It didn’t take long, it never does, but Google Glass has been rooted. It seems that the process was started by Liam McLoughlin (@Hexxeh) who claimed that root access should be easy as Google Glass supports ADB access in a debug mode – an equivalent of the typical Android “Enable USB Debugging” option. However Jay Freeman (@saurik) pointed out this Debug mode doesn’t lead to easy root access as a compatible kernel image is needed. Eventually Freeman managed to exploit the Google Glass kernel using a symbolic link race condition that is present in all releases of Android 4.0.x.
Freeman, who is better known for his work on Jailbreaking iPhones and for Cydia, the alternative App store for Jailbroken iPhones, has posted a tutorial on how to jailbreak Google Glass but he has also written about the security challenges and privacy issues that exist when a wearable computing device can be hacked.
The problem is that Google Glass hears and sees everything you do. In a worse case scenario a hacked version of Google Glass can store and transmit everything you see and hear to a malicious third party. This includes passwords, PIN numbers, bank cards, bank accounts, door codes and even everything you write on bits of paper.
Although this was always true of smartphones, in that malware could be installed that took pictures and recorded audio, people tend to keep their phones in their pockets or on a shelf. Even if a smartphone was bugged, I don’t hold it up to the screen while I am using the ATM! But wearable computers are different. Even if a user remembers to remove Google Glass when using the ATM there are going to be hundreds of moments throughout the day where a remote malicious third party can benefit from private information that can be captured on a compromised device. Imagine what you could discover if you were able to root and install surveillance software on Sergey Brin’s Google Glass headset!
But how easy is it to comprise someone’s Google Glass headset?
Too easy. If you like conspiracy theories then it isn’t hard for you to imagine someone surreptitiously rooting your Google Glass while you sleep. But it doesn’t need to be that clandestine, even a work colleague or a so-called friend could access your Google Glass while you are distracted and install malware. At the moment root access was achieved using a PC via the USB cable, but achieving root by connecting Google Glass to another mobile device should be possible.
A USB 'On-The-Go' cable could connect from your pocket under your shirt to your right sleeve. With only some momentary sleight-of-hand, one could 'try on' your Glass, and install malicious software in the process.
Google Glass’ biggest security issue today seems to be the lack of a lock screen. As soon as Google Glass is picked up it can be accessed without any authentication. In general, most of Android’s security vulnerabilities can’t be exploited if the device has a PIN code set, however Google Glass does not have any kind of PIN mechanism. Freeman suggests that Google’s first priority should be to add some kind of protection to Glass that activates when it is taken off.