AUGMENTED REALITY EYEWEAR Google Glass was silently patched by the internet giant last month after a flaw was discovered that could have allowed hackers to capture user data sent from the device, mobile security firm Lookout has revealed.
Having worked with Google to find and repair the vulnerability, Lookout said in a blog post today that it reported the bug on 16 May before it was quickly fixed by Google on 4 June, with the update pushed out to all devices.
Google took advantage of Glass' ability to read printed text and QR codes to create an easy way for a user to configure their Glass device without needing a keyboard.
Discovered by Lookout Mobile Security principal security researcher Marc Rogers, the vulnerability that Google patched last month exploited QR codes configured to tell Glass to connect to WiFi networks or Bluetooth devices.
"We analysed how to make QR codes based on configuration instructions and produced our own 'malicious' QR codes," Rogers said. "When photographed by an unsuspecting Glass user, the code forced Glass to connect silently to a 'hostile' WiFi access point that we controlled.
"That access point in turn allowed us to spy on the connections Glass made, from web requests to images uploaded to the Cloud."
Lookout said that the exploit also allowed it to divert Glass to a webpage on the access point that contained a known Android 4.0.4 vulnerability, which hacked Glass as it browsed the page.
Google's patch updated the Glass software so that the camera will only identify QR codes when the user specifically triggers scanning through the settings.