A security flaw in Google Glass saw it hacked and taken over remotely using only a QR code.

Google Glass Hacked by QR Code
A QR code is seen on goods for sale during the launch of a temporary "pop-up" Christmas shop run by online giant eBay on Dean Street in Soho, central London November 29, 2011. (Credit: Reuters)

The flaw, which as far as is known was never exploited in the wild, was discovered by security researchers who were able to take over control of Google's wearable technology remotely.

Mobile security company Lookout has discovered a security flaw in the way Google Glass analyses image data it captures through the camera mounted next to the screen. It has found that QR codes can be used to connect to Wi-Fi networks or Bluetooth devices without the user's knowledge, with photos and video also being uploaded unknowingly.

The problem comes about because of the way Google Glass uses Optical Character Recognition (OCR) technology. OCR allows computers to read text from images and Glass uses it to help easily configure the device.

For example, if you wanted to connect to a password protected Wi-Fi network, scanning a QR code is much easier than trying to input a password character-by-character through Glass' interface. Therefore every photo Glass takes is automatically scanned for readable text, such as QR codes.

Hostile Wi-Fi

This was discovered by the team at Lookout who created a malicious QR code which, when scanned by Google Glass, forced Glass to connect silently to a "hostile" Wi-Fi access point that Lookout controlled.

That access point in turn allowed them to spy on the connections Glass made, from web requests to images uploaded to the cloud. Finally, it also allowed them to divert Glass to a page on the access point containing a known Android 4.0.4 web vulnerability that hacked Glass as it browsed the page.

Lookout discovered the security flaw over two months ago, on 16 May, and immediately drew Google's attention to the possible security risk. Google logged the problem with the Glass team and fixed it in the XE6 software update, released on 4 June.

Following Lookout's recommendations, Google has now limited QR code execution to times when the user explicitly asks for it. Lookout also praised Google's reaction to the issue being revealed:

"Google demonstrated a first-class vulnerability management process that identified, fixed and updated the devices quickly, efficiently and silently," it said in a statement.
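The fix described above, acting on a configuration code only when the user explicitly asks for a scan, can be sketched as follows. This is an added example, not Google's or Lookout's code: it assumes the widely used `WIFI:S:…;T:…;P:…;;` QR convention as a stand-in for Glass's own format, and the `confirm` callback and function names are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed sample payload in the common "WIFI:" QR convention (an assumption;
# the article does not describe Glass's own configuration-code format).
SAMPLE = r"WIFI:S:CafeGuest;T:WPA;P:pa\;ss;;"

_FIELD = re.compile(r"([A-Z]):((?:\\.|[^;\\])*);")  # key:value; with \-escapes


@dataclass
class WifiConfig:
    ssid: str
    auth: str
    password: str


def parse_wifi_qr(text):
    """Return a WifiConfig for a WIFI: payload, or None for any other text."""
    if not text.startswith("WIFI:"):
        return None
    fields = {k: re.sub(r"\\(.)", r"\1", v) for k, v in _FIELD.findall(text[5:])}
    if not fields.get("S"):
        return None  # a network config without an SSID is not actionable
    return WifiConfig(fields["S"], fields.get("T", "nopass"), fields.get("P", ""))


def handle_frame(decoded_text, user_requested_scan, confirm):
    """Decide what to do with text decoded from a camera frame.

    user_requested_scan: True only when the wearer explicitly started a scan.
    confirm: hypothetical callback that shows the SSID and returns True/False.
    Returns "ignored", "declined" or "applied".
    """
    cfg = parse_wifi_qr(decoded_text)
    if cfg is None:
        return "ignored"  # ordinary text or a non-config code
    if not user_requested_scan:
        # A code that merely appears in a photo must never change settings.
        return "ignored"
    if not confirm(cfg):
        return "declined"
    return "applied"  # a real device would hand cfg to its Wi-Fi stack here


if __name__ == "__main__":
    print(handle_frame(SAMPLE, False, lambda c: True))  # background photo
    print(handle_frame(SAMPLE, True, lambda c: True))   # explicit scan, accepted
```

The confirmation step goes one step beyond the fix the article reports; it is included because showing the network name lets the wearer notice an unexpected access point before joining it.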