Google Glass: Let the evil commence

Google Glass: Let the evil commence

Summary: Glass has now been 'jailbroken' with a well-documented exploit. So what can you (or others) do with a hacked headset? Apparently, a whole lot.

SHARE:

I was initially interested in contacting Android and iOS hacker extraordinaire Jay Freeman (aka, "Saurik") because he had recently notified the Android development community on Twitter that he had successfully "rooted" his Google Glass headset, with the bragging rights displayed below.

glassbroke-tb
(Image: Jay Freeman)

Freeman has since released a lengthy account of how the exploit was accomplished, providing the bits and the procedure to repeat it, and has offered a number of warnings to the Glass community regarding just how ineffective the security on the device currently is.

I wanted to know from Freeman if, once rooted, it is possible to programmatically disable the "recording LED indicator" on the device, so that one could stealthily record without any indication to the subject that they are being captured on-camera.

As it turns out, there is no such indicator light on the "Explorer" version of Google Glass that has recently shipped to the first generation of users and developers who were lucky enough to get their hands on the headset. Duh.

Great Debate

Will Google Glass face adoption challenges due to privacy concerns?

Will Google Glass face adoption challenges due to privacy concerns?

Everyone seems to have an opinion about Google's ground-breaking product.

Still, there's room to make the device even stealthier. As Freeman explained to me during a phone interview, although there's no recording indicator per se, if you are being recorded, it's readily apparent from video activity being reflected off the wearer's eye prism that something is going on, particularly if you are in close proximity to the person.

But that can be changed once a Glass headset is rooted. Because Glass is an Android device, runs an ARM-based Linux kernel, and can run Android user space programs and custom libraries, any savvy developer can create code that modifies the default behavior in such a way that recording can occur with no display activity showing in the eye prism whatsoever.

And while the default video recording is 10 seconds, code could also be written that begins and stops recording for as long as needed with a custom gesture or head movement, or even with innocuous custom voice commands like: "Boy, I'm tired" to begin, and "Boy, I need coffee" to end it.

You could write and side load an application that polls the camera and takes a still photo every 30 seconds, should you, say, want to "case" and thoroughly photodocument a place of business prior to committing a crime. Or even engage in corporate espionage. Or simply capture ambient audio from unsuspecting people around you.

So while the 12.5GB of usable storage on this first version of Glass is fairly meager for storing HD video, it's plenty of space for storing still image JPG files and 64Kbps compressed audio. And that's not counting storage that could be accessed in the cloud in places like Dropbox, or even using a personal wi-fi connection to a smartphone with a large amount of internal memory.

The 5MP camera and the audio pickup of the current Glass Explorer Edition is fairly unspectacular. If an AOSP version of Glass's Android OS is ever published, there's certainly nothing to stop an OEM from producing a superior headset with optical zoom, a higher-resolution CMOS with superior light sensitivity, possibly even night vision, and significantly better microphones.

[Editor's note: Google has already released the specific source code bits that Glass uses that are a requirement of the company's commitment to using the GPLv2-licensed Linux kernel. However, this does not represent a full platform Open Source release of Glass's pre-loaded apps and complete run-time environment, which, like the rest of Android, would probably be licensed using Apache 2.0]

While Glass' current battery time is limited to about 5 hours of regular use and 20 minutes of run time while doing video recording, extended recording of video and audio could be accomplished through a thin USB connector wire (painted to match hair and skin color) hidden behind the neck, leading to a large external battery hidden in a coat or a vest such as, say, the $75 12000mah New Trent iCarrier that I carry with me on business trips to charge my smartphones.

Google intended the first version of Glass to look nerdy and clearly like a wearable computing device. But any number of techniques could be used to conceal the active components of the product through good industrial design and color blending, as well as through the use of prosthetics, makeup and hairstyles.

And if the existing Android OEM ecosystem is of any indication, it's a virtual certainty that we'll see Glass headsets that are licensed by third parties.

"Evil Glass" may include all the software necessary to turn a 14-year-old into a walking stealth surveillance device that would have been the envy of the Mossad or China's Ministry of State Security.

Once you have root on a Glass headset, any number of custom software packages could be installed without Google being able to prevent one from doing things that would make your hair stand on end, such as on-the-fly image and audio processing.

This is the kind of stuff that until now, only major intelligence agencies could do with very expensive surveillance equipment. Just wait until Israeli and Eastern European startups, which are staffed with former intelligence personnel who have a huge wealth of knowledge in using this kind of technology, get a hold of this thing.

There are tons of unlicensed Android phones and tablets being produced in China. Once the basic spec of Glass is available, there's nothing to stop an unscrupulous company in Asia from creating a Glass clone that's totally open without any hacking required.

And once Glass Explorer Edition's ROM makes it into the wild, all kinds of "Evil" re-spins can be produced to make the stock Glass into a Swiss Army surveillance kit for sociopaths, not just hackers.

Such an "Evil Glass" Android distribution may include all the software necessary to turn a 14-year-old into a walking stealth surveillance device that would have been the envy of the Mossad or China's Ministry of State Security only five or ten years ago.

So we know that once a headset is rooted, the wearer can do all sorts of stuff with the device that Google never intended for them to do with it, and there are Glass applications already in the mind's eye of malicious people ready to use them for nefarious purposes.

But what about stuff that isn't being perpetrated by the wearer? What if a Glass headset starts doing stuff without the wearer's knowledge?

Well, as it turns out, as Freeman so thoroughly documents and explains on his website, there's a lot of potential for that, too.

Because the current implementation of Glass has no "pin lock" like an Android phone or tablet has, the device is always active when it is turned on, and thus it would be relatively simple to inject a headset using a USB-connected device and the Android SDK with an exploit along with a malware playload that, say... snaps pictures and records audio of everything you do, and stores and forwards it over the internet to the hacker without the wearer's knowledge.

In short, if you buy a Glass device, don't let the thing out of your sight.

Will Glass be used to "do the evil" that Google has pledged it would never engage in? Talk back and let me know.

Topics: Google, Android, Emerging Tech, Hardware, Security

About

Jason Perlow, Sr. Technology Editor at ZDNet, is a technologist with over two decades of experience integrating large heterogeneous multi-vendor computing environments in Fortune 500 companies. Jason is currently a Partner Technology Strategist with Microsoft Corp. His expressed views do not necessarily represent those of his employer.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

129 comments
Log in or register to join the discussion
  • Horrors!

    Users programming their own devices contrary to the wishes of their manufacturers! What a nightmare!
    John L. Ries
    • in another voice

      I read this as "yakov smirnoff" (or Dr. Nick). Got a chuckle then made an account just to tell you that. You are a gentleman and a scholar I now bid you adieu.
      tre_digga
    • Of course..

      He has to paint the worst possible scenario of how such a device could be used. He works for Microsoft. The idea that someone might reload the OS with the invasive features disabled would never be explored because the masters of Redmond would not approve. (Can't allow people to think there is anything good about OSS.)
      revspaminator
      • Typical Microsoft

        I'm pretty sure the bombers in Boston used Windows computers to do their bomb making research. Clearly (using Perlow's logic) Microsoft is responsible for the evil that was done in Boston.

        Just because an evil person can twist technology to evil uses does not make technology bad.

        Microsoft's horrid security of Windows is responsible for hundreds of billions in costs world wide each year - that is certainly much more evil than someone taking naughty pictures.
        NixRocks
      • It doesn't matter

        This tech is coming. Even if Google stops all work on it, it's still coming. We as a society need to adapt.
        StevenAbaby
    • the fraud of Android

      Yes, heaven forbid that we run the applications we want on OUR computing hardware.

      Android, the great "open-source" OS that was going to free us from Apple- and telco-style tyranny, has proven to be a fraud. Why are we "jailbreaking" an open-source OS?
      Oscar Goldman
      • It's not like it's hard to root Android...

        ...or that Google does anything to prevent it.
        John L. Ries
        • Next article: Google Glass infected infections on the rise.

          They have done it before. Now, Trojan malware from their previous article on how easy it is to root the Android phones isn't mentioned, but the new article somehow blames Google and the devices as suffering from malware infections. What a country.

          The article is just sick.
          Joe.Smetona
    • Shhh...don't tell Sony...

      They might sue you.
      DonRupertBitByte
  • Cru

    I don't know about buying a glass, but I've definitely been considering buying a mask recently.
    Shrug
    • A mask?

      One guy wearing a mask...hmmm.

      Half the city wearing a mask? Wow.
      Cayble
  • But once the device's ROM gets into the wild... Huh?

    There's already nothing stopping an oem from producing a superior headset with better av. They could do it tomorrow with any os they like and yeah they almost certainly wouldnt make them as dorky looking as googles. And I'm not granting that dorky was intentional on googles part. Or the dorky card app metaphor. Wouldnt have to be saddled with that etiher.
    Johnny Vegas
  • You must work for NASA?

    You've found a way to over-complicate covert audio and video recording while quadrupling the price.
    Go buy a micro camera pen for under $100 and tuck it behind your ear or wedge it under the side of your baseball cap along your template like a carpenter would.
    FulSpecs
    • Depends on the purpose...

      A recording pen with no real-time transmission would have the advantage of no signal for bug scanners to detect, but the disadvantages of limited storage space, losing ALL the data if the pen is destroyed before you leave (IF you leave), and no alert for your co-workers (if you are a Fed) or accomplices (if you are a bad guy) to rescue you or avenge your death if you are caught with the recording device.

      A device that transmits in real time for offsite recording has the disadvantage of making bug detection (and jamming) easier for your "hosts" but avoids the disadvantages listed above. If you need to transmit for offsite recording, a digital device with frequency hopping and encryption would be stealthier and harder to jam.

      I would expect crime shows such as NCIS to start using them as props for undercover use (fitting under wrap-around sunglasses) except for one thing: all the shows seem to have product placement contracts with either Microsoft or Apple!
      jallan32
      • That already exists too

        Why do you think there are no devices that record and transmit in real time already? Maybe not for under a hundred bucks, but there is really nothing new about stealth recording by bad guys (and law enforcement guys). For the author to suggest it is the fault of Google Glass that more illicit taping could result from it's widespread use is like blaming Ford for increasing automobile accidents.
        cac1031
      • bug detection

        The only way for this thing to transmit is through your phone, I think, which means any "bug detection" measures would also be set off by everyone's cell phone.
        Oscar Goldman
    • Missing a huge peice of the puzzle.

      The idea with Google goggles isnt that one person will buy Google goggles and then secretly spy with them.

      Thats not the issue at all at all.

      Im almost pulling my hair out that person after person seems to be losing all sight of what the root dynamics of concern are with Google goggles. Its getting stupid here.

      The problem dosnt simply arise due to the fact they can be used to somehow “SPY” on others. People have pointed out left right and center that firstly; we are already being recorded on a regular basis around most cities without our knowledge or permission. Now people can point out all sorts of ways that people could be spied upon by even higher tech means. I certainly bet they can be.

      From what Jason has said in his article, he clearly thinks the very same thing; “may include all the software necessary to turn a 14-year-old into a walking stealth surveillance device that would have been the envy of the Mossad or China's Ministry of State Security only five or 10 years ago.” Five or ten years ago? I guess there are better things about for the truly undercover other than Google goggles.

      Now follow this, and try to follow it closely and then think hard. THE PROBLEM DOSNT START WITH THE FACT GOOGLE GOGGLES CAN BE USED TO SPY ON PEOPLE!!!!!!!!!!!!

      The root problem has actually been spoken of most often by those who feel Google goggles will be just fine. The root problem is partly simply a side effect off the fact that Google, much like any company didn’t create this thing to only sell a few units, the hope and sometimes result of such inventions is that they sell in the millions and people everywhere will have them. And the problem gets compounded by the issue brought up by those who feel Google goggles will be just fine, and that issue is, as these apparent fans of Google goggles tell us, it wont take long and they will be everywhere, and we will simply get used to it.

      And that my friends, really is the problem.

      Its not just a simple issue of “Ohhhhhhh…you can spy with these these things!!!”.

      It’s a matter of “WOW!!!! 40,000 people are wearing these things and Im not sure when someones recording me or they are not!!! I don’t particularly want to be recorded, and that one keeps looking at my kid and hes got those damn things on, just like everyone else!!”

      That’s the problem.
      Cayble
      • Not Google goggles

        Google Glass is the subject here. Google Goggles is a different Google product.
        spatters71
      • The singularity is coming

        I suggest you get your kids to a third world country soon cuz 40,000 people are already recording there every movement on a regular basis. Facebook is using facial recognition to find them in random photos. And their online activities are being tracked by everyone!
        Look I worry as much about privacy as anyone else, I don't use things like Facebook or Google+ or Twitter cuz they're too invasive (and while I really don't see the point of them, others do). Also I'm no fool, I don't need to be a profit to be able to tell you that technology is going to continue to integrate more and more into our daily lives. And where it binds us in a new way it also frees us in a new way as well. Those "advancements" that hinder more than they help typically don't survive in a free market, thus I'm perfectly willing to give them a chance and see how it advances our civilization.
        You on the other hand seem to be afraid of change and anything that might improve you or those around you. But you may be able to find some remote areas of Peru or maybe out at sea where you'll be able to protect your family from the impending Borg onslaught.
        Good luck, and remember it'll be up to you to repopulate the earth once we're all gone.
        FulSpecs
        • Oh my god. Here we go again.

          This really is disturbing. Its like talking to brick walls. Its like a scene out of a movie where character #1 describes an issue to character #2 who has been missing the point, and right after the detailed description that clearly states the nature of the problem, character #2 continues on as if the conversation had never taken place.

          This is just bizarre.

          Are there really that many people with fried brains they don’t get the actual nature and source of the problem??

          Lets try, one more time. Lets start with what the real problem IS NOT.

          Is the real problem Google goggles are going to provide something quite similar to the fact we are already giving away our privacy by way of entities like Facebook and the internet in general?

          No, no how no way. Anyone who thinks so has no foresight and a stark inability to distinguish one set of facts and circumstances from another. When one uses Facebook, they are the ones who in the end who are deciding to risk their privacy by using these various entities. They also decide what exact photos they will put online. People in the photos, if they posed for a friend or family member at the very least decided to pose for the friend or family member. If you put a photo on Facebook or a friend of family member put it on Facebook for example, for that matter, if any one person put it on Facebook, you can usually know pretty rapidly who put the photo up there. There can be remedies sought because of that. In situations that are truly analogous to this kind of thing, its quite different then the REAL issue with Google goggles and privacy. There is more personal choice, there is more ease and simplicity of accountability, there are numerous differences that make the situation VERY DIFFERENT.

          What about the hundreds or even thousands of security cameras already buried into the infrastructure of a city? Different again. The images captured are not for publication and are captured by entities you could identify by apparent location if some image of you suddenly turned up without your permission someplace it wasn’t supposed to be. The entities that own the security cameras also recognize they have some vested interest in not becoming the subject of legal matters by way of misuse of the images, and they control the images and so even if a security camera, for example catches you slipping on a banana peel its not likely at all to show up on Youtube. While these things could happen, due to built in accountability and the typical cross purposes of the entity that’s using the security cameras, we generally have little to fear about them producing and posting publicly accessible embarrassing video or photos of us. Again, because of accountability, this is a VERY DIFFERENT situation.

          Is this the same problem as cameras existing in smartphones? Well, much closer, but still not exactly. The difference on one hand is simple, but creates a different enough dynamic that takes it well out of the realm Google goggles will exist in. The difference is that smartphones do have so many purposes that photography and video capture are but one out of dozens of potential uses. People do not generally walk around the streets with their smartphones pointing camera forward with the owner either already taking snapshots as they go, or at least their finger on the button ready to go. The vast majority of smartphone photos are never taken that way for obvious reasons. Just plainly, walking about the city for hours with your smartphone out and pointing around for photos at the drop of a dime would be an awkward and bizarre thing to do all day. It’s a plainly different situation with smartphones. Not to mention, anyone taking photos from a smatphone or even an SLR camera can usually be quickly identified and if one feels like it take whatever action the please to avoid being in a picture they don’t want to be in.

          The problem that will arise with Google goggles is brand new. Nothing quite like it exists anyplace in the world today. The problem arises not simply because it will be possible for Google goggle owners to take photos or video with them, the problem will arise due to the fact that the Google goggles will be in a position where they are in place ready to take photos or video at the drop of a dime and may well already be doing so at the time you first notice a person is wearing them. The state or readiness to do so is their normal state. They are where they are on your face to optimize this feature. Now once you multiply this kind of device, perhaps by tens of thousands on the streets, suddenly you find yourself in a circumstance where largely unaccountable strangers are wondering about by the thousands with cameras pointed and ready to go, some already going, taking video and photos that can pretty much instantly sent to the net, and what will make it worse is that people are saying there is likely so much of this to be going on, we will just have to accept it as normal. In other words, why ever should you be suspicious of someone wandering about snapping off all kinds and sorts of pictures and video of things where if you seen it going on today, you would at least rightly ask yourself; I wonder what they are up to?

          Now a days, if Mr. X is following you around with his smartphone facing toward you and looks like hes snapping off endless photos or video of you with your kid, it will catch your attention, alert you to potential issues. But we are now being told, once Google goggles come along, “just accept it”, everyone will be doing it. And you may find yourself milling about with many dozen such people a day in any number of different situations in the future according to what seems to be the idea.

          Im all for the future. Its in forums like this that its clear how a complete lack of knowledge about the person you are berating could be so far off from the truth about them. I am the most technologically advanced person I am aware of in all the circles I typically travel in. Im not telling anyone that I think we should just shut down the future by any means. Im just telling you as a fact, Google goggles are not like anything else, and people should not find themselves at all shocked when the 80%+ of the public that is “Joe Average” wakes up to understand what Google goggles really are will not like the idea of the streets crawling with thousands of people wearing headsets that are potentially capturing any or every moment of your outdoor life.

          The notion that Joe Average will simply say “that just fine by me” is crazy. Ive already spoken to numerous people about this, and I can tell you buddy, that plenty will not like it.

          I don’t fear change. The funny thing is, for decades now, Ive been one of the bunch pushing to usher in the change. Im just saying, this change will not be received so simply as many think.
          Cayble