Google Glass Launches
Before Google Glass became available in 2013 through the invite only “Google Explorer” program, the device had already been celebrated by some as the dawn of a new computing age and derided by others as an expensive play toy for the rich. Privacy minded groups wondered out loud if society was ready for the implications of ubiquitous Glass style headsets but despite receiving a great deal of attention, the device failed to gain widespread adoption. As a result, it was seldom encountered by individuals or groups interested in the security and privacy implications of the device.
"What does it do?"
The experience of using the device was novel enough that Google described the device’s beta testers as “Explorers”. The moniker proved apt and early adopters described a feeling of participating in a larger experiment, one designed to determine how (or if) there was a place in society for such a device. Despite the technological accomplishment that Glass represented, wearers were attempting to answer a more basic question as to what role the device could play, something that never became obvious for some. Regardless of whether Google Glass returns in a recognizable form, the device signaled another step in the now decade old trend of better connected, smaller, and increasingly more powerful mobile devices.
Unanswered Questions
Although there have been academic debates surrounding the implications of ubiquitous wearable computing, there have been few public investigations into Google Glass or other current devices from a security or privacy perspective. In the interest of validating whether concerns about security or privacy were supported by current implemented technology, we looked more closely at Google Glass. In particular, we were interested in whether wearable computing introduces a new set of risks and threats or whether it is more appropriate to associate the device with existing threat models for mobile phones or tablets.
While attempting to answer these questions, Glass proved different enough from traditional Android devices that a number of workarounds were required in order to configure the device for testing.
- Because of the lack of a traditional screen, many applications designed for testing are unusable. This includes tools to proxy device traffic, modify and add certificates to the device’s trust store, or manipulate the device’s file system.
- The device firmware includes few common command line tools necessary for testing, requiring them to be cross compiled for the device.
- The lack of an official emulator necessitates testing on actual Glass hardware which was prohibitively expensive when available to the public.
- Glass makes heavy use of multiple wireless network stacks associated with both physical and virtual network devices. (e.g. WIFI, Bluetooth, VPN’s, loopback, etc)
- The transition from Eclipse (w/ Android SDK) to Android Studio for Glass App development rendered many of the existing Glass tutorials, forum threads, and help articles on the Internet outdated.
Future Testing
While configuring the device, we were unable to find a comprehensive repository of information containing all of the steps needed to configure Google Glass in a way which would facilitate security testing. In the interests of making this process easier for others, we compiled relevant instructions, along with references to additional resources. This resulting document is intended to serve as a resource for future security engineers, developers, or anyone else wishing to examine the security posture of Google Glass. Although the content is focused on Glass in particular, it should also be applicable to any non-traditional Android lacking a screen or app-store. If you have additions or feedback regarding the document, feel free to contact us.