Researchers at mobile security firm Lookout discovered a security flaw in Google Glass that allowed them to capture data without the user's knowledge when the user merely took a photo containing a malicious QR code.
Lookout was able to force Google Glass to silently connect to a Wi-Fi access point, which let the researchers view all of the data flowing to and from the device. When combined with an Android 4.0.4 web vulnerability, the hack apparently gave researchers full control of the Glass headset.
The problem was that Google Glass would act on the contents of a QR code without the user having to give permission. Because of Glass's limited user interface, Google set up the device's camera to automatically process any QR code in a photograph.
In a video posted on YouTube, Lookout Security described the vulnerability:
"That access point in turn allowed us to spy on the connections Glass made, from web requests to images uploaded to the Cloud," said Marc Rogers, Lookout.
Lookout disclosed its findings to Google on 16 May. Google filed a bug report with the Glass development team and the issue was fixed by version XE6, released on 4 June.