14 DAY TRIAL // A group of hackers from Netherlands seem to have come up with a way to stream the video recorded with Google Glass to a nearby device via WiFi, without the wearer being able to detect the leak.
According to an article from Volkskrant.nl, an attacker could “use a USB stick to enter a ‘script’ in the glasses at an unguarded moment which then allows them to take control.”
One attack vector presented in the piece of news would be for someone to borrow the wearable from the owner just for a brief examination and surreptitiously hook the stick with the magic code to it in order to gain control over the camera.
“[...]a possible attack scenario could involve a user lending his Glass device to an interested person (a pretty girl in the pub), who then sticks a USB stick into the device when no one is looking.”
Although this may seem plausible, Google Glass technical specifications say that the only USB port available is micro USB, which is used for both charging and connecting to a computer in order to download or upload media content.
As such, the device needs to be connected to a computer in order to deliver the malicious piece of code, an action that would definitely not pass unnoticed by a techy.
However, this does not mean that Google Glass cannot be used for malicious purposes, especially since it is noted that the wearer is not aware of the recording state of the gadget.
Glass provides a live preview of the recorded footage along with an audio notification, which suggests that the malicious code is able to disable these notifications.
Installing a malicious app that could take over the camera of the device is a bit more complicated because it would require side-loading it, an operation that implies connecting the device to a computer, enabling the USB debug mode and using Android Debug Bridge (ADB).
Volkskrant.nl reports that the video hijacking capability of the code was demonstrated by employees at the Nijmegen ICT company Masc and accountancy office Deloitte.
They also say that one of the hackers told them that the code was built in one evening. “We were thinking about worst-case-scenarios with these glasses. We then came up with the idea of someone being able to view what the wearer is watching. This means that you are better off not wearing the glasses when using a cash-point or engaging in other private activities,” the hacker said.
Provided that Google Glass is still in early stage of development and adoption, the methods to achieve this level of privacy invasion also need refining.
However, even at this stage, a device already altered to surreptitiously stream video reaching the target in various ways (as a gift, prize or just lying around in their way with no owner to claim it), can be an efficient attack vector.