Spyware app turns the privacy tables on Google Glass wearers

Google GlassCritics of Google Glass usually remark on how the device allows its owner to take photos and videos of other people without their knowledge or consent, which has contributed to some backlash, including bans on Glass in some establishments and an alleged assault on a Glass user.

But a spyware app developed by two researchers has shown that Google Glass can be used to secretly take photos of whatever a Glass wearer is looking at without their knowledge – making the Glass user the one whose privacy and security is potentially compromised.

The lens display usually lights up whenever Glass is in use, which is the only way to tell when Glass is on – other than witnessing voice and gesture commands used by the wearer such as “Okay Glass, take a photo.”

However, according to media reports, the app takes a photo every 10 seconds when the display is off, meaning the wearer (or anyone in view of the camera) is unaware that it’s recording.

The app can also access the internet from the user’s Glass connection to upload the images to a server.

If a Glass user were to unknowingly install the app, which the researchers disguised as an app for note-taking called Malnotes, the app’s makers could potentially spy on the user’s activity, their location, who they are with, or even see their passwords as they’re typed.

Fortunately for Glass users, this particular app was developed by a pair of researchers who had no intention of using it to spy on people.

But the proof-of-concept attack shows one potential way for crooks and spies to exploit Glass for nefarious purposes.

It also reveals the potential for similar Glass apps to take photos or videos without the Glass display being lit.

Eye spy

The researchers who developed the spyware, Mike Lady and Kim Paterson, both graduate students at Cal Poly in San Luis Obispo, US, are reportedly the first to create Glass spyware – which came as a surprise to them, and to Google.

Lady told CSO.com:

It was surprising to me, because Google Glass has been out for about a year now, so I would have expected someone to come across this issue and Google to have come out with a fix for it.

The researchers posted the spyware app briefly on the Google Play Store, but it was quickly taken down by Google when the company discovered its existence.

Google found out about Lady and Paterson’s experiment only after their professor tweeted about it. The company insisted on obtaining the source code, which the researchers then provided.

According to a report at Forbes.com, Google’s initial response to hearing of Lady and Paterson’s app was to threaten the researchers for violating the Glass developer terms.

However, Google sounded apologetic and supportive in a brief statement to Forbes acknowledging the legitimacy of the researchers’ work.

Right now Glass is still in an experimental phase, and has not been widely released to consumers. One goal of the Explorer program is to get Glass in the hands of developers so they can hack together features and discover security exploits. We value this kind of security research and feel badly if we came across as overly forceful to the grad students at Cal Poly. All of this work ultimately contributes to making Glass a better and more secure product ahead of a wider consumer launch.

Glass attacks

Google also insists, in a 20 March 2014 post on Google Plus seeking to dispel Glass “myths,” that just because a technology exists (such as facial recognition) does not mean it will be available to users in the MyGlass store.

Google’s developer terms of service ban stealth picture-taking apps for Glass, and Google has stringent controls over the MyGlass app store.

Google GlassBut anyone can install apps designed for Glass using a PC connection and the Android debugging mode, known as “side-loading.”

Android, the popular mobile operating system developed by Google, is at the heart of Glass as well.

Although the debugging mode provides only limited developer access, it has been exploited in Android malware that uses the PC-to-Android connection to infect the Android device with Windows malware.

SophosLabs has seen malware attacking Android devices that sneaks in via the USB connection in debugging mode to install Windows malware that then downloads an Android banking Trojan.

This Android malware allows the attacker to intercept SMS messages in order to steal two-factor authentication codes.

In the case of Glass, the security researchers said that – despite Google’s developer policies against apps that take photos with the display off – there’s nothing in Glass’s software that prevents it from happening.

Another security researcher hacked into Glass’s root, which could allow someone who gets their hands on a Glass (via theft, say) to install any type of software, including spyware or other malware.

The potential for breaches of security and privacy means Glass users should be wary of installing any apps not approved by the MyGlass store, Google says.

Google also advises Glass Explorers (as beta testers of the yet-to-be-released product are called) that they should avoid being “creepy or rude,” among other dos and don’ts of using Glass.