Google Glass launch raises questions on wearable security
Google Glass is now available in the UK for £1,000, but will the data-gathering wearable computing device face roadblocks because of privacy and security concerns?
Google Glass launch raises questions on wearable security
Google Glass is the first in a wave of wearable technology devices that has the potential to change how people interact and search the web.
First launched to the general public in the US in May, Google Glass looks somewhat like futuristic designer spectacles. The device has a prism-based translucent screen mounted above the right-eye with a camera to take pictures (5MP) or videos (at 720p), and the optical head-mounted display presents a high-definition display the equivalent of a 25-inch screen from eight feet away.
The camera can be controlled by using voice commands or gesture recognition, and users can bring up text messages, emails, map directions and weather on the screen.
Glass relies on a Bluetooth 4 LE connectivity to sync with a nearby smartphone but does also connect to the internet via Wi-Fi 802.11b/g. It is powered by a version of Google's Android mobile operating system, can run specialised “Glassware” Android apps and has a battery life quoted at one day – or 45 minutes of continuous video recording.
But the clamour for Glass has been met with considerable concern over porous security and privacy. The wearable device doesn't have any sort of authentication – password, pin or biometrics - resulting in numerous muggings in the US, and a debate in on-going on the right to privacy when people are unknowingly being filmed.
In addition, questions are being asked on potentially porous application security and if web traffic is encrypted.
Up until now, Google Glass has also been available to early adopters in the US, but today the search-giant's “beta” programme was extended to the UK, where Glass can now be purchased for £1,000. Buyers must be over 18 years old and have a UK credit card and address. Although expensive, research outfit IDC expects Glass and other wearables to drop to approximately £150 by 2018.
Sean Newman, security strategist at Sourcefire – now part of Cisco, said that users should be aware of the security risks associated with internet-connected devices, like Google Glass.
“As we connect ourselves more and more to the internet it's important to be mindful of the risks and implications of new devices like Google Glasses,” he said in an email. “There's a huge question of what the security implications of connecting these kinds of devices to the corporate infrastructure will be. For the IT team that is already defending their organisations from ever more sophisticated cyber criminals, wearable technology is just another attack vector that needs addressing.
Speaking to SCMagazineUK.com, 451 Research's analyst for enterprise security, Javvad Malik, agreed that the tide of support is ‘strong' for the Internet of Things and warned that security issues will arise if Google and other suppliers don't take security precautions seriously.
“We can look at this from two angles – one is the security of the wearables themselves. Will all manufacturers build in enough security to protect your glasses, watch or wristband data from being accessed, modified or stolen? We'll probably see a whole new set of attack vectors ranging from the CEO who was kidnapped because his fitness tracker told the attackers all of his movements and times for the last six months. Or maybe we'll see cameras being compromised to capture and send videos or images from Google Glass type devices – in a way similar to how we've seen laptop and desktop webcams get compromised.”
He added: “The second part is how you protect against people using wearable tech to bypass your security controls. It used to be easy to confiscate a mobile from someone at the door to the data centre… but as technology gets smaller and more integrated, how do you cope? When your watch or glasses can take photos or make phone calls – you can render a whole bunch of DLP controls ineffective.”
Sarb Sembi, director at consultancy Storm Guidance and a prominent member at ISACA UK, compared the emergence of Google Glass to that of the iPad in enterprises back in 2010, where hoards of iOS devices were brought into work without authorisation.
He urges companies to think ahead and adopt internal privacy policies, so that would-be users know when and where wearable devices can and can't be used.
But he anticipates that the trend won't take-off until apps - of which there are only five available in the UK at present - become ‘useful' and in the hands of executives.
“Usefulness is going to be the driver. Consumerisation is going to take over any logic an organisation has,” Sembhi told SC UK. “It's not about security, it's about getting it out there.”
Like Malik, Sembhi details the possibility that Google Glass could be stolen from an executive office and used to steal data, or even as part of a bigger ID theft attack.
“I think one thing that is important to look at is the mobile security in the business model behind the product. For Google, that's advertising and local,” said Sembhi, who added that companies like these will add ‘as few controls as possible' to increase usability.
“Security is not the driver to getting pervasiveness,” he said.
Google Glass has already been used by some businesses, with Virgin Atlantic check-in crew at London Heathrow airport running a successful trial earlier in the year.
Glass has been found to have security vulnerabilities in the past. Undergraduate researchers from the California Polytechnic San Luis Obispo built a spyware proof of concept and found that it was able to bypass the Google Play store.
Mike Lady and Kim Paterson built what was believed to be first spyware proof-of-concept for Glass. When installed, the ‘Malnotes' app directed Glass to take a picture every ten seconds and upload images to a remote Google server – without the user's knowledge as the app only worked when the device's display was off.
The researchers put the app on Google Play rather than MyGlass, the common route for Glass applications, because the latter continues to be manually checked by the search giant for suspicious applications.
Many applications also come from developers' personal websites, and side-loading apps is a concern when Glass is attached to a PC via USB and placed into "debug" mode.
This isn't the only security instance for Glass since its emergence as a prototype. Researchers at Lookout Security found that Glass would scan a QR code instructing it to connect to a malicious Wi-Fi access point, and some months later Symantec discovered that Glass would regularly look for networks that they have connected to before. In this case, hackers could borrow a network's SSD (service set identifier), using a device like Wi-Fi Pineapple, to spy on data traffic and carry out a man-in-the-middle (MiTM) attacks.