The Internets are abuzz today with news that an enterprising hacker has crafted an exploit worthy of science fiction: By merely showing a special QR code in front of a Google Glass headset they could take control of Glass and reconfigure it to whatever purpose–including malicious ones–they desired.
The hack exploited the fact that Glass’s software constantly samples the view through the camera to look for “interesting” targets in the scene in front of it–a critical trick for the future of AR devices like this. QR codes fall under the “interesting” category, of course, because they can contain encoded rich data that may be a contact, or a URL, or a text message. The malicious QR hack simply subverts this process and takes Glass’s software to a site that compromises its systems.
QR hacks aren’t new, of course, and there have been a handful demonstrated for devices like smartphones before. But in the case of Glass it’s a particularly wicked trick because unlike deliberately pointing a phone at a QR code, the headset is always on the lookout for data like this, and thus the wearer could unwittingly and perhaps even unknowingly expose the device at any moment. It’s even possible to “hijack” an existing QR code with a new coded sticker that links to the hack.
The team behind the hack at security outfit Lookout Mobile have long since alerted Google to the flaw and Google has quickly closed the loophole that enabled this particular exploit. That’s a tribute to Google, and a signal of how seriously it’s taking the user privacy and safety issues that Google Glass may present.
But the news does raise an interesting, and perhaps nerve-wracking, problem. This is most definitely not going to be the last Glass hack. The brute-force hack demonstrated here could do all sorts of things such as steal user data, passwords, and similar information from a Glass. But future hacks–achieved through other means, perhaps using loopholes in Wi-Fi or Bluetooth connections or even malicious apps on the owner’s companion smartphone–could be more subtle. Imagine an app that subverts Glass’s navigation alerts, sending users the wrong way for fun, or even for criminal gain. Or how about an exploit that captures images the wearer would rather not be made public?
Hacks on the brain-damaging level of those in Neal Stephenson’s novel Snow Crash aren’t possible with Glass, of course, because these were set in a virtual world that mystically affected the user’s brain. There is a chilling similarity, though, in that simply glancing at a code is enough to activate the exploit. But with wearables certain to expand far beyond Glass’s limited powers in the near future, get ready for some pretty upsetting headlines.
[Image: Flickr user Kema Keur]