Cracks appear in Google Glass privacy

Lack of PIN or authentication system makes wearable computer vulnerable to hackers

PUBLISHED : Friday, 03 May, 2013, 12:00am
UPDATED : Friday, 03 May, 2013, 3:54am


Google Glass, the wearable computer being developed by the search giant, might be a threat to its owners' privacy because it has no PIN or authentication system, hackers have discovered.

Jay Freeman, a Santa Barbara-based programmer who specialises in cracking smartphone security for both iPhone and Android devices, discovered that Glass has a "root" capability which can be enabled by attaching it to a desktop computer and running some commands.

That would then give a hacker the ability to take control of the Glass's output - meaning a hacker could monitor everything the owner was doing from a smartphone in their pocket.

"Once the attacker has root on your Glass, they have much more power than if they had access to your phone or even your computer: they have control over a camera and a microphone that are attached to your head," Freeman wrote in a blogpost. "A bugged Glass doesn't just watch your every move: it watches everything you are looking at (intentionally or furtively) and hears everything you do. The only thing it doesn't know are your thoughts."

He points out that "it knows all your passwords, for example, as it can watch you type them. It even manages to monitor your usage of otherwise safe, old-fashioned technology: it watches you enter door codes, it takes pictures of your keys, and it records what you write using a pen and paper. Nothing is safe once your Glass has been hacked."

Even if the device shows a red light to show others when its video camera is on, a user probably would not notice it as the light faces away from them.

Freeman said that about 10 minutes would be enough for a hacker to install a "rooted" version of the software that Glass ships with. "Sadly, due to the way Glass is currently designed, it is particularly susceptible to the kinds of security issues that tend to plague Android devices," he wrote. "The one saving grace of Android's track record on security is that most of the bugs people find in it cannot be exploited while the device is PIN-code locked. Google's Glass, however, does not have any kind of PIN mechanism: when you turn it on, it is immediately usable."

Freeman got hold of one of the demonstration units of Glass, and quickly found that there is a "debug mode" which lets it connect to computers over a USB connection. That in turn lets anyone who has access to the device to install their own software if they use certain technical tricks.

He recommended that Glass had a protection system that functions when it is taken off by the owner, such as a biometric - either using patterns in the iris or voice - or a PIN.

Google did not respond to a request for comment.