Slashdot Mirror


Google Fixes Glass Vulnerability To Malicious QR Codes

judgecorp writes "Google has fixed a vulnerability in its Glass device, which made it possible to fool the wearable gadget into joining malicious Wi-Fi networks, through the use of fake QR codes. Google fixed the flaw fast, following a tip-off from researchers — but there are two warnings to take from this. There are other weaknesses in Glass (such as the absence of a lockscreen), and this sort of weakness will increasingly hit as the Internet of Things takes hold and the number of communicating devices multiplies."

49 of 81 comments

  1. Only to be expected by Anonymous Coward · · Score: 5, Funny

    I said no good would come of this digital nonsense, we should forget it and go back to analog.

    1. Re:Only to be expected by ArcadeMan · · Score: 2

      For what it's worth, let's remember that digital has the word digit in it and analog has the word anal in it.

    2. Re:Only to be expected by PPH · · Score: 1

      Analog is just digital that can't make up its mind.

      --
      Have gnu, will travel.
    3. Re:Only to be expected by FatdogHaiku · · Score: 2

      For what it's worth, let's remember that digital has the word digit in it and analog has the word anal in it.

      Sure, but if you put them together you get the dreaded "Stinky Pinky"!

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    4. Re:Only to be expected by bmk67 · · Score: 1

      You've got digital in your analog.

      Somewhere in here there's a "Yo, dawg" meme.

      I got nothing.

  2. fake QR by Anonymous Coward · · Score: 5, Informative

    They don't use fake QR but real QR codes which lead to a malicious network... fake QR codes won't work...

    1. Re:fake QR by jeffmflanagan · · Score: 1

      Not really. That's just obvious derp.

    2. Re:fake QR by Lunix+Nutcase · · Score: 2

      But it's still a real QR code. It is malicious but it isn't fake.

    3. Re:fake QR by KingMotley · · Score: 1

      Stop with your silly fake opinions.

  3. @mollycrabapple by jayrtfm · · Score: 5, Funny

    Trolls walk past #GoogleGlass wearers, whisper Image Search Goatse into the glass's mike
      --- @mollycrabapple, after trying on google glass

    1. Re:@mollycrabapple by niftydude · · Score: 4, Funny
      --
      You can never know everything, and part of what you do know will always be wrong. Perhaps even the most important part.
    2. Re:@mollycrabapple by Anonymous Coward · · Score: 1

      I think "tubgirl" is easier to pronounce and for voice recognition to parse.

  4. QR code, introducing a new generation to hello.jpg by VVelox · · Score: 2

    Any one else ever feel tempted to print up a bunch of QR code patches to direct people to hello.jpg and then slap them all over the place? Especially over the QR code on advertising and the like?

  5. QR sploits by Megane · · Score: 4, Funny

    Automatic QR code scanning... bringing passive execution exploits to the world of paper and ink!

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    1. Re:QR sploits by 93+Escort+Wagon · · Score: 4, Insightful

      Google has brought Autorun vulns to the mobile world! Innovative!

      That is one of the big issues with devices that, by design, freely offer up information to you rather than wait for you to retrieve it.

      --
      #DeleteChrome
    2. Re:QR sploits by RedBear · · Score: 1

      This autorun vulnerability reminds me quite strongly of a sci-fi novel I read several years back called The Warriors of Dawn, by M. A. Foster. This novel contains three species, one of which is a sort of not super- or subspecies but a kind of "side" species of humans, created by genetic manipulation of the human genome. Another is a subspecies of humans that are kind of kept as slaves or playthings on an alien world. The third is of course, humans.

      In the novel the subspecies (who had of all things the peculiarity of having thick orange fur on their lower legs) had the ability to use a certain device, a "toy", which was kind of described as a complex 3D lattice of thin wires with tiny beads on the wires. When a member of the subspecies looked into the device and tilted it this way and that, the patterns created would somehow interact with their brain structure through the optic nerve, and gave them the ability to answer questions about the future or other such things that seemed to almost violate the laws of causality. If a human looked into the device, all they would get is a vaguely disquieting sensation. It wouldn't work for humans the way it would work for the subspecies, but it was fascinating and difficult to look away once you looked into it.

      Here's the tricky bit. Since the genetically manipulated "side" species had slightly more advanced brains than humans, the protagonists of the novel were able to trick a member of this species into looking into the device and tilting it, whereupon he was instantly transfixed into a mental state he couldn't escape from. In other words the device caused his brain to literally lock up, or "crash".

      Point being, are we on the verge in the next few decades of being able to walk up to someone who has this kind of digital technology highly integrated into their life, show them a certain object or pattern and watch them fall into a coma? Methinks the answer is a rather disturbing "yes". We could end up in the future having an incident where someone creates a malicious pattern that's the equivalent of that Japanese cartoon episode that sent hundreds of children to the hospital, and then rickrolls ten million overly-trusting technology users into epileptic seizures. Many of whom may be doing things like operating moving vehicles at the time of their attack.

      The future could be pretty lame for humanity if we can't learn a lesson as simple as "don't autorun content the user didn't explicitly ask for".

    3. Re:QR sploits by plover · · Score: 1

      More directly, this could be the precursor to Snow Crash.

      --
      John
  6. Real QR Codes by Russ1642 · · Score: 5, Insightful

    They weren't fake magical QR codes. To somehow blame a piece of paper or a billboard for your own terrible code is hilarious.

    1. Re:Real QR Codes by gl4ss · · Score: 2

      They weren't fake magical QR codes. To somehow blame a piece of paper or a billboard for your own terrible code is hilarious.

      yeah.. autorun on qrcodes is a terrible idea. just as terrible an idea as auto-open urls.

      also.. uhh.. qrcodes to join networks? ok I can see how that can be useful, go to a bar and just scan the qrcode and you got the local wifi there.. but doing so without asking at all is fucking stupid

      --
      world was created 5 seconds before this post as it is.
  7. Aristoi by abies · · Score: 1

    Reminds me of the novel Aristoi, where all people were conditioned from childhood to respond in certain ways to complicated hand symbols - allowing the ruling elite to paralyze them with a hand gesture, for example. Yes, having your computer glasses compromised because of looking at a malicious picture is still far from having your brain 'hacked', but I hope we will get there soon ;) Next step could be quick-hacking Google Glass v3 (with bone-transmitted headphones and retinal projector) to perform a flashbang kind of attack (maximum sound and flash for a short moment) when shown a police badge upside down.
    And then we would have police pacifying riots using virtual lightningbolts...

    1. Re:Aristoi by Anonymous Coward · · Score: 1

      How about Snow Crash (just as soon as we integrate Google Glass to augment our sensory perception).

    2. Re:Aristoi by Anonymous Coward · · Score: 1

      As a professional political social engineer / marketer, I find it pleasing that you still think we're not hacking your brain. (What do you think is the point of communication then?)
      Please keep thinking that way. Oh, and ALL GLORY TO THE HYPNOTOAD!

    3. Re:Aristoi by b.emile · · Score: 1

      Came here for Snow Crash reference, am not leaving disappointed.

      --
      this space intentionally left blank
    4. Re:Aristoi by eelinow · · Score: 1

      I too came here looking for a Snow Crash reference. Glad to see I am not disappointed. As soon as I saw the headline it was the most immediate thought in my mind.

  8. Just Glass has this problem? by Threni · · Score: 2

    What's special about Google Glass? What about Google Goggles, or indeed any of the various QR scanning apps available? Unless it has an "are you sure you want to visit this site" option (which understands URL shorteners), you're always going to be at risk. Glass owners are always going to be a tiny, tiny, tiny subset of the total number of Android users.

    1. Re:Just Glass has this problem? by Anonymous Coward · · Score: 2, Insightful

      The difference is that with QR scanning apps: you get out your phone, load the app, line up the camera, follow the link, then vomit.
      With Google Glass: you accidentally turn your head toward a code while examining an attractive posterior, then vomit.

    2. Re:Just Glass has this problem? by fuzzyfuzzyfungus · · Score: 2

      Architecturally, anything that scans QR codes (or accepts any other sort of input that isn't trivially human-verifiable beforehand, mag-stripes, NFC, 2d barcodes, whatever).

      In terms of UI/UX constraints, I assume that 'glass' is atypically vulnerable because it has severely limited space (in terms of both screen resolution and user input options) for showing the user the details of what, exactly, a given QR code is going to do and asking them whether they want to do it, which creates an incentive to just do it automatically.

      Any computer can be made to do dumb things based on valid-but-malicious input automatically; but some computers are more equal than others when it comes to being able to inform the user (though user density creates a fundamental upper limit here).
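The design point raised in this sub-thread (show the user what a scanned code will do, and do nothing state-changing automatically), as an added example that is not part of the original comments or Google's code. It assumes the widely used ZXing-style `WIFI:` payload layout, which the page does not say Glass used; `handle_scan` and the `confirm` callback are hypothetical names, and all sample payloads are constructed.

```python
# Added example: gate QR-triggered actions behind explicit user consent.
# Assumption: "WIFI:T:..;S:..;P:..;;" is the common ZXing-style payload,
# not necessarily what Glass parsed.
from urllib.parse import urlsplit

def parse_wifi(payload):
    """Return {'T','S','P',...} from a WIFI: payload, honouring '\\' escapes."""
    if not payload.startswith("WIFI:"):
        return None
    fields, cur, chars = [], [], iter(payload[5:])
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, ""))   # escaped ; , : \ " is taken literally
        elif ch == ";":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    out = {}
    for field in fields:
        key, sep, value = field.partition(":")
        if sep and key:
            out[key] = value
    return out if out.get("S") else None  # an SSID is mandatory

def handle_scan(payload, user_initiated, confirm):
    """Return (action, detail). `confirm(prompt) -> bool` stands in for the
    device's consent prompt (hypothetical). Nothing state-changing autoruns."""
    wifi = parse_wifi(payload)
    if wifi:
        sec = wifi.get("T", "nopass")
        label = "OPEN, unencrypted" if sec == "nopass" else sec
        # repr() makes control characters or odd whitespace in the SSID visible
        action, prompt = "join_wifi", f"Join Wi-Fi {wifi['S']!r} ({label})?"
    else:
        try:
            url = urlsplit(payload)
        except ValueError:                # malformed URL: treat as inert text
            return ("show_text", payload)
        if url.scheme not in ("http", "https"):
            return ("show_text", payload)  # inert: display only
        action, prompt = "open_url", f"Open site {url.hostname!r}?"
    if not user_initiated:
        return ("ignored", "scan was not requested by the user")
    if not confirm(prompt):
        return ("declined", prompt)
    return (action, prompt)
```

A code that merely passes in front of the camera returns `ignored`; a join or page load happens only after a user-requested scan and an accepted prompt naming the network or host.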

  9. Noise by Anonymous Coward · · Score: 3, Interesting

    Going thru a mall will generate so much scanning noise that you won't be able to look thru the glasses. And it would be a pain to have to confirm everything "Do you want to scan this? Do you want to view that?"

    I have less and less reason to ever get Google Glasses. Sorry Google

  10. Re:QR code, introducing a new generation to hello. by Inda · · Score: 4, Funny

    I think a QR code that directs people to qr.png, which just shows another QR code, would be hilarious.

    Reciprocal QR trolling.

    --
    This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
  11. Re:QR code, introducing a new generation to hello. by Megane · · Score: 1

    Not until you mentioned it. Though I think making them link to goatse would be more appropriate for the /. crowd.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  12. Re:QR code, introducing a new generation to hello. by VVelox · · Score: 1

    Hello.jpg is the first image for goatse.

  13. Everything old is new again by Anonymous Coward · · Score: 1

    Remember when we were all up in arms about Microsoft auto-rendering HTML embedded in e-mails with no checking like 15 years back, and how it was a terrible idea?

    Google apparently doesn't.

    Seamless interaction with third parties vs. Safety from the malicious. Pick one.

  14. Re:QR code, introducing a new generation to hello. by ArcadeMan · · Score: 1

    Even more hilarious, qr.png would have text at the bottom saying "Scan this QR code to claim your prize."

    And make sure that second QR code leads to yet another, ad infinitum, in case you have two people with phones traveling the endless path to nowhere.

  15. XKCD to the rescue... by Anonymous Coward · · Score: 3, Funny

    ...there really seems to be an XKCD for everything:
    http://www.xkcd.com/1237/

  16. Re:Other weaknesses.... by slashmydots · · Score: 1

    You're forgetting the #1 problem. Everyone will hate the wearer, cover their faces, scream at them, and possibly attack the owner.

  17. Looking for Glass by MohitKumar9841 · · Score: 1

    I am also looking for this Google Glass... How can I get one easily?

  18. Re:Oops by lister+king+of+smeg · · Score: 1

    oh no's scary internet tough guy threatens violence and destruction of property as an AC oh nevermind.

    --
    ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
  19. Re:QR code, introducing a new generation to hello. by Megane · · Score: 1

    It's been so long since goatse was new, and I don't exactly check it weekly... or even yearly... I was sure it was "receiver.jpg", but I guess "receiver" was just in the text. (Yes, goatse.cx had text along with that picture.)

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  20. Re:QR code, introducing a new generation to hello. by sjames · · Score: 2

    I think Commander Data once suggested doing that to the Borg.

  21. Only thing using QR codes by flyingfsck · · Score: 1

    Goggle Glass must be the only thing that is actually using QR codes.

    Nothing to see here, please move along.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  22. Re:Scroogled again! by Hognoxious · · Score: 1

    My Eyes! The goggles do something! If they did nothing, it would be an improvement!

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  23. Re:Other weaknesses.... by mark-t · · Score: 1

    If somebody wearing equipment that can record you is sufficient reason for you to attack them, then you have anger management issues, and need counselling. That's not a fault in the technology.

    As for the other responses, well, again that's not a flaw in the design of glass... that's a societal issue that arises because of false expectations that people have about privacy in public. If somebody can see you with their eyes in a public place, they are essentially recording you already in their brain, which is conceptually no different from being recorded by a device, unless one has intent to be duplicitous about what it was that they were doing.

    I'm not suggesting that if you're doing nothing wrong you have nothing to hide, because everyone has things that they consider private... but I am saying that by definition "public" and "private" are opposites, and I don't really feel that one should have any expectation of privacy in a place that is open to the public. If one wants privacy, they should go someplace private.

  24. Re:Other weaknesses.... by Mr.+Freeman · · Score: 1

    Also, you look like a prick when wearing them.

    --
    -1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
  25. Re:Oops by Hognoxious · · Score: 1

    The sword or the mine?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  26. Re:Good grief I am so out of date by 0123456 · · Score: 1

    STOP TRYING TO RECREATE THE HELL KNOWN AS MICROSOFT WINDOWS.

    Those who don't understand Windows are doomed to reinvent it, even worse.

  27. Why even use QR codes at all? by sootman · · Score: 1

    In places where they're just used a lot for a bit of text, like a URL, why don't we just agree on a specific shape into which we put plain text to be OCRed? The human can verify it's the information he wants and is expecting before scanning and following a link.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  28. Re:Other weaknesses.... by mark-t · · Score: 1

    Care to elaborate as to why that's so? You may find, in fact, that such a problem does not lie with a person who wears them at all.

  29. Snow Crash by cpugeniusmv · · Score: 1

    Good thing Glass isn't directly hooked into the brain yet... Is L. Bob Rife running Google now?

  30. Re:Other weaknesses.... by slashmydots · · Score: 1

    Okay, I'll follow you around every second of every day while you're in public with a camera in your face and post it on youtube. Then we'll see if you develop an "anger problem" too.