Research

The world at your fingertips… and theirs too

Technology has changed our lives, the way we live and work. With the emergence of wearables, the convergence between the virtual and the physical world makes people feel more natural using technology all the time.Google Glass is one of the most amazing wearable devices and although it is still at an early stage of development, it is undeniable that you can do awesome things and experience the world in a different way with them.

Google_Glass_1

With out-the-box functionality, you can search the internet, take pictures or videos, check mail, send messages to Hangouts contacts, or publish information to Google+. What truly excites us are foreseeable uses in fields like medicine or education. The device could become indispensable by helping surgeons check patient vital signs or video broadcasting their surgeries to other specialists. Similarly, we can foresee novel means of transmitting knowledge to students in interactive ways. Perhaps we can even imagine enhancements to law enforcement by enabling immediate recognition of wanted criminals.

Google_Glass_2

Google_Glass_3

Unfortunately, the emergence of new technologies also entails new security risks. There are in fact many concerns about potential risks to privacy and ways in which these new devices could be compromised. Cybercriminals don’t rest and are always looking for new ways to obtain gains from their victims, whenever they see an opportunity they will work day and night to achieve this objective.

New Technologies, Old Risks.

Google_Glass_4

New and existing devices have many things in common: they use the same protocols and are interconnected with other devices using similar applications. There is no way around this. Traditional attack vectors are mainly against the network layer in the form of Man-in-The-Middle (MiTM), the exploitation of some vulnerability in the operating system, or the applications themselves. Being based on Android, Glass could inherit known vulnerabilities found in other devices with the same OS.

There are two ways to surf the Web from Google Glass: through Bluetooth pairing to a mobile device that shares its data network connection, or directly through Wi-Fi with prior configuration of the network via a MyGlass account or mobile app generated QR code.

Google_Glass_5

Google_Glass_6

The procedure to add a network is pretty simple: by adding a network name and password a QR code is generated containing connection settings which when looked at through Glass establishes an automatic connection to the network.

Google_Glass_7

Last year, a vulnerability was published by the Security firm Lookout related to this procedure that would mislead a user to connect to a fake access point through a malicious QR thus allowing a potential attacker to hijack network communications and possibly redirect navigation to a malicious web page that could exploit a known Android web vulnerability. This vulnerability was patched but gave us a clear sense that attackers could discover ways to compromise these new devices.

A source of potential risks is that unlike a computer or a mobile device, the Glass interface is navigated through ‘cards’ to scroll through the different applications and settings thus limiting configuration options and in some cases automating certain procedures and functions with little input from the user, as in the case of connecting to a network or sharing information. This automation opens the door for exploitation by attackers and the compromise of user privacy.

Another threat avenue is the propensity for users to activate ‘debug mode’ in order to install applications outside of the official glassware ecosystem thus raising the risk of installing malicious applications.

This opens the possibility of new attacks using old methods such as social engineering through the use of the magic words: “free” and “sex”. Although not all apps advertised this way are malicious, the terms stand as a hook for users in search of new experiences, willing to step out of the comfort zone pre-arranged by the manufacturer.

Google_Glass_8

One simple test

As mentioned earlier, a feature distinguishing Glass from other wearables is the ability to navigate the internet directly via a Wi-Fi connection, rather than exclusively piggybacking off of a paired mobile device. However, this ability also means that the device is exposed to network vectors attacks, particularly MiTM.

Imagine this scenario, you are at your favorite coffee shop and decide to connect to the Wi-Fi network using Glass. You set up the network and are off to check-in on Foursquare, launch an app to recognize the song playing in the background and fetch the lyrics. But what if in this network someone is using a tool to poison the other devices into redirecting traffic towards a router IP address thus capturing all of the network traffic?

We tested by doing just that in a controlled laboratory network. Once the network was compromised, we did some searches on google, standard site browsing, sent pictures and messages to some of our contacts, and even read the news.

Google_Glass_9

Once we captured enough traffic to analyze, we found that almost all the traffic remains encrypted after the network was compromised, specially the google searches. However, we found enough information in plain text to correlate and piece together the user’s navigation to airlines, hotels, and touristic destination sites and how and where the device was connected. Nothing too sensitive but in some cases useful for when carrying out a profiling job.

In the end, as with any other device, security must be visualized in layers and we need to protect every layer to reduce the risk of compromise. In this case, the network layer could be exposed since the device can connect to public networks but lacks the option for VPN connections thus insuring traffic can be captured and analyzed.

In coming months, we’ll see wearable devices becoming the next attack targets, highlighting the need to pay special attention to these devices, their capabilities, and the information they handle.

You can also follow me on twitter @r0bertmart1nez

The world at your fingertips… and theirs too

Your email address will not be published. Required fields are marked *

 

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox