As a Google Explorer, Anthony Pettenon wears his enthusiasm for technology on his face.
A member of Google’s program to expose its always-on Glass devices to the real world, the sophomore at the University of Tampa in Florida regularly wears the devices to class and out around the city. People are not worried about being around an always-on device, while the convenience and connectedness of the device is just cool, Pettenon says.
“It is cooler because you are wearing technology, rather than holding it,” Pettenon said. “Things are a lot faster—you can instantly take a picture or video and upload it right away.”
Yet those same benefits also make the devices more of a privacy and security risk for people and organizations. Google Glass is one of the more well-known examples of the Internet of Things, devices that keep people connected to the Internet as they move about their daily lives. While the increased convenience has sold many people, such as Pettenon, on the benefits of sustained connectivity, technologists and security researchers are warning that there could be serious security and privacy implications.
At the Black Hat security conference in July, for example, security researcher Brendan O’Connor showed off an inexpensive system of wireless sensors and analysis algorithms that could allow anyone to track the movements of a large number of people around a city by listening for signals from their mobile devices.
Dubbed CreepyDOL, the system highlights how much information people leak into the digital world just by walking around with a smartphone or tablet. When smartphones search for a wireless access point they send out enough information to be tracked, while a variety of popular applications send out even more personal data without encryption.
“We are leaking too much data for random reasons,” O’Connor told attendees.
Many of the users of such technology do not realize how much information they are broadcasting. For Pettenon, for example, there is little difference from the always-on Google Glass device and today’s ever-present smartphones, despite the fact that he is sending out far more photos, video and other data on every aspect of his life.
“I don’t think the privacy concerns are that great because there are other devices out there that you can do the same exact thing,” Pettenon said.
Connected devices, such as Google Glass, will only make the problem worse unless steps are taken to prevent leakage. Users still do not recognize that they are carrying around what essentially is a mobile sensor suite.
Google Glass Security, Privacy Worries Complicate Wide Adoption
Google Glass and other technologies take that even further by making it easier for the devices to gather data and help the user, said Jerry Irvine, CIO for Chicago-based IT consultancy Prescient Solutions.
A person wearing a Google Glass device could easily take pictures of sensitive data—say, a boardroom whiteboard—without drawing as much attention to themselves as someone who pulled out a mobile phone or camera, he said.
“These are the same technologies that we have in mobile phones, but because it’s being worn and you are not drawing attention to yourself as you use it, it is a bigger risk,” he said.
In addition, there are no technologies that allow users to manage the security of the devices or allow third parties to ban the devices use in certain circumstances, Irvine added. “Organizations are going to have to define what they are going to allow. Whether people can come into their facilities with these devices,” he said.
While the privacy and information-security aspects of Google Glass and other devices add new problems for enterprise security teams, wearers of the devices must also worry about having such a personal device compromised by malicious hackers.
In a recent example of the possibilities, mobile-security firm Lookout showed off an attack where a malicious quick-response, or QR, code that could redirect the data from Google Glass through a compromised access point. QR codes are the modern version of bar codes that allow data to be scanned by mobile devices. Google Glass extensively uses QR codes to configure the device. The devices were vulnerable because they would essentially allow any QR code to be used to send information to the device, said Marc Rogers, principal security researcher at Lookout.
“The user never sees anything at all,” he said. “Glass connects the user to the access point using the QR code and starts sending all of its traffic through that new access point. At that point, if you control the access point, you control the connection.”
Such attacks, while easily remedied, should cause technologists and early adopters to pause and consider the implications of increasing the ability for digital threats to impact a user. By giving individuals a larger footprint in cyberspace, the Internet of Things opens them to more attacks, Rogers said.
“As we become increasingly reliant on these devices, as they become more intimately integrated into our lives, we have to take them more seriously from a security perspective,” he said. We must take them “even more seriously than our PCs, because these things have a role in our life 24/7.”