Earlier today Kitguru writer Joseph McDonnell wrote about Google Glass being jailbroken, and our story was re-published on many sites across the net. Today alone we received over 100,000 hits on the article.
Joseph referenced in our article that Jason Perlow, writer for ZDNET, spoke to Jay Freeman about how he exploited the device. He said: “As Freeman explained to me during a phone interview, although there’s no recording indicator per se, if you are being recorded, it’s readily apparent from video activity being reflected off the wearer’s eye prism that something is going on, particularly if you are in close proximity to the person. But that can be changed once a Glass headset is rooted. Because Glass is an Android device, runs an ARM-based Linux kernel, and can run Android user space programs and custom libraries, any savvy developer can create code that modifies the default behavior in such a way that recording can occur with no display activity showing in the eye prism whatsoever.
And while the default video recording is 10 seconds, code could also be written that begins and stops recording for as long as needed with a custom gesture or head movement, or even innocuous custom voice commands like: “Boy, I’m tired” to begin, and “Boy, I need coffee” to end it.
You could write and side load an application that polls the camera and takes a still photo every 30 seconds, should you say … want to “case” and thoroughly photodocument a place of business prior to committing a crime, or even engage in corporate espionage. Or simply capture ambient audio from unsuspecting people around you.”
Jay Freeman sent Kitguru a message via our system many hours after our article was published today and we post his response verbatim below. We feel it is very important to let Jay Freeman express his views and to add to the article we published earlier.
“This article is incredibly disappointing. I am the developer who is being discussed, and while I think that what I did was interesting, I agree with all of the comments left on this article: of course it is possible to modify the software *on your own Glass* to make these kinds of dangerous-seeming changes.
The real thing that is interesting here is that, in my original article (which I can only presume Joseph McDonnell did not bother to read) I document the usage of a known (in fact, a quite old) security exploit in Android that, when combined with a design flaw in Glass (the lack of a PIN code) allows you to make surreptitious changes to not your own unit, but one owned by someone else.
The idea is that if I am given physical access to your Glass, within a minute or two I can have installed software on it which now follows you throughout your life, recording everything you do; I know where you are, I see through your eyes, I hear through your ears: the only thing I am unable to record are your thoughts.
This is a much greater attack vector and risk than with a normal Android device such as a phone or tablet, because the Glass is attached to your face, and can thereby see things that a phone normally would not get a glimpse of: it sees you enter passwords into your computer, it sees you enter PIN codes into doors and ATMs, it sees your physical keys as you use them to enter buildings, and it even can record what you write using pen and paper.
My call to Google, then, was to make certain that this device had some kind of mitigating factor, such as a PIN code or lockscreen, which they seem to have been fighting against in their designs to date. I also call them to task somewhat for releasing such an insecure device to many early adopters who are trusting them with this kind of far-reaching technology: one could imagine, for instance, that someone could be sitting inside of Robert Scoble’s hacked Glass right now.”
If you want to follow Jay you can do so on his website – over here.
Kitguru says: We would like to thank Jay Freeman for taking the time to contact us today, and we hope that our publishing of his comments adds some weight to his achievements and work.