Google Fixes Glass Vulnerability To Malicious QR Codes

judgecorp writes "Google has fixed a vulnerability in its Glass device, which made it possible to fool the wearable gadget into joining malicious Wi-Fi networks, through the use of fake QR codes. Google fixed the flaw fast, following a tip-off from researchers — but there are two warnings to take from this. There are other weaknesses in Glass (such as the absence of a lockscreen), and this sort of weakness will increasingly hit as the Internet of Things takes hold and the number of communicating devices multiplies."

Only to be expected

[Anonymous Coward]

I said no good would come of this digital nonsense, we should forget it go back to analog.

Re:

[ArcadeMan]

For what it's worth, let's remember that digital has the word digit in it and analog has the word anal in it.

Re:

[FatdogHaiku]

For what it's worth, let's remember that digital has the word digit in it and analog has the word anal in it.

Sure, but if you put them together and you get the dreaded "Stinky Pinky"!

Re:

[bmk67]

You've got digital in your analog.

Somewhere in here there's a "Yo, dawg" meme.

I got nothing.

Re:

[PPH]

Analog is just digital that can't make up its mind.

fake QR

[Anonymous Coward]

They dont use fake QR but Real QR codes witch lead to a malicous network... fake qr codes Wont work...

Re:

[Jeff Flanagan]

Not really. That's just obvious derp.

Re:

[Lunix Nutcase]

But it's still a real QR code. It is malicious but it isn't fake.

Re:

[KingMotley]

Stop with your silly fake opinions.

@mollycrabapple

[jayrtfm]

Trolls walk past #GoogleGlass wearers, whisper Image Search Goatse into the glass's mike
  --- @mollycrabapple, after trying on google glass

Re:@mollycrabapple

[niftydude]

Safesearch on! Safesearch on! [questionablecontent.net]

Re:

[Anonymous Coward]

I think "tubgirl" is easier to pronounce and for voice recognition to parse.

Re:

[Hognoxious]

My Eyes! The goggles do something! If they did nothing, it would be an improvement!

QR code, introducing a new generation to hello.jpg

[VVelox]

Any one else ever feel tempted to print up a bunch of QR code patches to direct people to hello.jpg and then slap them all over the place? Especially over the QR code on advertising and the like?

Re:QR code, introducing a new generation to hello.

[Inda]

I think a QR code that directs people to qr.png, which just shows another QR code, would be hilarious.

Reciprocal QR trolling.

Re:

[ArcadeMan]

Even more hilarious, qr.png would have text at the bottom saying "Scan this QR code to claim your prize."

And make sure that second QR code leads to yet another, ad infinitum, in case you have two people with phones traveling the endless path to nowhere.

XKCD to the rescue...

[Anonymous Coward]

...there really seems to be an XKCD for everything:
http://www.xkcd.com/1237/ [xkcd.com]

Re:

[sjames]

I think Commander Data once suggested doing that to the Borg.

Re:

[Megane]

Not until you mentioned it. Though I think making them link to goatse would be more appropriate for the /. crowd.

Re:

[VVelox]

Hello.jpg is the first image for goatse' .

Re:

[Megane]

It's been so long since goatse was new, and I don't exactly check it weekly... or even yearly... I was sure it was "receiver.jpg", but I guess "receiver" was just in the text. (Yes, goatse.cx had text along with that picture.)

QR sploits

[Megane]

Automatic QR code scanning... bringing passive execution exploits to the world of paper and ink!

Re:QR sploits

[93 Escort Wagon]

Google has brought Autorun vulns to the mobile world! Innovative!

That is one of the big issues with devices that, by design, freely offer up information to you rather than wait for you to retrieve it.

Re:

[RedBear]

This autorun vulnerability reminds me quite strongly of a sci-fi novel I read several years back called The Warriors of Dawn, by M. A. Foster. This novel contains three species, one of which is a sort of not super- or subspecies but a kind of "side" species of humans, created by genetic manipulation of the human genome. Another is a subspecies of humans that are kind of kept as slaves or playthings on an alien world. The third is of course, humans.

In the novel the subspecies (who had of all things the pecul

Re:

[plover]

More directly, this could be the precursor to Snow Crash.

Real QR Codes

[Russ1642]

They weren't fake magical QR codes. To somehow blame a piece of paper or a billboard for your own terrible code is hilarious.

Re:

[gl4ss]

They weren't fake magical QR codes. To somehow blame a piece of paper or a billboard for your own terrible code is hilarious.

yeah.. autorun on qrcodes is a terrible idea. just as terrible idea as auto-open urls.

also.. uhh.. qrcodes to join networks? ok I can see how that can be useful, go to a bar and just scan the qrcode and you got the local wifi there.. but doing so without asking at all is fucking stupid

Everything old is new again

[Anonymous Coward]

Remember when we were all up in arms about Microsoft auto-rendering HTML embedded in e-mails with no cecking like 15 years back, and how it was a terrible idea?

Google apparently doesn't.

Seamless interaction with third parties vs. Safety from the malicious. Pick one.

Aristoi

[abies]

Reminds me of novel Aristoi [wikipedia.org] where all people were conditioned from childhood to respond in certain ways to complicated hand symbols - allowing ruling elite to paralyze them with hand gesture for example. Yes, having your computer glasses compromised because of looking at malicious picture is still far from having you brain 'hacked', but I hope we will get there soon ;) Next step could be quick-hacking Google Glass v3 (with bone-transmitted headphones and retinal projector) to perform flashbang kind of attac

Re:

[Anonymous Coward]

How about Snow Crash (just as soon as we integrate Google Glass to augment our sensory perception).

Re:

[b.emile]

Came here for Snow Crash reference, am not leaving disappointed.

Re:

[eelinow]

I too came here looking for a Snow Crash reference. Glad to see I am not disappointed. As soon as I saw the headline it was the most immediate thought in my mind.

Re:

[Anonymous Coward]

As a professional political social engineer / marketer, I find it pleasing that you still think we're not hacking your brain. (What do you think is the point of communication then?)
Please keep thinking that way. Oh, and ALL GLORY TO THE HYPNOTOAD!

Just Glass has this problem?

[Threni]

What's special about Google Glass? What about Google Goggles, or indeed any of the various QR scanning apps available? Unless it has an "are you sure you want to visit this site" option (which understands URL shorteners), you're always going to be at risk. Glass owners are always going to be a tiny, tiny, tiny subset of the total number of Android users.

Re:

[Anonymous Coward]

The difference is that with QR scanning apps: you get out your phone, load the app, line up the camera, follow the link, then vomit.
With Google Glass: you accidentally turn your head toward a code while examining an attractive posterior, then vomit.

Re:

[fuzzyfuzzyfungus]

Architecturally, anything that scans QR codes(or accepts any other sort of input that isn't trivially human-verifiable beforehand, mag-stripes, NFC, 2d barcodes, whatever).

In terms of UI/UX constraints, I assume that 'glass' is atypically vulnerable because it has severely limited space(in terms of both screen resolution and user input options) for showing the user the details of what, exactly, a given QR code is going to do and asking them whether they want to do it, which creates an incentive to just do i

Noise

[Anonymous Coward]

Going thru a mall will generate so much scanning noise that you won't be able to look thru the glasses. And it would be a pain to have to confirm everything "Do you want to scan this? Do you want to view that?"

I have less and less reason to ever get Google Glasses. Sorry Google

Re:

[Hognoxious]

The sword or the mine?

Re:

[lister king of smeg]

oh no's scary internet tough guy threatens violence and destruction of property as an AC oh nevermind.

Other weaknesses....

[mark-t]

The glasses do not fold, so they cannot just be put away in your pocket like sunglasses when you don't want to wear them. They come with a case that can keep them pretty safe, but the case won't fit in your pocket.

Battery life is abysmal. On the neighborhood of about 2 hours of use. The very concept of "wearable computing" does sort of lend itself to the notion of devices that can remain turned on at all times, and Glass falls short of this ideal by such a large factor that it is laughable. The batt

Re:

[slashmydots]

You're forgetting the #1 problem. Everyone will hate the wearer, cover their faces, scream at them, and possibly attack the owner.

Re:

[mark-t]

If somebody wearing equipment that can record you is sufficient reason for you to attack them, then you have anger management issues, and need counselling. That's not a fault in the technology.

As for the other responses, well, again that's not a flaw in the design of glass... that's a societal issue that arises because of false expectations that people have about privacy in public. If somebody can see you with their eyes in a public place, they are essentially recording you already in their brain, whi

Re:

[slashmydots]

Okay, I'll follow you around every second of every day while you're in public with a camera in your face and post it on youtube. Then we'll see if you develop and "anger problem" too.

Re:

[Mr. Freeman]

Also, you look like a prick when wearing them.

Re:

[mark-t]

Care to elaborate as to why that's so? You may find, in fact, that such a problem does not lie with a person who wears them at all.

Looking for Glass

[Mohit Kumar]

I am also looking for this Google Glass... How can get one easily ?

Re:

[0123456]

STOP TRYING TO RECREATE THE HELL KNOWN AS MICROSOFT WINDOWS.

Those who don't understand Windows are doomed to reinvent it, even worse.

Only thing using QR codes

[flyingfsck]

Goggle Glass must be the only thing that is actually using QR codes.

Nothing to see here, please move along.

Why even use QR codes at all?

[sootman]

In places where they're just used a lot for a bit of text, like a URL, why don't we just agree on a specific shape into which we put plain text to be OCRed? The human can verify it's the information he wants and is expecting before scanning and following a link.

Snow Crash

[cpugeniusmv]

Good thing Glass isn't directly hooked into the brain yet... Is L. Bob Rife running Google now?