Google Glass Jailbreaker Warns Of Security Failures

A man who rooted a Google Glass device using an old Android exploit has warned of the potentially serious security flaws already resident in the wearable device.

Google Glass has been handed to eager developers before general release later this year, in the hope they will start creating exciting apps,  known as Glassware. But one, Jay Freeman, chose to show how malicious actors could take advantage of some security shortcomings in Glass to spy on users.

How to hack Google Glass

If Freeman had waited until Google had released the full code for Glass, as it did on the weekend, he could have carried out a typical jailbreak, unlocking the Android bootloader known as fastboot. “Having access to an unlocked bootloader is the be-all-and-end-all of power,” he wrote in a blog post on hacking Google Glass.

But his jailbreak did not use that method. Indeed, he kept bootloader locked and didn’t build a kernel to root the device, largely because Google had not released adequate information on the device, nor the source code for the OS, as companies using Linux kernels are required to do.

Instead, Freeman chose to run an existing exploit for Android 4.0, which was disclosed last September, having been developed by a hacker going by the name of Bin4ry. “Universal exploits that work on every device running particular versions of Android have been surprisingly common,” Freeman wrote.

By connecting a Glass device to a PC via USB, using the Debug Mode, and the Android debugging tool (adb), he found a way of tricking the system during a backup process.

He had to drop a symlink, a symbolic link that refers computers to certain files when carrying out processes, while the restore process was taking place. This “race condition” sees a battle between the entered symlink and the restore process to be initiated first. To help the symlink win, the jailbreaker just has to make the backup very large.

This symlink can then be used to overwrite data to make the operating system believe it is running not on real hardware, but on the emulator Google provides developers to test their apps.

“To make this work, we need to find a package that both allows its data to be restored from a backup (packages can opt out) as well as is owned by root (so that the backup is extracted as root, which is required in order to write to /data/local.prop). On most Android devices, the Settings application fits the bill. On Glass, there is no Settings, but we got lucky: the Glass Logging service satisfies both criteria.”

The next step is to install a customised operating system, completing the full jailbreak.

Security failings

There are two reasons this was concerning from a security perspective. First was how quick and easy it was to carry out a non-standard jailbreak. “This exploit is simple enough that you can pull it off with just a couple files, and without any specialised tooling.”

The second issue is that gaining access to Glass is much easier than accessing an Android phone, as it has no screenlock.

If jailbreaking a device is so simple, those who leave their Glass device alone for a brief period could have it hacked and surveillance software loaded onto it, much in the same way TechWeek reported on with iPhones last year.

Given Google has now given away the Glass code, jailbreaking is now much easier than taking the Freeman way too, only making the threat even more real.

“All [hackers] need to do is modify your device to automatically upload all of your contacts to a server the next time you pick it up and start using it. They can even leave software that allows them to remotely access it at any time, getting your location or even taking pictures,” he added.

“Even if you wear Glass constantly, you are unlikely to either sleep or shower while wearing it; most people, of course, probably will not wear it constantly: it is likely to be left alone for long periods of time. If you leave it somewhere where someone else can get it, it is easy to put the device into Debug Mode using the Settings panel and then use adb access to launch into a security exploit to get root.

“Once the attacker has root on your Glass, they have much more power than if they had access to your phone or even your computer: they have control over a camera and a microphone that are attached to your head.

“A bugged Glass doesn’t just watch your every move: it watches everything you are looking at (intentionally or furtively) and hears everything you do.”

Google had not responded to a request for comment at the time of publication.

What do you know about Internet security? Find out with our quiz!