Google Fixes Glass Vulnerability To Malicious QR Codes

Unknown Lamer posted about 9 months ago | from the look-over-here dept.

Security 81

judgecorp writes "Google has fixed a vulnerability in its Glass device, which made it possible to fool the wearable gadget into joining malicious Wi-Fi networks, through the use of fake QR codes. Google fixed the flaw fast, following a tip-off from researchers — but there are two warnings to take from this. There are other weaknesses in Glass (such as the absence of a lockscreen), and this sort of weakness will increasingly hit as the Internet of Things takes hold and the number of communicating devices multiplies."

81 comments

Only to be expected (5, Funny)

Anonymous Coward | about 9 months ago | (#44307599)

I said no good would come of this digital nonsense, we should forget it go back to analog.

Re:Only to be expected (0)

Anonymous Coward | about 9 months ago | (#44307693)

I said no good would come of this digital nonsense, we should forget it go back to analog.

Analog is the future, analog is king.

Re:Only to be expected (0)

Anonymous Coward | about 9 months ago | (#44307825)

Google glass: it's like a Segway for your eyes!

Re:Only to be expected (0)

Anonymous Coward | about 9 months ago | (#44308157)

I invented a Segway that only costs $200, never runs out of battery, doesn't fall over if it does, and doubles as an exercise machine. I call it the "BI-CyC LE"'.

Re:Only to be expected (0)

Anonymous Coward | about 9 months ago | (#44308729)

I invented a car that doesn't use a drop of gas! It's cheap and only uses renewable sources. It has two all beef patties, special sauce, lettuce, cheese, pickles, onions on a sesame seed bun.

Re:Only to be expected (2)

ArcadeMan (2766669) | about 9 months ago | (#44308301)

For what it's worth, let's remember that digital has the word digit in it and analog has the word anal in it.

Re:Only to be expected (0)

Anonymous Coward | about 9 months ago | (#44308371)

For what it's worth, let's remember that digital has the word digit in it and analog has the word anal in it.

Digital engineers - always looking for the anal.

Re:Only to be expected (2)

FatdogHaiku (978357) | about 9 months ago | (#44309597)

For what it's worth, let's remember that digital has the word digit in it and analog has the word anal in it.

Sure, but if you put them together you get the dreaded "Stinky Pinky"!

Re:Only to be expected (1)

bmk67 (971394) | about 9 months ago | (#44311401)

You've got digital in your analog.

Somewhere in here there's a "Yo, dawg" meme.

I got nothing.

Re:Only to be expected (0)

Anonymous Coward | about 9 months ago | (#44308357)

Digital is just an analogue simulation.

fake QR (5, Informative)

Anonymous Coward | about 9 months ago | (#44307617)

They don't use fake QR but real QR codes which lead to a malicious network... fake QR codes won't work...

Re:fake QR (0)

Anonymous Coward | about 9 months ago | (#44307715)

The submitter is a retard... You have to forgive them.

Re:fake QR (0)

Anonymous Coward | about 9 months ago | (#44307747)

They won't use real or fake QR Codes to track open WiFi networks. These glasses will be reporting open WiFi back to the mothership without the need for a van or Google employees (who probably are wearing real QR Codes).

@mollycrabapple (5, Funny)

jayrtfm (148260) | about 9 months ago | (#44307629)

Trolls walk past #GoogleGlass wearers, whisper Image Search Goatse into the glass's mike
  --- @mollycrabapple, after trying on google glass

Re:@mollycrabapple (1)

Anonymous Coward | about 9 months ago | (#44307917)

I think "tubgirl" is easier to pronounce and for voice recognition to parse.

Scroogled again! (-1)

Anonymous Coward | about 9 months ago | (#44307683)

The googles need to be stopped.

QR code, introducing a new generation to hello.jpg (2)

VVelox (819695) | about 9 months ago | (#44307737)

Anyone else ever feel tempted to print up a bunch of QR code patches to direct people to hello.jpg and then slap them all over the place? Especially over the QR code on advertising and the like?

Re:QR code, introducing a new generation to hello. (4, Funny)

Inda (580031) | about 9 months ago | (#44307881)

I think a QR code that directs people to qr.png, which just shows another QR code, would be hilarious.

Reciprocal QR trolling.

Re:QR code, introducing a new generation to hello. (1)

ArcadeMan (2766669) | about 9 months ago | (#44308339)

Even more hilarious, qr.png would have text at the bottom saying "Scan this QR code to claim your prize."

And make sure that second QR code leads to yet another, ad infinitum, in case you have two people with phones traveling the endless path to nowhere.

XKCD to the rescue... (3, Funny)

Anonymous Coward | about 9 months ago | (#44308365)

...there really seems to be an XKCD for everything:
http://www.xkcd.com/1237/ [xkcd.com]

Re:XKCD to the rescue... (0)

Anonymous Coward | about 9 months ago | (#44310929)

Curious. If there's an XKCD for everything, why is there any need for new XKCDs?

Re:XKCD to the rescue... (0)

Anonymous Coward | about 9 months ago | (#44311119)

New things require new XKCDs. Perhaps Randall will find a way to make comics regarding future innovations, but for now we are relegated to only having comics about things that exist.

Re:QR code, introducing a new generation to hello. (2)

sjames (1099) | about 9 months ago | (#44308969)

I think Commander Data once suggested doing that to the Borg.

Re:QR code, introducing a new generation to hello. (1)

Megane (129182) | about 9 months ago | (#44307883)

Not until you mentioned it. Though I think making them link to goatse would be more appropriate for the /. crowd.

Re:QR code, introducing a new generation to hello. (1)

VVelox (819695) | about 9 months ago | (#44307941)

Hello.jpg is the first image for goatse.

Re:QR code, introducing a new generation to hello. (1)

Megane (129182) | about 9 months ago | (#44308919)

It's been so long since goatse was new, and I don't exactly check it weekly... or even yearly... I was sure it was "receiver.jpg", but I guess "receiver" was just in the text. (Yes, goatse.cx had text along with that picture.)

QR sploits (4, Funny)

Megane (129182) | about 9 months ago | (#44307739)

Automatic QR code scanning... bringing passive execution exploits to the world of paper and ink!

Re:QR sploits (0)

Anonymous Coward | about 9 months ago | (#44307767)

Google has brought Autorun vulns to the mobile world! Innovative!

Re:QR sploits (4, Insightful)

93 Escort Wagon (326346) | about 9 months ago | (#44307979)

Google has brought Autorun vulns to the mobile world! Innovative!

That is one of the big issues with devices that, by design, freely offer up information to you rather than wait for you to retrieve it.

Re:QR sploits (1)

RedBear (207369) | about 9 months ago | (#44310237)

This autorun vulnerability reminds me quite strongly of a sci-fi novel I read several years back called The Warriors of Dawn, by M. A. Foster. This novel contains three species, one of which is a sort of not super- or subspecies but a kind of "side" species of humans, created by genetic manipulation of the human genome. Another is a subspecies of humans that are kind of kept as slaves or playthings on an alien world. The third is of course, humans.

In the novel the subspecies (who had of all things the peculiarity of having thick orange fur on their lower legs) had the ability to use a certain device, a "toy", which was kind of described as a complex 3D lattice of thin wires with tiny beads on the wires. When a member of the subspecies looked into the device and tilted it this way and that, the patterns created would somehow interact with their brain structure through the optic nerve, and gave them the ability to answer questions about the future or other such things that seemed to almost violate the laws of causality. If a human looked into the device, all they would get is a vaguely disquieting sensation. It wouldn't work for humans the way it would work for the subspecies, but it was fascinating and difficult to look away once you looked into it.

Here's the tricky bit. Since the genetically manipulated "side" species had slightly more advanced brains than humans, the protagonists of the novel were able to trick a member of this species into looking into the device and tilting it, whereupon he was instantly transfixed into a mental state he couldn't escape from. In other words the device caused his brain to literally lock up, or "crash".

Point being, are we on the verge in the next few decades of being able to walk up to someone who has this kind of digital technology highly integrated into their life, show them a certain object or pattern and watch them fall into a coma? Methinks the answer is a rather disturbing "yes". We could end up in the future having an incident where someone creates a malicious pattern that's the equivalent of that Japanese cartoon episode that sent hundreds of children to the hospital, and then rickrolls ten million overly-trusting technology users into epileptic seizures. Many of whom may be doing things like operating moving vehicles at the time of their attack.

The future could be pretty lame for humanity if we can't learn a lesson as simple as "don't autorun content the user didn't explicitly ask for".

Re:QR sploits (0)

Anonymous Coward | about 9 months ago | (#44310495)

That sounds a lot like the mythical brown note [wikipedia.org] .

Re: QR sploits (0)

Anonymous Coward | about 9 months ago | (#44308629)

Obligatory Schlock Mercenary:
here [schlockmercenary.com]

Real QR Codes (5, Insightful)

Russ1642 (1087959) | about 9 months ago | (#44307785)

They weren't fake magical QR codes. To somehow blame a piece of paper or a billboard for your own terrible code is hilarious.

Re:Real QR Codes (2)

gl4ss (559668) | about 9 months ago | (#44307815)

They weren't fake magical QR codes. To somehow blame a piece of paper or a billboard for your own terrible code is hilarious.

yeah.. autorun on qrcodes is a terrible idea. just as terrible idea as auto-open urls.

also.. uhh.. qrcodes to join networks? ok I can see how that can be useful, go to a bar and just scan the qrcode and you got the local wifi there.. but doing so without asking at all is fucking stupid
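Added example, not part of the thread and not Google's code: a scan handler that parses a QR payload but takes no network-join or URL action until a confirmation callback approves a human-readable prompt, the "ask first" behaviour argued for in the comment above. It assumes the common `WIFI:` QR text convention (not necessarily the format Glass used); the function names and sample payloads are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import urlsplit

# Payload kinds that change device state; these must never run on sight.
NEEDS_CONSENT = {"wifi", "url"}


@dataclass
class ScanAction:
    kind: str                      # "wifi", "url" or "text"
    prompt: str                    # what the user is shown before anything happens
    fields: dict = field(default_factory=dict)


def _printable(s: str) -> str:
    """Replace control characters so the prompt cannot be visually spoofed."""
    return "".join(c if c.isprintable() else "?" for c in s)


def _split_escaped(body: str, sep: str = ";") -> list:
    """Split on sep while honouring backslash-escaped characters."""
    parts, cur, i = [], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if body[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(body[i])
        i += 1
    parts.append("".join(cur))
    return parts


def parse_payload(text: str) -> ScanAction:
    """Classify decoded QR text without acting on it."""
    if text.upper().startswith("WIFI:"):
        fields = {}
        for part in _split_escaped(text[5:]):
            key, sep, value = part.partition(":")
            if sep and key:
                fields[key.upper()] = value
        ssid = fields.get("S", "")
        if ssid:
            security = fields.get("T") or "nopass"
            label = "open, unencrypted" if security.lower() == "nopass" else security
            prompt = f'Join Wi-Fi network "{_printable(ssid)}" ({label})?'
            return ScanAction("wifi", prompt, fields)
    if text.lower().startswith(("http://", "https://")):
        host = urlsplit(text).hostname or "unknown host"
        return ScanAction("url", f"Open link to {_printable(host)}?", {"url": text})
    return ScanAction("text", _printable(text))


def handle_scan(text: str, confirm: Optional[Callable[[str], bool]] = None):
    """Return (decision, action); state-changing payloads need an explicit yes."""
    action = parse_payload(text)
    if action.kind not in NEEDS_CONSENT:
        return "display", action
    if confirm is None or not confirm(action.prompt):
        return "blocked", action         # default-deny: no prompt means no action
    return "allowed", action


if __name__ == "__main__":
    sample = "WIFI:T:WPA;S:Cafe\\;Guest;P:s3cret;;"   # constructed sample payload
    print(handle_scan(sample))
    print(handle_scan(sample, confirm=lambda prompt: True))
```

The default-deny branch is the point: a device with no room to show the prompt ends up at "blocked" rather than silently joining.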

Everything old is new again (1)

Anonymous Coward | about 9 months ago | (#44308011)

Remember when we were all up in arms about Microsoft auto-rendering HTML embedded in e-mails with no checking like 15 years back, and how it was a terrible idea?

Google apparently doesn't.

Seamless interaction with third parties vs. Safety from the malicious. Pick one.

Re:Everything old is new again (0)

Anonymous Coward | about 9 months ago | (#44308759)

You know how google stole a lot of "talent" from Microsoft .... guess who they got.

Aristoi (1)

abies (607076) | about 9 months ago | (#44307801)

Reminds me of novel Aristoi [wikipedia.org] where all people were conditioned from childhood to respond in certain ways to complicated hand symbols - allowing ruling elite to paralyze them with hand gesture for example. Yes, having your computer glasses compromised because of looking at malicious picture is still far from having your brain 'hacked', but I hope we will get there soon ;) Next step could be quick-hacking Google Glass v3 (with bone-transmitted headphones and retinal projector) to perform flashbang kind of attack (maximum sound and flash for short moment) when shown police badge upside down.
And then we would have police pacifying riots using virtual lightningbolts [youtube.com] ...

Re:Aristoi (0)

Anonymous Coward | about 9 months ago | (#44307957)

Or Dune's "Urushnor," although I'm sure you could also find parallels in "Fnord." The wide, wonderful world of "a thing I cannot know" awaits us!

Re:Aristoi (1)

Anonymous Coward | about 9 months ago | (#44308151)

How about Snow Crash (just as soon as we integrate Google Glass to augment our sensory perception).

Re:Aristoi (1)

b.emile (1222958) | about 9 months ago | (#44308893)

Came here for Snow Crash reference, am not leaving disappointed.

Re:Aristoi (1)

eelinow (903408) | about 9 months ago | (#44309843)

I too came here looking for a Snow Crash reference. Glad to see I am not disappointed. As soon as I saw the headline it was the most immediate thought in my mind.

Re:Aristoi (1)

Anonymous Coward | about 9 months ago | (#44308553)

As a professional political social engineer / marketer, I find it pleasing that you still think we're not hacking your brain. (What do you think is the point of communication then?)
Please keep thinking that way. Oh, and ALL GLORY TO THE HYPNOTOAD!

Just Glass has this problem? (2)

Threni (635302) | about 9 months ago | (#44307803)

What's special about Google Glass? What about Google Goggles, or indeed any of the various QR scanning apps available? Unless it has an "are you sure you want to visit this site" option (which understands URL shorteners), you're always going to be at risk. Glass owners are always going to be a tiny, tiny, tiny subset of the total number of Android users.

Re:Just Glass has this problem? (2, Insightful)

Anonymous Coward | about 9 months ago | (#44308005)

The difference is that with QR scanning apps: you get out your phone, load the app, line up the camera, follow the link, then vomit.
With Google Glass: you accidentally turn your head toward a code while examining an attractive posterior, then vomit.

Re:Just Glass has this problem? (2)

fuzzyfuzzyfungus (1223518) | about 9 months ago | (#44308683)

Architecturally, anything that scans QR codes(or accepts any other sort of input that isn't trivially human-verifiable beforehand, mag-stripes, NFC, 2d barcodes, whatever).

In terms of UI/UX constraints, I assume that 'glass' is atypically vulnerable because it has severely limited space(in terms of both screen resolution and user input options) for showing the user the details of what, exactly, a given QR code is going to do and asking them whether they want to do it, which creates an incentive to just do it automatically.

Any computer can be made to do dumb things based on valid-but-malicious input automatically; but some computers are more equal than others when it comes to being able to inform the user(though user density creates a fundamental upper limit here).

Noise (3, Interesting)

Anonymous Coward | about 9 months ago | (#44307807)

Going thru a mall will generate so much scanning noise that you won't be able to look thru the glasses. And it would be a pain to have to confirm everything "Do you want to scan this? Do you want to view that?"

I have less and less reason to ever get Google Glasses. Sorry Google

fros7 4ist?! (-1)

Anonymous Coward | about 9 months ago | (#44307975)

and a5 BSD sinks

Oops (0)

Anonymous Coward | about 9 months ago | (#44308017)

I just accidentally stepped on your Google glasses.

That's what I will do when I see the first wearer of these shit things. You've got my promise.

Re:Oops (0)

Anonymous Coward | about 9 months ago | (#44308253)

Just don't do it in Florida or I'll claim you are attacking me and blow your brains out.

Re:Oops (0)

Anonymous Coward | about 9 months ago | (#44308655)

How will you hit me without your glasses?

Re:Oops (0)

Anonymous Coward | about 9 months ago | (#44310649)

How will you hit me without your glasses?

Hard.

Other weaknesses.... (0)

mark-t (151149) | about 9 months ago | (#44308149)

The glasses do not fold, so they cannot just be put away in your pocket like sunglasses when you don't want to wear them. They come with a case that can keep them pretty safe, but the case won't fit in your pocket.

Battery life is abysmal. On the neighborhood of about 2 hours of use. The very concept of "wearable computing" does sort of lend itself to the notion of devices that can remain turned on at all times, and Glass falls short of this ideal by such a large factor that it is laughable. The battery life needs to be improved by at least a factor of 4.

Re:Other weaknesses.... (1)

slashmydots (2189826) | about 9 months ago | (#44308519)

You're forgetting the #1 problem. Everyone will hate the wearer, cover their faces, scream at them, and possibly attack the owner.

Re:Other weaknesses.... (1)

mark-t (151149) | about 9 months ago | (#44310229)

If somebody wearing equipment that can record you is sufficient reason for you to attack them, then you have anger management issues, and need counselling. That's not a fault in the technology.

As for the other responses, well, again that's not a flaw in the design of glass... that's a societal issue that arises because of false expectations that people have about privacy in public. If somebody can see you with their eyes in a public place, they are essentially recording you already in their brain, which is conceptually no different from being recorded by a device, unless one has intent to be duplicitous about what it was that they were doing.

I'm not suggesting that if you're doing nothing wrong you have nothing to hide, because everyone has things that they consider private... but I am saying that by definition "public" and "private" are opposites, and I don't really feel that one should have any expectation of privacy in a place that is open to the public. If one wants privacy, they should go someplace private.

Re:Other weaknesses.... (1)

slashmydots (2189826) | about 9 months ago | (#44319773)

Okay, I'll follow you around every second of every day while you're in public with a camera in your face and post it on youtube. Then we'll see if you develop an "anger problem" too.

Re:Other weaknesses.... (0)

Anonymous Coward | about 9 months ago | (#44310255)

news at 11, security specialist advice to put do not track sticker on your forehead to avoid this

Re:Other weaknesses.... (1)

Mr. Freeman (933986) | about 9 months ago | (#44310363)

Also, you look like a prick when wearing them.

Re:Other weaknesses.... (1)

mark-t (151149) | about 9 months ago | (#44311915)

Care to elaborate as to why that's so? You may find, in fact, that such a problem does not lie with a person who wears them at all.

Snow Crash? (0)

Anonymous Coward | about 9 months ago | (#44308255)

Sounds familiar.

Glass Hacking (0)

Anonymous Coward | about 9 months ago | (#44308861)

This sort of reminds me of Ghost in the Shell where one of the character's robotic eyes gets hacked.

Good grief I am so out of date (0)

Anonymous Coward | about 9 months ago | (#44309119)

WTF?

The problem was that Google Glass could be told to execute a QR code without the user having to give permission, Marc Rogers, principal security researcher at Lookout, told TechWeekEurope.

Permission issues are mundane. To me, the shocker is that there's such thing as "executing" a QR code, whether there's permission or not. Wearable tech has potential to be very cool, but everything I'm hearing about Glass seems to point toward Google going out of their way to make it suck. The idea that they would ever have it "run" things it sees, whether the user says ok or not, is just staggeringly stupid. Fuck you, Google.

STOP TRYING TO RECREATE THE HELL KNOWN AS MICROSOFT WINDOWS.

Re:Good grief I am so out of date (1)

0123456 (636235) | about 9 months ago | (#44311071)

STOP TRYING TO RECREATE THE HELL KNOWN AS MICROSOFT WINDOWS.

Those who don't understand Windows are doomed to reinvent it, even worse.

Only thing using QR codes (1)

flyingfsck (986395) | about 9 months ago | (#44309443)

Goggle Glass must be the only thing that is actually using QR codes.

Nothing to see here, please move along.

Google Glass and Xbox One are NSA projects (0)

Anonymous Coward | about 9 months ago | (#44309855)

Google is actually the main R+D arm of the NSA, and Google's hardware and software designs are used in the shadow-Google installations used by all intelligence agencies in the West to store and mine the data they gather from their mass surveillance of all electronic traffic.

Google Glass is the other side of the Xbox One. Both are designed to get the sheeple used to 100% video surveillance 100% percent of the time, especially in places the State was previously unable to place their cameras.

Having a private conversation with a group of friends about how much you hate the warmongering Obama? How's that gonna work out when one of you is wearing Google Glass. You are going to have to learn to keep your BIG MOUTHS shut. You are going to learn to keep your opinions to yourself, if those opinions run contrary to the propaganda found in your mainstream media outlets.

Google Glass is designed to close down anti-authoritarian sentiment. The current societal meme is that you won't have a job if you are caught in public with the 'wrong' opinion. But what does 'in public' mean. Microsoft and Google want the sheeple to be taught that EVERYWHERE is public. Your own homes especially.

The 1984 concept of 'Newspeak' was exactly the same idea from a different direction, although present day 'political correctness' is a direct, if limited form of Newspeak. Anyway, Newspeak or Google Glass, the idea is the same- sheeple will be conditioned never to express certain ideas. And the other side of this is that sheeple will desire to be observed giving support to other ideas - concepts they know their masters are pushing (like supporting the war on Eurasia, or cheering same-sex 'marriage').

Interestingly, many US States have laws against 'eavesdropping', but neatly these laws fade away when the bugging device is clearly visible. Google uses the journalist's 'exception' to pound Google Glass into the lives of the sheeple.

It's 2 years time. You are at a big party at some home. Some t**t is there wearing Google Glass. Now, just how free do you think the guests feel to speak or behave in 'party mode'? Yeah, camera phones and Youtube exist today, but a camera phone still requires a purposeful and deliberate act of video filming. Google Glass is an always on surveillance camera. Want an analogy? Google Glass has the same effect, by design, as a parent present at a party for late teens. Except Google turns you ALL into late teens, no matter what your age.

The intent of Google is pure evil. The intent of Microsoft is pure evil. Google Glass, the Xbox One, and Bill Gates' database that records every detail about every child all challenge Humanity to a degree never seen before in our History. We are in times that require a NEW 'Magna Carta' or a new 'US constitution', fundamental responses by meta society that recognise the abuses and attacks against Humanity, and lay down protocols specifically designed to combat the evil actions of entities like Google and Microsoft.

THINK! THINK! Does the age of the computer not change everything? Man has created written systems of laws and guidelines every time Humanity's progression created new issues that Mankind had to address. Why are we not addressing the problems created by insanely powerful and cheap computers and the accompanying growth of electronic data-storage?

Free speech. Freedom of conscience (that one most of you sheeple don't even understand, but it is even more important than free speech). The right not to be a slave. The right to be given equal treatment. But where's our right to privacy? Where's our right to protect ourselves against the NSA monsters and their partners in Microsoft and Google?

If Obama could, he'd snap his fingers and make all you sheeple slaves, and his circle your masters. This is how people in power think- all of them. We have societal meta-rules to hold back the worst instincts of people like Obama, the Bushes or the Clintons. Again, why have we NOT adjusted our rulebooks to include the unique issues that only arise when the age of computing reaches its current sophistication?

Targeting of innocent citizens in the name of 'pre-crime' must NEVER happen. Mass surveillance of citizens for the purpose of gathering information about those citizens must NEVER happen. We should have the death penalty for acts of significant corruption by people in high levels of power (this is one thing that China gets very right). Citizens should have the absolute right of privacy in private settings (a right that disappears ONLY if those citizens have willingly sought power over others, like politicians or royalty or the senior bosses of Microsoft and Google).

Ordinary people should feel free to express themselves - unpopular opinions should not be crimes or the reason a person ruins their career. Obviously, however, if a person actually and actively seeks to harm others via their opinions, then we enter a different situation, but this has always been the case in Human History.

More serious vulnerabilities (0)

Anonymous Coward | about 9 months ago | (#44309943)

Did they fix the glass's vulnerability to malicious pointy sticks and stones too?

Why even use QR codes at all? (1)

sootman (158191) | about 9 months ago | (#44311165)

In places where they're just used a lot for a bit of text, like a URL, why don't we just agree on a specific shape into which we put plain text to be OCRed? The human can verify it's the information he wants and is expecting before scanning and following a link.

bug found in beta testing shock (0)

Anonymous Coward | about 9 months ago | (#44313343)

so basically the beta testers have found a bug and google fixed it, why is this even being reported as news?
