an ex denizen of the Microsoft Redmond campus... it's in daily use there, and since leaving MS I've noticed the quickest way to spot a fellow former member of the SteveB army is listen out for that word in a meeting!

        2. C 18
          Headmaster

          Re: Bah!

          >...the hoi-poloi.

          That's 'hoi-poloi' not 'the hoi-poloi', the 'the' is implied...

          1. Michael Wojcik Silver badge

            Re: Bah!

            That's 'hoi-poloi' not 'the hoi-poloi', the 'the' is implied.

            It's "hoi polloi", no hyphen, two l's (rough-breathing, omicron, iota, space, pi, omicron, lambda, lambda, omicron, iota). And the "the" isn't implied; it's explicit. "hoi" is the Greek definite article, masculine plural nominative.

            But thanks for playing.

    2. TeeCee Gold badge
      Facepalm

      Re: Bah!

      I quite like it, but not for the reasons those who use it think. Let's just look at what Heinlein has to say about it:

      ....and it means as little to us (because of our Earthling assumptions) as color means to a blind man.

      Or, in other words, a human using it is the exact equivalent of a five year old saying "fuck". They think it sounds big and clever, but actually have no comprehension of the real meaning.

  8. Yet Another Anonymous coward Silver badge

    Why

    Would anyone bother spying on a Hipster?

  9. Marc Rogers

    Snowcrash

    Yes. It's true. I turned the virus from Snowcrash into a real thing - A malicious image that only infects nerds.

  10. JDX Gold badge

    Only in photos?

    So not automatically as you walk along and catch a QR code in your field of vision... THAT would be proper sci-fi!

    Probably coming soon along with automatically labeling people it recognises in your HUD.

  11. Uncle Siggy

    Getting plastered

    Well, there goes my tattoo idea.

  12. TeeCee Gold badge
    Facepalm

    Already?

    Fairly recently we had a story about miscreants sticking their own QR codes over the real ones on advertising hoardings, to send mug punters to their bent site.

    I opined at the time that, as you have no idea where a QR code goes or what it does until your device interprets it, if you have your device configured to action such without first showing what it's about to do and asking for confirmation you are low-hanging fruit and bloody asking for it.

    I thought that was bleedin' obvious, but it appears that either it isn't or Google are too stupid to spot it.

  13. James Hughes 1

    What is it..

    about limited distribution beta test product that some commenters here don't understand?

    1. Michael Wojcik Silver badge

      Re: What is it..

      "Limited beta" is no excuse for putting a deliberate, stupid misfeature with a glaringly obvious security hole into a product.

  14. Anonymous Coward

    Can you use it...

    Can you use it to make the glasses turn off?

    I want a t-shirt.
