Sophos Cloud Optix
Critics of Google Glass usually remark on how the device allows its owner to take photos and videos of other people without their knowledge or consent, which has contributed to some backlash, including bans on Glass in some establishments and an alleged assault on a Glass user.
But a spyware app developed by two researchers has shown that Google Glass can be used to secretly take photos of whatever a Glass wearer is looking at without their knowledge – making the Glass user the one whose privacy and security is potentially compromised.
The lens display usually lights up whenever Glass is in use, which is the only way to tell when Glass is on – other than witnessing voice and gesture commands used by the wearer such as “Okay Glass, take a photo.”
However, according to media reports, the app takes a photo every 10 seconds when the display is off, meaning the wearer (or anyone in view of the camera) is unaware that it’s recording.
The app can also access the internet from the user’s Glass connection to upload the images to a server.
If a Glass user were to unknowingly install the app, which the researchers disguised as an app for note-taking called Malnotes, the app’s makers could potentially spy on the user’s activity, their location, who they are with, or even see their passwords as they’re typed.
Fortunately for Glass users, this particular app was developed by a pair of researchers who had no intention of using it to spy on people.
But the proof-of-concept attack shows one potential way for crooks and spies to exploit Glass for nefarious purposes.
It also reveals the potential for similar Glass apps to take photos or videos without the Glass display being lit.
Eye spy
The researchers who developed the spyware, Mike Lady and Kim Paterson, both graduate students at Cal Poly in San Luis Obispo, US, are reportedly the first to create Glass spyware – which came as a surprise to them, and to Google.
Lady told CSO.com:
It was surprising to me, because Google Glass has been out for about a year now, so I would have expected someone to come across this issue and Google to have come out with a fix for it.
The researchers posted the spyware app briefly on the Google Play Store, but it was quickly taken down by Google when the company discovered its existence.
Google found out about Lady and Paterson’s experiment only after their professor tweeted about it. The company insisted on obtaining the source code, which the researchers then provided.
According to a report at Forbes.com, Google’s initial response to hearing of Lady and Paterson’s app was to threaten the researchers for violating the Glass developer terms.
However, Google sounded apologetic and supportive in a brief statement to Forbes acknowledging the legitimacy of the researchers’ work.
Right now Glass is still in an experimental phase, and has not been widely released to consumers. One goal of the Explorer program is to get Glass in the hands of developers so they can hack together features and discover security exploits. We value this kind of security research and feel badly if we came across as overly forceful to the grad students at Cal Poly. All of this work ultimately contributes to making Glass a better and more secure product ahead of a wider consumer launch.
Glass attacks
Google also insists, in a 20 March 2014 post on Google Plus seeking to dispel Glass “myths,” that just because a technology exists (such as facial recognition) does not mean it will be available to users in the MyGlass store.
Google’s developer terms of service ban stealth picture-taking apps for Glass, and Google has stringent controls over the MyGlass app store.
But anyone can install apps designed for Glass using a PC connection and the Android debugging mode, known as “side-loading.”
Android, the popular mobile operating system developed by Google, is at the heart of Glass as well.
Although the debugging mode provides only limited developer access, it has been exploited in Android malware that uses the PC-to-Android connection to infect the Android device with Windows malware.
SophosLabs has seen malware attacking Android devices that sneaks in via the USB connection in debugging mode to install Windows malware that then downloads an Android banking Trojan.
This Android malware allows the attacker to intercept SMS messages in order to steal two-factor authentication codes.
In the case of Glass, the security researchers said that – despite Google’s developer policies against apps that take photos with the display off – there’s nothing in Glass’s software that prevents it from happening.
Another security researcher hacked into Glass’s root, which could allow someone who gets their hands on a Glass (via theft, say) to install any type of software, including spyware or other malware.
The potential for breaches of security and privacy means Glass users should be wary of installing any apps not approved by the MyGlass store, Google says.
Google also advises Glass Explorers (as beta testers of the yet-to-be-released product are called) that they should avoid being “creepy or rude,” among other dos and don’ts of using Glass.
Yes, everybody look at the big “secret spy device” obviously mounted on my head, so you won’t notice me snapping photos with the camera pen in my shirt pocket.
“camera pen”
How last century. *smfh*
Yes, everybody look at the big “secret spy device” obviously held in my hand , so you won’t notice me talking on the phone while the government listens.
Being obvious is the best way to spy in 2014
Yeah because camera pens were connected via wifi to a central server with apps installed that can do various privacy breeches all in a few seconds and display it to your eye without anyone else knowing. Wonderful logic….
It’s actually pretty obvious when the screen is on.
Just because Google doesn’t allow others to exploit these features, doesn’t mean Google won’t.
exactly and that’s the point of the article. The spying is on the user not the other way around
It does rather explain why they were annoyed, and then had a change of heart. Anyway, it’s people like these researchers who will help to make Google glass a success. So, they are helping them to trample on the privacy of others. Personally, I would be happy if the thing got a string of fatal infections that encouraged users to steer well clear of it.
In a few years more people will be wearing the cool Google Glass and, because of Google provided back doors, the NSA will literally have eyes everywhere. The government might even subsidize the price privately to Google to make it extremely affordable to the average person. Glass owners will be unknowing spies for the government.
Agent Smith – “that is the sound of inevitability”.
“Fortunately for Glass users, this particular app was developed by a pair of researchers who had no intention of using it to spy on people.”
How could the author possibly know the researchers intentions? They can’t. I find this assertion troubling, as should any person who recognizes the danger of organizations proclaiming as fact that which they have no way of knowing.
The two researchers clearly did not intend to use the spyware app for malicious purposes. Otherwise, they would not have come forward and would not have given Google access to the code.
If their intention was to spy, wouldn’t it make more sense for them to do so anonymously?
Also, one of the researchers, Kim Paterson, will be starting a job after she graduates at …. Google.
Like the NSA came forward. pffffft
Um, they didn’t come forward, they put the app in the store and their professor ratted them out. THEN they cooperated with dear Google.
When Google uses the researchers’ code to block this type of spy app, their motivation will be moot.
They hid the app, secretly, in the google app store? Maybe they need to take a class in concealment.
I’m one of the researchers mentioned in the article; we have no intention of using this to spy on people, it was merely an exploration of what we can exploit on Glass using Android APIs. If you read the original Forbes article, it explains that this work was done for purely academic reasons.
I don’t trust any of the big name technology companies but I particularly detest Google & Facebook. They are the worst because they outright lie about what they are doing and what their capable of doing with user information.
Yes, Amen to that. I quite Facebook for that very same reason. These people make the Kremlin look honorable. “Detest” is the right word. One day people will wake up to what fools they have been to trust these jerks.
As an update to the “Alleged attack”, the video was released and the Glass wearer was viciously goading the other patrons in the bar and calling them nasty names. You should look it up for clarity on why some are not so keen on being spied on; even openly.
People are stupid
Google is pure evil. They want to create a worldwide network to monitor everything you do or say, and a robot army. They will be more powerful than most – maybe all – nation states.
Do not fall for their power grab.
I think that my wife, who is blind in the right eye and has minimal sight in the left eye, could use Glass ho improve her quality of life. This would take a modified Glass (left eye screen instead of the right eye), and an application that turns the camera on continuous and directly connecting the camera to the screen. I believe that Glass has real potential to help folks who have poor or limited sight.
Yes, I agree. It can probably be done in a legitimate way. But not via Google.
Has anyone ever wondered if a Mega-Tech Company like Google would hire employees to scour the internet looking for bad articles on their technology and then have them post flattering comments in the comment section to deflect the impact of a negative article? Just curious, would a company that has repeatedly lied to users about privacy, ownership of data and complicit in feeding personal user data to the NSA for the purpose of spying on US citizens ever have a department full of employees posting comments on news articles and blog posts to distort the message and ensure a positive image?
Whatcha think Paul? Would a company worth hundreds of billions do that?
…whilst spying on them and trampling all over their rights.
Thanks for this.
Keep in mind that many social groups see little difference between a spy and a journalist. Even a pure journalist steals from their object and sells to the news organization (which can be a propaganda organization)
It think if I was Glass viewing/recording I would want to wear a big hat or shirt with the URL of the free video. The rule is try never to steal an image. Ask to share.
But that’s not exactly “opt in”, is it 🙂 It’s not even “opt out.” In fact, it’s like Google Street View. You know they’re there because their cars are super-obvious, but there’s nothing you can do about it. Well, you can wait until your building appears online and then try to have it removed. Good luck with that.
Google would never take video or photos without the users knowledge right?
Google spokespeople are lying. Of course this will not take photos. Of Course Google will not sell your info for their profit. Of Course not.
Avoid being creepy or rude…yeah, remember when they used to say “Don’t be evil” before handing a bunch of dissident’s info over to the Chinese government. Where are the dissidents now? Surely some completely non-evil coincidence that they’re all gone, right?
Give ’em a shot of WD-40 right in the camera lens! Disables the camera and only burns the eyes for about a month!
Welcome my Son, Welcome to the Machine. & just so we’re clear, you won’t be paid for your service to it.
Google Glass is bringing up an interesting issue that people are missing: that we’ve reached a point in technological development where we seriously need to start asking questions about how new technology is to be implemented. It’s not that we’re “not ready” for Google Glass, it might be that it’s the answer to a question nobody asked.
Of course, this requires some humility and introspection few people possess anymore, let alone technological zealots. Asking questions rather than blindly accepting gets you called a Luddite or somebody who’s just afraid of progress.
The problem is someone has gotten the idea that the old world of privacy, property rights, and plain old ethics don’t apply to new technology.
People think its ok to steal if its on the internet. Someone who would never rip off a blender at JC Penny feels perfectly justified to pirate content online.
I think that the wearers of Google Glasses who act unreasonably should be subject to invasion of privacy lawsuits. Without a doubt. God willing, that day is coming.
Congratulations! You’ve left the most reasonable, non-hysterical, thoughtful comment I’ve ever seen related to Glass. My faith in humanity is restored by .5%!
They seriously call their malicious malware app Malnotes?
Kind of a giveaway, isn’t it?
It wasn’t actually released into the wild, so we weren’t trying to obfuscate anything in actuality. We regret the name nonetheless.
Be careful of statements like this. You can’t upload something to the Play Store and then say “it wasn’t actually released into the wild,” because it jolly well actually was!
I’ll accept that your motivation was decent, even though I haven’t made my mind up yet about the morality of releasing it as you did.
I’m not sure why you “regret the name.” If you’d called it AutoReminder or CoolNotes, that would make it much worse, surely? For me, calling it “Malnotes” is pretty much your saving grace.
What with the blatant disregard for privacy, rampant piracy, and ageism I have to wonder. Are the kids in SIlicon valley brain damaged? No comprehension of right and wrong?
If I saw someone wearing Google Glass looking ay me, it would be the last time that pair of glasses would exist.
The topic is transhumanism.
Google Glass is the first step. The goal is The Borg.
Goggle Glass wearers are fledgling cyborgs, and they’re too flippin’ STOOPID to realize it.
It will be impossible now to keep google glass protected. They will try to patch it but now the door is open and won’t stay closed. Just like Windows, Mac OSX, ios, Linux, and Android try in vain to keep Hackers out. The wearers are now open to the victimization that they once enjoyed putting on others. Poetic justice!
Serves these wearers right. They will spy on the whole world so let them be spied on by the very same device . the irony is delicious.
Of course the “injury to privacy” is transitive – everyone the wearer looks at is being spied on undetectably, too. That’s one of the problems with “serves you right” in computer security. There is often collateral damage, often a lot of it. (Example: Target had a huge problem due to malware. So did 40,000,000 people who shared PII with that network via its payment card machines.)
I would trust Google if their goal really were profit, because in my lexicon “profit” means “a tangible or intangible gain, acquired morally”. That means they would never interact or interfere with me or my property against my will or without my uncoerced permission.
By that definition, I would trust anyone with a profit motive, because their goal is clean, open, and transparent. A truly profitable transaction is always mutual, is always opt-in, and never involves either force or fraud.
Unfortunately, it appears that Google uses a different definition of “profit”, and the same is true of any glasshole who records video of other people or their property without their permission.