Google Glass: Let the evil commence

Summary: Glass has now been 'jailbroken' with a well-documented exploit. So what can you (or others) do with a hacked headset? Apparently, a whole lot.

I was initially interested in contacting Android and iOS hacker extraordinaire Jay Freeman (aka, "Saurik") because he had recently notified the Android development community on Twitter that he had successfully "rooted" his Google Glass headset, with the bragging rights displayed below.

(Image: Jay Freeman)

Freeman has since released a lengthy account of how the exploit was accomplished, providing the bits and the procedure to repeat it, and has offered a number of warnings to the Glass community regarding just how ineffective the security on the device currently is.

I wanted to know from Freeman if, once rooted, it is possible to programmatically disable the "recording LED indicator" on the device, so that one could stealthily record without any indication to the subject that they are being captured on-camera.

As it turns out, there is no such indicator light on the "Explorer" version of Google Glass that has recently shipped to the first generation of users and developers who were lucky enough to get their hands on the headset. Duh.


Still, there's room to make the device even stealthier. As Freeman explained to me during a phone interview, although there's no recording indicator per se, if you are being recorded, it's readily apparent from video activity being reflected off the wearer's eye prism that something is going on, particularly if you are in close proximity to the person.

But that can be changed once a Glass headset is rooted. Because Glass is an Android device, runs an ARM-based Linux kernel, and can run Android user space programs and custom libraries, any savvy developer can create code that modifies the default behavior in such a way that recording can occur with no display activity showing in the eye prism whatsoever.

And while the default video recording is 10 seconds, code could also be written that begins and stops recording for as long as needed with a custom gesture or head movement, or even with innocuous custom voice commands like: "Boy, I'm tired" to begin, and "Boy, I need coffee" to end it.

You could write and side load an application that polls the camera and takes a still photo every 30 seconds, should you, say, want to "case" and thoroughly photodocument a place of business prior to committing a crime. Or even engage in corporate espionage. Or simply capture ambient audio from unsuspecting people around you.

So while the 12.5GB of usable storage on this first version of Glass is fairly meager for storing HD video, it's plenty of space for storing still image JPG files and 64Kbps compressed audio. And that's not counting storage that could be accessed in the cloud in places like Dropbox, or even using a personal wi-fi connection to a smartphone with a large amount of internal memory.

The 5MP camera and the audio pickup of the current Glass Explorer Edition are fairly unspectacular. If an AOSP version of Glass's Android OS is ever published, there's certainly nothing to stop an OEM from producing a superior headset with optical zoom, a higher-resolution CMOS with superior light sensitivity, possibly even night vision, and significantly better microphones.

[Editor's note: Google has already released the specific source code bits that Glass uses that are a requirement of the company's commitment to using the GPLv2-licensed Linux kernel. However, this does not represent a full platform Open Source release of Glass's pre-loaded apps and complete run-time environment, which, like the rest of Android, would probably be licensed using Apache 2.0]

While Glass' current battery time is limited to about 5 hours of regular use and 20 minutes of run time while doing video recording, extended recording of video and audio could be accomplished through a thin USB connector wire (painted to match hair and skin color) hidden behind the neck, leading to a large external battery hidden in a coat or a vest such as, say, the $75 12000mAh New Trent iCarrier that I carry with me on business trips to charge my smartphones.

Google intended the first version of Glass to look nerdy and clearly like a wearable computing device. But any number of techniques could be used to conceal the active components of the product through good industrial design and color blending, as well as through the use of prosthetics, makeup and hairstyles.

And if the existing Android OEM ecosystem is any indication, it's a virtual certainty that we'll see Glass headsets that are licensed by third parties.

Once you have root on a Glass headset, any number of custom software packages could be installed without Google being able to prevent one from doing things that would make your hair stand on end, such as on-the-fly image and audio processing.

This is the kind of stuff that until now, only major intelligence agencies could do with very expensive surveillance equipment. Just wait until Israeli and Eastern European startups, which are staffed with former intelligence personnel who have a huge wealth of knowledge in using this kind of technology, get a hold of this thing.

There are tons of unlicensed Android phones and tablets being produced in China. Once the basic spec of Glass is available, there's nothing to stop an unscrupulous company in Asia from creating a Glass clone that's totally open without any hacking required.

And once Glass Explorer Edition's ROM makes it into the wild, all kinds of "Evil" re-spins can be produced to make the stock Glass into a Swiss Army surveillance kit for sociopaths, not just hackers.

Such an "Evil Glass" Android distribution may include all the software necessary to turn a 14-year-old into a walking stealth surveillance device that would have been the envy of the Mossad or China's Ministry of State Security only five or ten years ago.

So we know that once a headset is rooted, the wearer can do all sorts of stuff with the device that Google never intended for them to do with it, and there are Glass applications already in the mind's eye of malicious people ready to use them for nefarious purposes.

But what about stuff that isn't being perpetrated by the wearer? What if a Glass headset starts doing stuff without the wearer's knowledge?

Well, as it turns out, as Freeman so thoroughly documents and explains on his website, there's a lot of potential for that, too.

Because the current implementation of Glass has no "pin lock" like an Android phone or tablet has, the device is always active when it is turned on, and thus it would be relatively simple to inject a headset using a USB-connected device and the Android SDK with an exploit along with a malware payload that, say... snaps pictures and records audio of everything you do, and stores and forwards it over the internet to the hacker without the wearer's knowledge.

In short, if you buy a Glass device, don't let the thing out of your sight.

Will Glass be used to "do the evil" that Google has pledged it would never engage in? Talk back and let me know.

Topics: Google, Android, Emerging Tech, Hardware, Security

About

Jason Perlow, Sr. Technology Editor at ZDNet, is a technologist with over two decades of experience integrating large heterogeneous multi-vendor computing environments in Fortune 500 companies. Jason is currently a Technology Solution Professional with Microsoft Corp. His expressed views do not necessarily represent those of his employer.

Talkback

98 comments
  • Horrors!

    Users programming their own devices contrary to the wishes of their manufacturers! What a nightmare!
    John L. Ries
    • in another voice

      I read this as "yakov smirnoff" (or Dr. Nick). Got a chuckle then made an account just to tell you that. You are a gentleman and a scholar I now bid you adieu.
      tre_digga
    • Of course..

      He has to paint the worst possible scenario of how such a device could be used. He works for Microsoft. The idea that someone might reload the OS with the invasive features disabled would never be explored because the masters of Redmond would not approve. (Can't allow people to think there is anything good about OSS.)
      revspaminator
  • Cru

    I don't know about buying a glass, but I've definitely been considering buying a mask recently.
    Shrug
    • A mask?

      One guy wearing a mask...hmmm.

      Half the city wearing a mask? Wow.
      Cayble
  • But once the device's ROM gets into the wild... Huh?

    There's already nothing stopping an OEM from producing a superior headset with better AV. They could do it tomorrow with any OS they like and yeah they almost certainly wouldn't make them as dorky looking as Google's. And I'm not granting that dorky was intentional on Google's part. Or the dorky card app metaphor. Wouldn't have to be saddled with that either.
    Johnny Vegas
  • You must work for NASA?

    You've found a way to over-complicate covert audio and video recording while quadrupling the price.
    Go buy a micro camera pen for under $100 and tuck it behind your ear or wedge it under the side of your baseball cap along your temple like a carpenter would.
    FulSpecs
    • Depends on the purpose...

      A recording pen with no real-time transmission would have the advantage of no signal for bug scanners to detect, but the disadvantages of limited storage space, losing ALL the data if the pen is destroyed before you leave (IF you leave), and no alert for your co-workers (if you are a Fed) or accomplices (if you are a bad guy) to rescue you or avenge your death if you are caught with the recording device.

      A device that transmits in real time for offsite recording has the disadvantage of making bug detection (and jamming) easier for your "hosts" but avoids the disadvantages listed above. If you need to transmit for offsite recording, a digital device with frequency hopping and encryption would be stealthier and harder to jam.

      I would expect crime shows such as NCIS to start using them as props for undercover use (fitting under wrap-around sunglasses) except for one thing: all the shows seem to have product placement contracts with either Microsoft or Apple!
      jallan32
      • That already exists too

        Why do you think there are no devices that record and transmit in real time already? Maybe not for under a hundred bucks, but there is really nothing new about stealth recording by bad guys (and law enforcement guys). For the author to suggest it is the fault of Google Glass that more illicit taping could result from its widespread use is like blaming Ford for increasing automobile accidents.
        cac1031
    • Missing a huge piece of the puzzle.

      The idea with Google goggles isn't that one person will buy Google goggles and then secretly spy with them.

      That's not the issue at all at all.

      I'm almost pulling my hair out that person after person seems to be losing all sight of what the root dynamics of concern are with Google goggles. It's getting stupid here.

      The problem doesn't simply arise due to the fact they can be used to somehow “SPY” on others. People have pointed out left right and center that firstly; we are already being recorded on a regular basis around most cities without our knowledge or permission. Now people can point out all sorts of ways that people could be spied upon by even higher tech means. I certainly bet they can be.

      From what Jason has said in his article, he clearly thinks the very same thing; “may include all the software necessary to turn a 14-year-old into a walking stealth surveillance device that would have been the envy of the Mossad or China's Ministry of State Security only five or 10 years ago.” Five or ten years ago? I guess there are better things about for the truly undercover other than Google goggles.

      Now follow this, and try to follow it closely and then think hard. THE PROBLEM DOESN'T START WITH THE FACT GOOGLE GOGGLES CAN BE USED TO SPY ON PEOPLE!!!!!!!!!!!!

      The root problem has actually been spoken of most often by those who feel Google goggles will be just fine. The root problem is partly simply a side effect of the fact that Google, much like any company didn’t create this thing to only sell a few units, the hope and sometimes result of such inventions is that they sell in the millions and people everywhere will have them. And the problem gets compounded by the issue brought up by those who feel Google goggles will be just fine, and that issue is, as these apparent fans of Google goggles tell us, it won't take long and they will be everywhere, and we will simply get used to it.

      And that my friends, really is the problem.

      It's not just a simple issue of “Ohhhhhhh…you can spy with these these things!!!”.

      It’s a matter of “WOW!!!! 40,000 people are wearing these things and I'm not sure when someone's recording me or they are not!!! I don’t particularly want to be recorded, and that one keeps looking at my kid and he's got those damn things on, just like everyone else!!”

      That’s the problem.
      Cayble
  • hypocrisy

    Isn't this the same saurik who write and runs a hacked apple store called cydia which is the base of jailbreak ing and not to mention apple calls it illegal.
    Also I am sure all the intelligence agencies on the planet must be shivering in their boots thinking about all the evil that will be released on the planet if someone rooted the google glass.
    Ever heard of ebay just go there and just put spy in the search and press enter and I am sure there there is even a dildo with a spy camera somewhere in there. Superfail article is Superfail.
    emceeb
    • WTF?

      WTF are you rambling on about?
      bubbafrombama
    • Illegal??

      Luckily for us Apple doesn't get to decide what is legal and what isn't. In the U.S. jailbreaking merely voids your warranty.
      MajorlyCool
    • Idiocy

      emceeb - point by point:

      You headed your post with the word "hypocrisy" and yet fail to mention the hypocritical part. FAIL #1.


      "Isn't this the same saurik who write and runs a hacked apple store called cydia which is the base of jailbreak ing and not to mention apple calls it illegal."

      Why yes this IS the same saurik that created and runs cydia - brilliant detective work, simply brilliant.../sarcasm. Oh and while APPLE may call it illegal by the laws of the US and abroad it is NOT illegal at all to jailbreak one's iPhone. Such an act voids the warranty but it is not illegal. Oh and just to be a grammar nazi jailbreaking is all one word - there is no space between the words "jailbreak" and "ing". FAILS #2, 3, and 4 on your part.

      "Also I am sure all the intelligence agencies on the planet must be shivering in their boots thinking about all the evil that will be released on the planet if someone rooted the google glass. "

      Actually old boy those agencies either have something similar already - someone brought up NCIS and there were several episodes where there were recording devices hidden in a pair of eye glasses - or they are salivating at the chance to get their hands on some so they can reverse engineer them and improve upon them. FAIL #5.

      "Ever heard of ebay just go there and just put spy in the search and press enter and I am sure there there is even a dildo with a spy camera somewhere in there."

      Why would anyone go to eBay and look for a dildo-mounted camera? What kind of sick perverted scumbag are you anyhow? I guess that would be the only way you'd see female genitalia IRL - by proxy anyhow. FAIL #6.

      "Superfail article is Superfail."

      No it looks like the only real super failure here is on your part. This would be FAIL #7 which would definitely qualify your post as a superfail. Thanks for playing. You lose! Good day sir!
      NonFanboy
  • Blep.

    You can record a video from, already in market, watches. And there are a lot of geek devices that let u record or take pictures without notice, bitching around for the google glass...is just losing your valuable time, all people have smartphones and nobody can know for sure if someone is speaking or taking pictures with the camera button (like some cellphones have). I can be in a restaurant and put my cellphone taking vid next to my stuff and nobody would notice either.
    Adan Avalos
    • There are cameras all over the place anyway

      If you feel the urge to break the law, don't. Now with Google Glass, double don't.
      Tim Jordan
      • The Boston Marathon guys were caught because they were on camera

        The Boston Marathon guys would be still out there. Are you one of the ones signed up to run in the New York Marathon!
        Tim Jordan
      • Don't use your credit card in public, Tim

        I'm sure that if the guy next to you were to pull out that smartphone of his and start recording you at transaction time, you'd tell him to mind his business, and put that phone away, or else.

        You're saying that with Google glasses, you would just be content with the knowledge that he wouldn't be recording you at transaction time.
        William Farrel
        • And if that guy says "I'm making a call, mind YOUR own business!"

          What do you do then? Break the law and assault him because you have assumed you are the most important person in the world, worthy of having your every move recorded?

          I ask because I want to know how you can tell he is recording you, instead of making a call. Since it is very unlikely you will have line of sight to his phone's screen, how do you know what he is doing?
          anothercanuck
      • If there is no privacy, there is no crime

        I thought someone once said this.
        kingkong88@...