If you haven’t heard, Google Glass, the latest gadget from the Silicon Valley giant, has set the media and tech world abuzz, with both admiration and controversy surrounding the device. Google Glass was released to the public last week and combines smartphone technology with wearable glasses that is reminiscent of something seen on Star Trek. Public, in this case, actually means beta testers (called Glass Explorers) who had to apply for the chance to purchase the spectacles in advance by writing a 50 word essay using the hashtag, #ifihadglass. Those chosen had the opportunity to purchase the device for $1,500 USD.
Along with the admiration of a device that appears to do everything, comes controversy. The 8,000 individuals who were able to purchase the device were bound to a restrictive end user license agreement, in which the product would be deactivated and rendered useless if sold, loaned, or transferred to a third party. This was discovered after one winner decided to put his glasses on EBay and was contacted by Google. However, it appears there were no restrictions against modifying or rooting the device other than the loss of warranty and technical support.
Recently, James Freeman, a security researcher from the United States blogged about his acquisition of Google Glass from Google’s headquarters in Mountain View, California. His blog post set the press and Google scrambling after he posted a picture showing that he had rooted the device. Freeman wasn’t part of the Glass Explorer beta test, he simply had the privilege of purchasing the device as an attendee of Google I/O in 2012. His main motivation in purchasing Google Glass was device customization. In order to make customize the device, he had to “jailbreak” or “root” it.
The foundation of Google Glass is Android 4.04. As with any operating system, there are publicly known vulnerabilities and exploits. In this case, the author analyzed an unnamed exploit which relies on a symlink traversal and a race condition to see if he could apply it to Glass. To gain full root access, Freeman realized he needed to open the Debug menu on Glass. The Debug menu is typically locked on smartphones and requires a PIN to access it, but this was not the case with Google Glass. Freeman discovered that the Debug menu on Glass was not locked down and allowed for easy access to the device:
“Even if you wear Glass constantly, you are unlikely to either sleep or shower while wearing it; most people, of course, probably will not wear it constantly: it is likely to be left alone for long periods of time. If you leave it somewhere where someone else can get it, it is easy to put the device into Debug Mode using the Settings panel and then use adb access to launch into a security exploit to get root.
The person doing this does not even need to be left alone with the device: it would not be difficult to use another Android device in your pocket to launch the attack (rather than a full computer). A USB “On-The-Go” cable could connect from your pocket under your shirt to your right sleeve. With only some momentary sleight-of-hand, one could “try on” your Glass, and install malicious software in the process.”
Although the vulnerability in Google Glass allows for anyone with malicious intent to install malware to their heart’s desires, it does require physical access to the device. As those in the security community know, while this vulnerability is a definite flaw security wise, if you can have physical access to a device, it is not completely secure. This is why Linux distributions have a single user mode for forgotten or lost root passwords. If you have physical access to the device or computer, it can be considered insecure.
Wearable devices will give malware authors another avenue to exploit, as evidenced by their transition from desktops to mobile devices. Enterprising and creative malware authors will always try to find a way to exploit a vulnerability in anything, and it will only be a matter of time before it happens.
In theory, Glass or any device that can be worn and used to record at the same time can have security implications. We might not be far away from clever ways for these devices to be used against us. For example, privacy risks such as being recorded inconspicuously wherever you are and theft possibilities, such as having your ATM PIN recorded. These problems just scratch the surface-the list of security concerns might be endless.
Leave a reply