Tag Archives: Google Glass

Google Glass?QR ???????????? Wi-Fi ??????????????

QR(クイックレスポンス)コードの悪用そのものは、目新しい発想ではありません。昨年、QR コードに埋め込まれた悪質な USSD コードによって、Android スマートフォンの人気機種でデータが消去される恐れがあると判明したケースを覚えている方もいらっしゃるでしょう。QR コードは何年も前から使われていますが、モバイル端末で読み取った場合、そのデータがどうなるのかユーザーにはまったくわかりません。

シマンテックは、QR コードによる悪質なサイトへの自動リダイレクトを防ぐために、ノートン スナップというアプリケーションを作成しました。リンク先アドレスにリダイレクトされる前に、その URL がスキャンされます。すでに、ユーザーから毎日数千件の URL ルックアップ要求が届いています。先月は、総数のうち悪質な URL が占める比率は 0.03% にすぎなかったため、まだ大きなリスクとは見なされていません。しかし、スナック自動販売機の QR コードが乗っ取られ、スナックの料金が別の場所に支払われてしまうというケースがすでに発生しています。

 

1 - Google Glass QR codes.png

図. Google Glass と QR コード
 

見てはいけない

Google Glass は現在特に注目を集めているテクノロジのひとつであり、シマンテックの研究室でも調査目的で多くの Google Glass 端末を手に入れました。Google Glass と QR コードの関係について言えば、QR コードを使って設定は簡単になります。何といっても目を使ってテキストを入力するというのはかなり難しいでしょう。セキュリティ企業の Lookout 社が、悪質な QR コードを使って Google Glass を操作できる方法を分析しました。ウェアラブルデバイスは、ユーザーとのインターフェースがこれまでと異なるという性質上、新しい攻撃経路になる可能性があります。Lookout 社によると、QR コードを撮影すると、Google Glass は悪質な恐れのある Wi-Fi アクセスポイントに知らないうちに接続する可能性があります。こうなると、フォトボム(photo-bombing。撮影者の意図に反した被写体が映り込むことを指す俗語)という言葉がまったく新しい意味を持ってきます。Google Glass は一般的な QR コードをすべてサポートしているわけではなく、デバイスの優先 Wi-Fi アクセスポイントの再設定に利用しています。

Google Glass が悪質なアクセスポイントに接続すると、攻撃者はトラフィックをすべて盗聴し、場合によってはユーザーを悪質な Web サイトにリダイレクトします。幸い、Google 社もこの問題を認識しており、すでに修正済みなので、Google Glass で写真を撮るとき、いちいち QR コードを避ける必要はなくなりました。

 

デバイスを制御する方法は QR コードに限らない……

Google Glass が QR コードによってフォトボムを受ける可能性には注意が必要ですが、モバイルデバイスを悪質な Wi-Fi アクセスポイントに接続させるには、もっと簡単な方法もあります。今では、ほとんどの人がスマートフォンの Wi-Fi 機能を常時オンにしています (Google Glass もです)。つまり、デバイスは接続できる既知のアクセスポイントがないかどうか、周囲の環境を常に調べているわけです。新たに登場したウェアラブルデバイスもインターネット接続を簡単にするために同じように動作すると予測されますが、デバイスが検索するネットワークを簡単な方法で偽装できるソフトウェアも出回っています。WiFi Pineapple という小型デバイスを買えば、必要な操作をすべて自動的に実行してくれます。たとえば、自分のスマートフォンが「myPrivateWiFi」という SSID 名の自宅の Wi-fi ネットワークに常に接続する設定になっているとします。このスマートフォンを持っていった近所のコーヒーショップに、攻撃者が悪質な WiFi Pineapple を取り付けていれば、攻撃者が仕掛けた WiFi Pineapple はスマートフォンが myPrivateWiFi を検索したときに、単にプローブ要求に応えるだけで myPrivateWiFi ネットワークになりすますことができ、その時点から、セッション乗っ取りや盗聴といった典型的な中間者(MITM)攻撃が実行可能になります。この種の攻撃は QR コードを認識しないデバイスでも実行できます。したがって、Google 社が QR フォトボムに対するパッチを公開しても、Wi-Fi 乗っ取りに対する Google Glass の脆弱性は依然として残ることになります。

残念ながら、Google Glass の Wi-Fi 乗っ取りは、すぐに解決できるほど小さな問題ではありません。Wi-Fi ホットスポットを使うたびにデバイスをペアリングするという手間をかけず、すぐに使えるスムーズなユーザーエクスペリエンスが望まれているからです。よく使うアクセスポイントの MAC アドレスと SSID の併用が有効な場合もありますが、ローミングが関係してくると実用的ではなくなりますし、MAC アドレスも WiFi Pineapple で簡単に詐称できてしまいます。

それより現実的な Wi-Fi 乗っ取りの解決策は、ネットワークはどこでも危険なものという前提に立って、すべてのアプリケーションで SSL などの暗号化通信、または VPN 経由のトンネルを使うことです。こうすれば、現在地についても、接続先についても気にする必要はなくなり、安心して日光浴を楽しむことができます。

 

* QR コードは (株)デンソーウェーブの登録商標です。

 

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

Google Glass Still Vulnerable To WiFi Hijacking Despite QR Photobombing Patch

Malicious quick response (QR) codes are not a new idea. Some readers might remember last year when it was found that a popular Android smartphone could be wiped by a malicious USSD code embedded within a QR code. QR codes have been in use for many years now but when scanning them with a mobile phone the user can never tell where they will end up.

To protect against automated redirection to malicious sites with QR codes, Symantec created the Norton Snap application which scans any URL before the user is redirected to the destination address. Currently we get a few thousand URL lookup requests each day from our users. During the last month only 0.03 percent of those URLs were malicious. Hence it’s not yet considered a huge risk, but we have already seen cases where QR codes for snack vending machines where replaced, so that the paid for snacks gets released at a different location.
 

1 - Google Glass QR codes.png

Figure. Google Glass and QR codes
 

Don’t look now

Google Glass is one of the hottest pieces of technologies out that at the moment and we’ve got our hands on a number of them for research purposes in our labs. As far as the relationship between Glass and QR code goes, it provides an easy way of using QR codes to configure them; after all it would be quite difficult to enter text using your eyes. Our colleagues at Lookout analyzed how Google Glass can be manipulated using malicious QR codes. Wearable devices by their nature can open up new attack vectors because the user interacts with them differently. Lookout have stated when taking a photo of a QR code, Glass will silently connect to a potentially malicious WiFi access point. This gives the word photo-bombing a whole new meaning. Glass doesn’t support all general QR codes, but uses them for reconfiguring of the device’s preferred WiFi access point.

Once the Google Glass connects to the access point of the attacker, the attacker can sniff all the traffic or even redirects the user to a malicious website. Fortunately, Google is aware of this issue and have already fixed it so you don’t have to keep looking away from QR codes whilst taking pictures with the device.
 

QR code is not the only way to PWN a device…

So, while Glass’ ability to get QR photo-bombed was interesting, there are far easier ways to get a mobile device connected to a rogue WiFi access point. Many people leave WiFi enabled the whole time on their smartphones. This means the device constantly probes the surroundings to see if there is a known access point that it can connect to. Similar behavior is expected in new wearable devices to make it easier for them to interact with. There is software available that will impersonate any network that a device searches for and this software is quite easy to use. You can even buy a small device called WiFi Pineapple that will do all the work for you. For example if your smartphone remembers your home network with the SSID name “myPrivateWiFi”. The attacker will simply answer the probe request and pretend to be the network “myPrivateWiFi”. From that point on classic man-in-the-middle (MITM) attacks, like session hijacking or sniffing, can be performed. Hence it is easier to get a wearable device like Google Glass or a smartphone to connect to a rogue access point this way as no accidental recognition of a QR code is necessary. Further, even with Google’s patch for QR photo-bombing, Glass remains vulnerable to WiFi hijacking.

Unfortunately, this latter issue is not trivial to solve. Users want to have a smooth user experience that just works without the hassle of pairing the devices each time they use a WiFi hotspot. Remembering the MAC addresses of the access points together with the SSID could help in some instances, but that is not feasible in the context of roaming and MAC addresses can easily be spoofed as well.

The more practicable solution is to treat every network as hostile and ensure that all the applications use encrypted communications like SSL or tunnel through a VPN. That way you don’t have to worry about where you are or what you are looking at, but instead you can relax and enjoy the sunshine.

Google Glass and Tomorrow’s Security Concerns

If you haven’t heard, Google Glass, the latest gadget from the Silicon Valley giant, has set the media and tech world abuzz, with both admiration and controversy surrounding the device. Google Glass was released to the public last week and combines smartphone technology with wearable glasses that is reminiscent of something seen on Star Trek. Public, in this case, actually means beta testers (called Glass Explorers) who had to apply for the chance to purchase the spectacles in advance by writing a 50 word essay using the hashtag, #ifihadglass. Those chosen had the opportunity to purchase the device for $1,500 USD.

Along with the admiration of a device that appears to do everything, comes controversy.  The 8,000 individuals who were able to purchase the device were bound to a restrictive end user license agreement, in which the product would be deactivated and rendered useless if sold, loaned, or transferred to a third party. This was discovered after one winner decided to put his glasses on EBay and was contacted by Google. However, it appears there were no restrictions against modifying or rooting the device other than the loss of warranty and technical support.

Recently, James Freeman, a security researcher from the United States blogged about his acquisition of Google Glass from Google’s headquarters in Mountain View, California. His blog post set the press and Google scrambling after he posted a picture showing that he had rooted the device. Freeman wasn’t part of the Glass Explorer beta test, he simply had the privilege of purchasing the device as an attendee of Google I/O in 2012. His main motivation in purchasing Google Glass was device customization.  In order to make customize the device, he had to “jailbreak” or “root” it.

The foundation of Google Glass is Android 4.04. As with any operating system, there are publicly known vulnerabilities and exploits. In this case, the author analyzed an unnamed exploit which relies on a symlink traversal and a race condition to see if he could apply it to Glass. To gain full root access, Freeman realized he needed to open the Debug menu on Glass. The Debug menu is typically locked on smartphones and requires a PIN to access it, but this was not the case with Google Glass. Freeman discovered that the Debug menu on Glass was not locked down and allowed for easy access to the device:

“Even if you wear Glass constantly, you are unlikely to either sleep or shower while wearing it; most people, of course, probably will not wear it constantly: it is likely to be left alone for long periods of time. If you leave it somewhere where someone else can get it, it is easy to put the device into Debug Mode using the Settings panel and then use adb access to launch into a security exploit to get root.

The person doing this does not even need to be left alone with the device: it would not be difficult to use another Android device in your pocket to launch the attack (rather than a full computer). A USB “On-The-Go” cable could connect from your pocket under your shirt to your right sleeve. With only some momentary sleight-of-hand, one could “try on” your Glass, and install malicious software in the process.”

Although the vulnerability in Google Glass allows for anyone with malicious intent to install malware to their heart’s desires, it does require physical access to the device. As those in the security community know, while this vulnerability is a definite flaw security wise, if you can have physical access to a device, it is not completely secure. This is why Linux distributions have a single user mode for forgotten or lost root passwords. If you have physical access to the device or computer, it can be considered insecure.

Wearable devices will give malware authors another avenue to exploit, as evidenced by their transition from desktops to mobile devices. Enterprising and creative malware authors will always try to find a way to exploit a vulnerability in anything, and it will only be a matter of time before it happens.

In theory, Glass or any device that can be worn and used to record at the same time can have security implications. We might not be far away from clever ways for these devices to be used against us. For example, privacy risks such as being recorded inconspicuously wherever you are and theft possibilities, such as having your ATM PIN recorded. These problems just scratch the surface—the list of security concerns might be endless.

Wearable Technology: Utterly Fantastic or the Next Privacy Fiasco?

You’ve felt it. That tiny nagging of a feeling making you doubt for a second whether or not you should post what you’re doing on Twitter, share that picture of your new car (including the license plate, shall I mention) on Facebook, or tag your location in an Instagram photo. But that’s just the beginning! Read more…