Hasta La Gadget!

Google has quietly patched a Glass security exploit that could have allowed hackers to take control of the wearable by showing it a QR code, the researcher who identified the flaw tells SlashGear. The exploit, discovered by Marc Rogers, Principal Security Researcher at Lookout Mobile Security, took advantage of Glass’ streamlined setup process that saw the camera automatically – and transparently to the wearer – spot QR codes in images and use them to trigger WiFi connections and other configurations. By creating malicious codes, and hiding them in images, Rogers was able to get Glass to connect to a compromised network, show details of all network traffic from the wearable, and even take full remote control.

The exploit – which we referred to in our June interview with Rogers, though without specific details as Google and Lookout were still addressing the fix at the time – has been fixed as of Glass firmware XE6, released on June 4. It’s a turnaround the Lookout researcher is impressed by, after only informing the search giant of the issue on May 16. “This responsive turnaround indicates the depth of Google’s commitment to privacy and security for this device,” he says, “and set a benchmark for how connected things should be secured going forward.”

At the root of the issue was how Google attempted to handle Glass setup, given the non-traditional input options the wearable offers. Without a keyboard, and with only voice-recognition and minimal trackpad access using the small panel on the side of the headset, the Glass team turned instead to visual setup tools.

Using QR codes – the glyphs also known as “2D barcodes” – Glass could be set configured to connect to a certain WiFi network, Bluetooth device, or something else. So as to minimize the need for the user to strum through the menus, Glass would automatically identify any QR codes in images snapped with the camera, and act on them automatically.

It’s that automation – which came with no notification to the user that codes had been spotted and acted upon – which opened up the loophole Rogers could take advantage of. By reverse-engineering Google’s QR codes, he could create a range of his own glyphs that would instruct Glass to connect to a WiFi network of his choosing. Using the software tool SSLstrip, he could then gain access to all of the network traffic from the wearable, such as messages, emails, and Hangouts calls.

Taking it one step further, by pushing Glass to a page on the wireless access point that took advantage of an Android 4.0.4 vulnerability, Rogers could then hack the headset itself and actually take control of it, even to the point of remotely turning on the camera and seeing what the wearer was looking at.

As of XE6, Google has changed the Glass software so that the camera will only identify QR codes when the user specifically triggers scanning through the settings, rather than looking for them proactively. The use of 2D barcodes for settings was seen as a first step for the technology and wearables; more everyday examples could have been automatically translating menus in foreign languages, or automatically downloading music tracks from QR codes discretely embedded in band posters.

The Lookout researcher doesn’t expect this to be the last vulnerability identified in Glass, though he also argues that it’s probably a good thing. By running through the hardware and software in limited “Explorer Edition” public trials first, he points out, by the time the consumer version arrives – expected sometime in 2014 – users will be more “able to trust Glass … because it has been tested.”

Still, it’s indicative of a largely unconsidered issue as more and more devices get not only smarter but increasingly autonomous. “When you have billions of connected devices, without UIs, how do you manage updates?” he asked, rhetorically, warning that we could see a new age of potential loopholes as ways of patching flaws lag behind functionality.

Next up, Lookout intends to pare through other connected devices in other fields – Rogers told us he’s looking at car manufacturers, environmental controls, and smartwatches – to see what exploits he can uncover. If the developers of those gadgets are looking for a good example of updating practice to follow, though, they could do worse than mimic Google, he says. Otherwise, poorly-managed security could lead to the public simply not trusting tomorrow’s gadgets.

“There’s a risk that we will get a little bit scared by new things, and there’s a risk that we could miss out on cool things [as a result]” Rogers explained, if the flaw hadn’t been spotted until the commercial model. It’s an example of how the so-called “internet of things” raises new challenges to security experts and manufacturers, he says, especially given that some of the companies developing such devices are specialized in either software or hardware, but seldom both.

Google Glass exploit hacked wearable with QR codes is written by Chris Davies & originally posted on SlashGear.
© 2005 – 2013, SlashGear. All right reserved.

Google updated the look and feel of the Google Play Store yesterday for desktop users, giving it a cleaner look that fits more in the line with the mobile version. However, the update hints at the possibility that Google Glass apps could be distributed through Google Play, and Glass owners may be able to browse the Google Play store on Glass itself.

When you go to download an app in Google Play, you can choose from a list of all your Android devices from a drop-down menu. The updated Google Play store now lists Google Glass in the drop-down menu, giving us proof that Google has at least some intention of bringing the two together at some point.

As it stands now, Glass owners have to navigate to a specific portal in the My Glass app on their Android device, which isn’t too terrible of a process, but it would be so much more convenient for Glass users to download and install apps without the leaving the comfort of that small heads-up display and touchpad on the side of their head.

Of course, the appearance of Google Glass in that drop-down menu leads to a grayed-out selection, meaning that compatibility between the two isn’t quite ready just yet, but Google may be in the process of getting it up and running.

We already know that Google Glass is getting some kind of boutique app store with Glass-specific apps, thanks to code that was discovered in the latest Glass update, but Google hasn’t addressed it publicly and they haven’t enabled it yet. This boutique method seems a little different than the simple Google Play integration, so it’s possible Google is experimenting with a few different options right now.

VIA: Android and Me

Google Play Glass Boutique support hinted in new store update is written by Craig Lloyd & originally posted on SlashGear.
© 2005 – 2013, SlashGear. All right reserved.

Current VR just can’t match our natural experiences — real life doesn’t have much lag, for example. However, Oculus has just published a pair of research posts showing the ways that it’s closing the gap between simulation and reality. Steve LaValle, Oculus’ Principal Scientist, explains how prediction minimizes the latency inherent to head tracking; coder Tom Forsyth, meanwhile, has advice on what developers can do to reduce motion sickness. Both studies dive deep, and may not be for the faint-hearted. If you’re willing to follow Oculus down the rabbit hole, however, you may learn a thing or two about VR’s future.

Filed under: Displays, Wearables

Comments

Via: Oculus Blog

Source: Oculus (1), (2)

It’s time for Sony’s second effort in the SmartWatch business, this time with a device that – once again – comes out well before any comparable efforts in wearable industry take shape. This device is appearing this week with Clove, an international web-based spot for sales of such devices, with the company suggesting they’ll have the machine in-stock starting on the 15th of July. This device is also suggested – and remember, this is all preliminary – to be coming in at just 120 pounds in England.

With this machine essentially standing alone in the market as both a smartwatch that can act as its own self-contained device and as an Android-based mini-screen still supported in a major way by its creator, the pricing may surprise you. Sony’s SmartWatch 2 is said by Clove to be well under two bills – that’s right around $180 in USD. With a launch date at July 15th, it’s also surprising that this machine hasn’t been added to any other store stock anywhere else, either.

This device is bringing on a display that’s 1.6-inches large with 220 x 176 pixels to its name, bringing along Bluetooth 3.0 and NFC for wireless connectivity. This device can indeed act on its own, but pairing with a smartphone for internet will allow you to get updates for items like email and Facebook messaging.

Pairing with the Sony SmartWatch 2 will be a tap away with Android devices using NFC on their own and Android 4.0 Ice Cream Sandwich or above – and it’ll all pair with your smartphone for notifications straight from it, too, if you like.

This device has been called out as an early strike against Apple’s so-called iWatch, a device whose trademark has been filed for in several countries across the planet in the past couple of weeks. Sony has, on the other hand – of course – already released their first SmartWatch which was also joined in the market by Motorola’s own MOTOACTV sports watch in 2011. So it’s not as if this is anything new.

VIA: Geekygadgets; Clove

Sony SmartWatch 2 hits Clove early with July launch date is written by Chris Burns & originally posted on SlashGear.
© 2005 – 2013, SlashGear. All right reserved.

Google’s recent XE7 update for its Glass Explorer Edition already shows signs of an unactivated locking system for the wearable, as well as a “Boutique” app store and media player. The official changes in XE7 include a web browser – which you can see demonstrated after the cut – using physical head movements to navigate pages, along with boosts to search, contacts, and other features. However, some digging through the update itself has revealed a number of much-anticipated extras that Google hasn’t mentioned publicly.

Zhuowei worked his way through the code, and found a number of dormant or work-in-progress features. Most topical, perhaps is the provision for locking Glass, an absent feature which has meant that, so far, anybody stealing the wearable off your head (or from your bag) can instantly gain access to whatever data it has saved on its roughly 8GB of onboard storage.

Google’s system for dealing with that appears to be coding Glass with a swiping lock with four components. The lock screen code suggests wearers would flick between each of the four lock IDs with swipes up and down on the side touchpad, then set each pattern with swipes left and right.

We’ve seen a similar approach from non-official Glass locking app Bulletproof. That also included the proviso to only turn on the lock if the wearable’s motion sensors showed that it had been removed – either taken off and put down to recharge, perhaps, or pulled off in a theft – rather than demanding an unlock every time the user wanted to activate it.

Google Glass XE7 wearable web browser demo:

Google had already confirmed it was working on a lock system for Glass, as part of the company’s response to a US congressional committee concerned about privacy and security. For the moment, though, Google suggests those who lose their Glass can remotely reset it from the web interface.

However, it’s not the only change spotted in the XE7 code. There’s evidence of the Glass Boutique, what appears to be a version of the Android Market for Glassware apps for the wearable. Not yet usable in XE7 – there’s mention of the Boutique, but not the actual code for it – it appears that the store will allow synchronization to Glass of Glassware and native APKs, which also implies native app support is also on the cards.

That would mean another way of running software on the wearable beyond the existing Mirror API, which basically acts as a conduit between Glass and web-based software. Google currently has Glass locked down, with the only way to install local software being an unofficial hack. Instead, the Mirror API works as a route for Glassware to communicate with the headset – as Google explained using cats back at I/O – while keeping local processing (and thus battery consumption) to a relative minimum.

Other new features center on multimedia. There’s a new set of cards mentioned – though, again, not the code for the actual functionality – for a music player, with the usual play/pause/next/previous skipping support, and album/artist information on-screen; a video player also gets a terse mention, though there’s even less detail around it. Functional already, though (even if it requires a little modification in order to activate it) is a volume control, adding a new option to the Settings that allows adjusting the volume of Glass’ bone-conduction speaker.

The remaining changes are either minor, mysterious, or both. A new, red microphone icon has been added, along with a package installer – not yet functional – that looks like it might eventually permit downloaded APKs to be loaded onto the headset. The ability to only see timeline cards from a specific contact is also hinted at, though again doesn’t yet work; there’s also what appears to be a version of the new contact list – which now includes all of your Gmail contacts rather than just ten as Glass originally supported at launch – that can be navigated by head movements, just as with the new browser.

When Google might go live with any of these newly-spotted features – if, indeed, they ever graduate to public functionality – remains to be seen. However, it’s a sign that Glass is slowly progressing from a wearables novelty to a more legitimate mobile platform in its own right.

Glass Boutique app store, MP3 player, Lock-screen & more revealed is written by Chris Davies & originally posted on SlashGear.
© 2005 – 2013, SlashGear. All right reserved.