back to article Now you can be the NSA: Snoop on a Google Glass hipster with a QR code

A security flaw discovered in Google Glass ultimately allowed miscreants to eavesdrop on the wearer's wireless internet connection - using just a QR code. Mobile security firm Lookout discovered that the techno goggles automatically processed QR codes present anywhere in photographs captured by the built-in camera. The barcode- …

COMMENTS

This topic is closed for new posts.
Silver badge

Am I the only one

Who thinks this exploit would be more fun if used to subtly compromise the AR view through the glasses and turn fugly people pretty, milk into beer etc etc.

1
0
Anonymous Coward

Re: Am I the only one

Given the level of "cleverness" (almost non-existent), I would expect the sort of carbon unit that would do that to map everything to an image formerly hosted on a certain Christmas Island domain, unlamentedly now defunct.

4
0

Re: Am I the only one

All together now, one more time: Glasses do not make an "AR view". They do not fully superimpose over your entire vision. You get a screen in the upper-right portion of your visual field, where the display device sits. It is not physically capable of changing the things you see around you; it could only display a modified version in one small portion of your vision.

4
0
Stop

Re: Am I the only one

All together now, one more time: Glasses do not make an "AR view". They do not fully superimpose over your entire vision. You get a screen in the upper-right portion of your visual field, where the display device sits. It is not physically capable of changing the things you see around you; it could only display a modified version in one small portion of your vision.

This is true now, but it may not always be so.

1
0
Anonymous Coward

Fact follows fiction....

In several SciFi stories, a robot or android gets "pwn3d" simply by looking at some picture, or listening to some sound. I always said to myself "who in their right mind would design a system that would treat untrusted input from the environment as executable instructions?"

17
0

Re: Fact follows fiction....

Miranda

3
0
Silver badge
Joke

Re: Fact follows fiction....

rad-nay-decorum-ish...or something

0
0
Bronze badge
WTF?

Re: Fact follows fiction....

I remember thinking that people who thought that looking at a picture on their PC could lead to being infected by a virus...

.. but Microsoft managed to make that possible.

0
2
Bronze badge

Re: Fact follows fiction....

It was the fruity oaty bars commercial that contained the trigger image.

0
0
Bronze badge

Re: Fact follows fiction....

I remember thinking that people who thought that looking at a picture on their PC could lead to being infected by a virus... [what?] .. but Microsoft managed to make that possible.

Plenty of image-rendering libraries have had vulnerabilities that could be triggered by malicious input.[1] Obviously that's exacerbated when said library is executing with excessive privilege (unavoidable on platforms with no separation of privilege, and the norm on Windows systems until UAC came along), but troublesome even without it. Microsoft is hardly the only culprit.

The simple fact of the matter is that untrustworthy input shouldn't be trusted.

[1] Integer overflow bugs in C code were particularly common.

0
0
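
The integer-overflow footnote in the comment above, as an added example that is not part of the original thread: an image loader that computes its buffer size from header fields, unchecked and then checked. The header layout, function names and the 256 MiB cap are hypothetical, chosen for illustration and not taken from any real library.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed header for a hypothetical raw image format (not a real codec). */
struct img_hdr { uint32_t width, height, bytes_per_pixel; };

/* Assumed policy limit: refuse anything larger than 256 MiB of pixel data. */
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

/* Unchecked: the 32-bit product wraps modulo 2^32, so the computed size can
 * be far smaller than the pixel data the header claims will follow. */
uint32_t size_unchecked(const struct img_hdr *h) {
    return (uint32_t)(h->width * h->height * h->bytes_per_pixel);
}

/* Multiply two sizes; returns 0 instead of wrapping when a*b > SIZE_MAX. */
static int mul_ok(size_t a, size_t b, size_t *r) {
    if (a != 0 && b > SIZE_MAX / a) return 0;
    *r = a * b;
    return 1;
}

/* Checked: 0 and *out set on success; -1 for zero fields, overflow, or a
 * total above the policy limit. Header values are treated as untrusted. */
int size_checked(const struct img_hdr *h, size_t *out) {
    size_t n;
    if (h->width == 0 || h->height == 0 || h->bytes_per_pixel == 0) return -1;
    if (!mul_ok(h->width, h->height, &n)) return -1;
    if (!mul_ok(n, h->bytes_per_pixel, &n)) return -1;
    if (n > MAX_IMAGE_BYTES) return -1;
    *out = n;
    return 0;
}

int main(void) {
    /* Constructed sample headers: one oversized, one ordinary. */
    struct img_hdr bad = { 65537u, 65537u, 1u };
    struct img_hdr ok  = { 640u, 480u, 4u };
    size_t n = 0;
    printf("unchecked size for 65537x65537x1: %u bytes\n",
           (unsigned)size_unchecked(&bad));
    printf("checked, oversized header: %d\n", size_checked(&bad, &n));
    if (size_checked(&ok, &n) == 0)
        printf("checked, 640x480x4: %zu bytes\n", n);
    return 0;
}
```

A decoder that allocates the unchecked size and then copies the number of pixels the header claims writes past the end of its buffer; the checked path rejects the header before any allocation takes place.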
Bronze badge

Re: Fact follows fiction....

who in their right mind would design a system that would treat untrusted input from the environment as executable instructions?

By this criterion a large number of programmers are not in their right minds. Of course that seems entirely plausible.

But the real problem is not so much explicitly treating untrusted input as executable - it's not handling untrusted input safely in the first place. There are far too many avenues by which malicious input can lead to arbitrary code execution, elevation of privilege, etc, even if the system doesn't treat it as executable. At least since the publication of "Smashing the Stack for Fun and Profit" (1996), if not since the Morris Worm (1988), there's been no excuse for any software developer to be ignorant of the dangers of malicious input. No excuse whatsoever.

0
0
J P

Life imitates art - anyone else ever read Snow Crash..?

7
0
Bronze badge
Happy

and used

a few years later in the amusing 'A Quantum Murder' - Hamilton

0
0

Bronze badge

anyone else ever read Snow Crash

Strangely, no. According to Stephenson, you're the only person who's ever read it.

(Of course the mimesis in Snow Crash went the other way initially - Stephenson named the novel after his term for a failure mode on the original Mac, where garbage would be written to video memory. In other words, the novel was inspired by system failure due to mishandling incorrect input, rather than the other way around. It's a problem that goes back to the earliest days of automatic computing.)

0
0
Facepalm

Langford Fractal Basilisk!

Excellent, the Langford Fractal Basilisk for teh win! Also used in "The Cassini Division"....

1
0

Not much of a fix...

As others have already pointed out, the real problem is that a simple QR code can reconfigure Glass in the first place.

So now you have to acknowledge that you want to access a QR code before it is scanned. How will you be able to know when you can or cannot trust a given code?

Ok, so they probably will have something like the "permissions" on App Store: "This QR Code wants access to your firmware, friends list, bank details, and sexual history. Proceed?" Once (if) Glass goes mainstream, it's going to end up in the hands (or on the temples) of the same class of user who just clicks on "Ok" whenever any dialogue box pops up.

This is going to be fun...

2
0
Bronze badge

Re: Not much of a fix...

This is going to be fun...

Yeah, except the only victims will be hipster gadget-freak doofuses, which makes it somewhat less entertaining. It's like being able to track the locations of Segway owners. I suppose it would make it easier to avoid them...

(Kids, lawn, &c.)

0
0
HMB
Bronze badge

Doesn't take a Cylon

It doesn't take a Cylon does it?

It's a very bad sign when security is this bad on something so obvious, it kind of makes you wonder what the serious stuff looks like.

0
1
Silver badge

Bah!

"grok"

Bleh.

Bad enough when this piece of sixties hipsterspeek crops up in human conversation, but to credit equipment with "groking" when the word one would normally use is "recognize" is going too far.

Next up: Why you and your friends should eat your Googlespex when these wonders of technology inevitably die.

2
12

Re: Bah!

The word "grok" has specific connotations in the computer world. See http://catb.org/esr/jargon/html/G/grok.html

7
2
Silver badge

Re: Bah!

"The word "grok" has specific blahdribbledrool etc"

And you think I am unaware of this because...?

I also know where "cyberspace" comes from, though *everyone* knows you shouldn't use that one now.

A shame we don't still have AOL to make "grok" geek-unfriendly due to over-use by the hoi-poloi.

Bleh!

2
9
Silver badge
Thumb Down

Re: Bah!

Stevie.

Schoolyard-level-cool negativists with a thesaurus they can't handle are not welcome here.

Fuck off.

7
3
Anonymous Coward

Re: Bah!

@DAM - I'm with Stevie on this (in intent if not in form). I've never heard anyone use 'grok' in an actual conversation (I decline to add the suitably impressive number of years in the biz because I don't want to trigger a Jake-quake - use your imagination).

I couldn't imagine using it outside of a Heinlein riff, it would sound like a forced attempt to be cool.

2
2
Anonymous Coward

Re: Bah!

Which country do you come from? Some island a little ways off the mainland? I think you'll hear the term "grok" used more frequently in the country where it originated. If the author is from elsewhere, perhaps it is put on. In other parts it is not all too corny, if a bit quaint.

1
1
Gold badge
Facepalm

Re: Bah!

I quite like it, but not for the reasons those who use it think. Let's just look at what Heinlein has to say about it:

....and it means as little to us (because of our Earthling assumptions) as color means to a blind man.

Or, in other words, a human using it is the exact equivalent of a five year old saying "fuck". They think it sounds big and clever, but actually have no comprehension of the real meaning.

2
0
Bronze badge
Headmaster

Re: Bah!

>...the hoi-poloi.

That's 'hoi-poloi' not 'the hoi-poloi', the 'the' is implied...

2
0

Re: Bah!

As an ex-denizen of the Microsoft Redmond campus... it's in daily use there, and since leaving MS I've noticed the quickest way to spot a fellow former member of the SteveB army is to listen out for that word in a meeting!

0
0
Bronze badge

Re: Bah!

That's 'hoi-poloi' not 'the hoi-poloi', the 'the' is implied.

It's "hoi polloi", no hyphen, two l's (rough-breathing, omicron, iota, space, pi, omicron, lambda, lambda, omicron, iota). And the "the" isn't implied; it's explicit. "hoi" is the Greek definite article, masculine plural nominative.

But thanks for playing.

0
0
Silver badge

Why

Would anyone bother spying on a Hipster?

3
0

Snowcrash

Yes. It's true. I turned the virus from Snowcrash into a real thing - A malicious image that only infects nerds.

0
0
JDX
Gold badge

Only in photos?

So not automatically as you walk along and catch a QR code in your field of vision... THAT would be proper sci-fi!

Probably coming soon along with automatically labeling people it recognises in your HUD.

1
0

Getting plastered

Well, there goes my tattoo idea.

0
0
Gold badge
Facepalm

Already?

Fairly recently we had a story about miscreants sticking their own QR codes over the real ones on advertising hoardings, to send mug punters to their bent site.

I opined at the time that, as you have no idea where a QR code goes or what it does until your device interprets it, if you have your device configured to action such without first showing what it's about to do and asking for confirmation you are low-hanging fruit and bloody asking for it.

I thought that was bleedin' obvious, but it appears that either it isn't or Google are too stupid to spot it.

4
0
Silver badge

What is it..

about limited distribution beta test product that some commenters here don't understand?

0
0
Bronze badge

Re: What is it..

"Limited beta" is no excuse for putting a deliberate, stupid misfeature with a glaringly obvious security hole into a product.

0
0
Bronze badge

Can you use it...

Can you use it to make the glasses turn off?

I want a t-shirt.

0
0