back to article Ultra-hackable Google Glass could be a security nightmare

Google's high-tech Glass headsets might be a gadget enthusiast's dream, but in their current form they're far too vulnerable to malicious hacking, according to one developer who has had access to the devices. In a lengthy blog post on Tuesday, technology consultant Jay Freeman – who goes by the hacker handle "Saurik" – gave a …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Facepalm

    Stupidest Reg story ever?

    >"To address these concerns, Freeman says he would like to see Google make significant changes to the way Glass is designed, particularly before it is released in a version for consumers."

    D'oh - isn't that the point of releasing a "developer" version, separate from the consumer version?

    1. LarsG
      Meh

      Re: Stupidest Reg story ever?

      So there you have it, someone might hack your Glass and give you the wrong directions, or worse still play you a Justine Beiber video while you are enjoying a coffee and talking to your friends.

      This is truly life threatening.....

    2. Anonymous Coward
      Anonymous Coward

      Re: Stupidest Reg story ever?

      Maybe Google could use the fee they would have paid Microsoft to license Android and buy something more secure like a Windows Phone OS license....

  2. Anonymous Coward
    FAIL

    Nothing to see (as usual?)

    From the same article: "This means that if you leave your device in someone else's hands, and it has an unlocked bootloader, with just a minute alone they can access anything you have stored on it.".

    So how do we unlock the bootloader? That is explained in the same article, and well.. I consider the explanation itself more then enough to label this a "non issue":

    "The most common command to unlock the bootloader is simply "unlock". On most devices that provide this command, a menu will be displayed that explains that by unlocking the bootloader your warranty will be voided, and that it is disrecommended by the manufacturer. It also has a side effect: it will delete all of your personal data stored on the device (I mention this in more detail later, and explain why).".

    For me it's simple.. Leave your device in the hands of a stranger and its contents are in jeopardy, this is the same as with any other mobile device. But the other thing, as can be read here, in order to make this exploit work attackers don't only need physical access but unlock the bootloader as well, which effectively removes all your data. Yet isn't the common idea of an exploit to get their hands on your data first?

    So; don't leave your device with someone you don't trust and all is well. Yet if you happen to do so anyway and they are going to try something nasty chances are high they won't be able to get to your private stuff. Mission accomplished.

    Why not try another article when there are some real exploits to report? At the very least something remote (here's assuming Glass uses wifi and such).

    1. Growler
      Unhappy

      Re: Nothing to see (as usual?)

      What if the hacker doesn't care about the data on your Glass? From the article:

      "An attacker who has installed spyware on your Glass headset could potentially watch you entering door codes, take pictures of your keys, record your PIN as you enter it into a bank teller machine, and intercept everything you type on computer keyboards, including passwords."

  3. Anonymous Coward
    Linux

    <Insert scaremongering Sun headline here>

    'We intentionally left the device unlocked', Neil McAllister April 29 2013

    "Easy root access opens spyware floodgates", Neil McAllister May 01 2013

    What's different between now and last monday to cause such a change of opinion. Where did Google ever claim that the device was unhackable with physical access.

    1. Neil McAllister

      Re: <Insert scaremongering Sun headline here>

      "Where did Google ever claim that the device was unhackable with physical access."

      That old koan that anyone can hack your machine if they have physical access is logical when you're talking about a computer that by rights should be secured behind multiple layers of card key locks, security guards, surveillance cameras and iron cages. But Glass users are going to be taking their devices everywhere -- to work, to school, to restaurants, to bars, to other people's houses. By definition, different rules apply. Glass needs to be at LEAST as secure as an Android phone, but as you'll see if you read the article, at present it's not. Right now, it's hackable in the time it takes you to go to the toilet.

  4. Neil McAllister
    Alert

    The difference...

    The difference between the last story and this one -- and maybe I should have made this more explicit in the story -- is that while Freeman did root his device, he did it WITHOUT unlocking the bootloader. He does explain how to unlock it in his post, but that was NOT how he got into his Glass.

    1. Anonymous Coward
      Stop

      Re: The difference...

      @Neil - but don't you think that ten thousand security flaws are going to show up and (hopefully) be squashed between now and launch - just like other computing devices?

      And post-launch - don't you think Google and others will be looking for bugs and potential hacks and trying to fix them? Just like other computing devices?

      I'm quite certain that these eyeglasses will eventually be hacked to death, and people's entire lives will be stolen out from under them - just like with Android phones and iPhones and every credit card on earth. But I highly doubt that this one hack survives without being addressed all the way up to the date of the consumer Glass launch.

      1. Neil McAllister

        Re: The difference...

        I don't know. Why do you expect me to be able to answer these questions today? When someone answers them, I'll let you know. In the meantime, are you telling me you think the right approach is to ignore the issue? That attitude seems strange to me.

        1. Eponymous Cowherd
          Thumb Down

          Re: The difference...

          "are you telling me you think the right approach is to ignore the issue? "

          No, the correct approach is to report it without the lurid "we're all gonna die" headline. A security issue in a developer preview model is no biggie and uncovering such is a major reason for having such preview devices.

          1. sabroni Silver badge
            Stop

            @Eponymous Cowherd

            >> the correct approach is to report it without the lurid "we're all gonna die" headline <<

            No. Stupid headlines are part of this site. If you don't like them, don't read them. I think they're one of the best things about the Register, I particularly enjoy the way they get various fanboys in a lather...

        2. Anonymous Coward
          Anonymous Coward

          Re: The difference...

          > In the meantime, are you telling me you think the right approach is to ignore the issue? That attitude seems strange to me.

          Locking up the developer edition of Glass tighter than a gimp's codpiece is pretty much the stupidest and most counter-productive thing that Google could do; it would mean the developers couldn't develop.

  5. Anonymous Coward
    Anonymous Coward

    Neil McAllister is on to something here.

    I can see a whole string of articles emerging. Perhaps the next one could be:

    "Oh my God. If I let a stranger have access to my credit card he can copy the digits and order expensive stuff online. This is a major security failure with credit cards, and they need to tighten up their security model before they issue any more!"

  6. Andrew Jones 2

    Um..... it's a developer prototype......

    Also - sorry but if there was some spyware "bugging" the Glass camera and Microphone.... the give-away to the user would be how quickly the battery runs down, it never ceases to amaze me how people in the tech blogging industry don't seem to appreciate this fundamental fact - battery technology is terrible and it has been for years and according to battery makers - there is nothing on the horizon that is going to change this fact - using the camera and/or microphone costs battery life, in terms of the camera - quite a bit of battery life, then we need to consider the fact of storage - is the non-existent spyware going to record locally and then upload or just broadcast it live - both solutions require a crap load of bandwidth and no matter what radio the device uses, both will have another significant battery cost.

    1. Anonymous Coward
      Anonymous Coward

      How does the fact the battery will drain quickly protect you?

      I know plenty of people who have all sorts of different makes and models of phones who complain that their battery life has recently become much worse. Are they supposed to jump to the conclusion that someone hacked it and they are being spied upon? Or the more likely conclusions of it being:

      1) buggy software

      2) battery getting old

      3) in their head

      If you hack it, presumably you don't have it recording video all the time if the battery (and memory) won't last long enough. Depending on your goals, you may have it only record audio/video during certain circumstances. If your goal is corporate espionage, perhaps it only records video while connected to the office wireless. If you suspect your spouse of cheating, you don't need constant video, one pic every few minutes or so would be sufficient to tell where they are and who they are with at all times.

    2. Nick L
      FAIL

      No battery development on horizon? Try Aluminium Air batteries...

      Battery life will improve: there's huge R&D funds being thrown at it, and it seems a breakthrough is just about ready. Aluminium air batteries have recently been demonstrated, and if the small issue of them being highly dangerous can be solved then all is good.

      Storage? Well, it seems that for glass to be useful it needs to be connected, so...

      And whilst this is a developer device, it gives a clear indication on what the consumer device will be - if it comes at all.

  7. Anonymous Coward
    Thumb Up

    Shooting the messenger

    Neil McAllister is getting a lot of stick here for 'stating the obvious', but isn't raising serious issues with technology one of the most useful functions of technology sites?

    Not everyone is so enamoured of these things that they know everything about them and the issues they raise, so it's helpful to have someone lay it all out.

  8. This post has been deleted by its author

  9. Anonymous Coward
    Anonymous Coward

    Spyware?

    As in "I spy with my^H^Hyour little eye^H^H^Hglasses" I assume

    1. Anonymous Coward
      Anonymous Coward

      Re: Spyware?

      It's making the Google Homeview idea come true.. No doubt we will get an "Oops, we did it again" apology from Google when it emerges later that an engineer had "entirely accidentally" smuggled in a face recognition app and a layout scanner that documented the inside of every house visited by a Goggle wearer, and it now humbly offered to blank out faces.

      For only 95% of people.

      And leave the house data intact.

      Oh, and by mere coincidence a Google back end was ready to receive that data and process it.

      Anyone who tries to enter my place with one of those damn things will be asked to leave, and not return. No exceptions. So I hope someone manages to sell one to my mother in law :)

  10. Crisp

    Being able to root my own device is a good thing.

    I've found it's the only way to take advantage of the hardware sometimes.

    1. MacGyver
      Facepalm

      Re: Being able to root my own device is a good thing.

      I completely agree.

      It's also the only thing that will let Glass1.0 owners install the software from Glass2.0 after the manufacture abandons us, like they always do. I buy phones and tablet based upon their ability to be rooted and the bootloader unlocked. I pick the one with an available root exploit if given a choice.

      If you give your device to a friend and they hack it to spy on you, then you need better friends, not a better security policy.

  11. Andy Fletcher

    I let someone have unrestricted access to a five pound note once

    They were able to seize control of the device and used it to purchase a wank mag without my knowledge.

    Then it occurred to me to be more careful with my personal possessions and it didn't happen again. Phew!

  12. Colin Miller

    Easy security fix

    Take of your GoogleSpecs when you enter sensitive information.

    1. M7S

      Re: Easy security fix

      Unfortunately if users (as I assume they will eventually be able to) needing prescription lenses to see clearly have these integrated, that might not be an option. One could carry around a "dumb" pair of glasses and I expect many employers might well insist on this for work time but if you're the sort of person who'd wear google glasses in their own time then you've every instance of needing to enter the pin at the Tesco checkout or unlocking your smartphone (with the 2 minute autolock that we're all advised to have) when you want to reply to a text or something and quickly it will become too tiresome to do this.

  13. Havin_it
    Pint

    Or...

    If I allow untrusted people access to my phone/gizmo, maybe they'll just, I dunno...

    Nick it?

    You can argue what's worse all you like, but if you leave a few hundred quid's worth of electronica on a pub table while you penguin it to the bogs, then that's the most likely outcome I can see, and the most immediately aggravating.

  14. WynP

    I sense a film series in the making...

    Could the first title be "Fractured Glass"?

    When will developers ever learn from history?

    1. Jason Bloomberg Silver badge
      Boffin

      Re: I sense a film series in the making...

      Could the first title be "Fractured Glass"?

      I would guess more likely "Fractured Ass" given the Gonzo Porn industry is likely to be the most interested in making films captured from Google Glasses.

  15. Nifty Silver badge
    Pirate

    Virus in the corner of my eye

    "It reminds me of the guy in The Diamond Age who got infected by a virus that made him see Indian TV ads in the corner of his eyes 24/7, and he eventually went insane and killed himself"

    Talking about Neal Stephenson's book the Diamond Age written 18 years ago.

    http://www.stupidamericantourist.com/?tag=the-diamond-age

    http://en.wikipedia.org/wiki/The_Diamond_Age

    We are one step closer

  16. Falon

    For the funny side of the Hack google ... WBGA Deep...over 18s?

This topic is closed for new posts.

Other stories you might like