It didn't take long, but the high-profile Google Glass has already been jailbroken. Infamous Android and iOS hacker Jay Freeman (otherwise known as Saurik) has told the community that he has ‘rooted’ his Google Glass headset.
He shared a picture online showing his jailbroken device. Additionally, he published a detailed online report of how the exploit was achieved. This means other people can copy the procedure to jailbreak theirs if they want. He also highlighted how poor the security on the device is.
ZDNET writer Jason Perlow spoke to Freeman and said: “As Freeman explained to me during a phone interview, although there's no recording indicator per se, if you are being recorded, it's readily apparent from video activity being reflected off the wearer's eye prism that something is going on, particularly if you are in close proximity to the person.
But that can be changed once a Glass headset is rooted. Because Glass is an Android device, runs an ARM-based Linux kernel, and can run Android user space programs and custom libraries, any savvy developer can create code that modifies the default behavior in such a way that recording can occur with no display activity showing in the eye prism whatsoever.
And while the default video recording is 10 seconds, code could also be written that begins and stops recording for as long as needed with a custom gesture or head movement, or even innocuous custom voice commands like: “Boy, I'm tired” to begin, and “Boy, I need coffee” to end it.
You could write and side load an application that polls the camera and takes a still photo every 30 seconds, should you say … want to “case” and thoroughly photodocument a place of business prior to committing a crime, or even engage in corporate espionage. Or simply capture ambient audio from unsuspecting people around you.”
Jay did say in his own piece: ‘As an example, in an article published by Ars Technica, the situation had gotten so confused by such statements from Google employees (which included comments like “Yes, Glass is hackable. Duh.”) that Ars ended up reporting that “there's been some debate over whether developers actually gained root access to the devices or simply took advantage of a ‘fastboot OEM unlock’ that Google itself provided”.
As long as engineers, advocates, and officers from Google make statements like these without carefully looking into the facts first, it will not be possible to have any kind of reasonable and informed discussion about this system. The doors that Google is attempting to open with Glass are simply too large, and the effects too wide-reaching, for these kinds of off-the-cuff statements to be allowed to dominate the discussion.’
It really is worth checking out the original article here, as Jay explains in detail how he got root access and how the exploit works.
EDIT: 2nd May 00.02 GMT - Jay Freeman spoke to Kitguru today and we have published a new article on the subject, over here.
Kitguru says: What lies in the future for the Google Glass device?
Where is the news? Google already released the source code and said it was never even mentioned to be secure. Users have paid 1500$ to get it. Google wouldn’t lock it up. And all this “new” espionage is old already. You can get a bug and cams much cheaper and invisible. Not this obvious camera on the nose.
Stop using the term Jailbroken. There’s no jail to break out of. Google Glass is a hacker’s paradise by design. It doesn’t even have to be unlocked like Android smartphones.
Whoever “hacked” this is a moron for claiming anything special.
Title should read “ordinary person makes some useless code for an open source project”.
Look at the fanboys getting riled up already. Google Glass is an amazing device. It is a shame that the software can be hacked so easily. I’m sure Google will improve on it.
How exactly does one do this covertly when they are wearing the damn things? You are assuming that this is happening in a time when Google Glass is as common as regular glasses. They aren’t even selling these things to the public yet…if that day ever comes don’t you think it’s possible they would have …..you know…fixed security concerns like this by then?
Jail broken is the appropriate term. Linux uses jails to prevent access to the kernel. If you don’t understand the terminology or technology, stfu.
NEWS:
Someone did something with software that was intended by design. Those sneaky “hackers”. Google if anything would only work to make this easier than it currently is.
They didn’t lose time.
Absolutely stupid to “Case” a joint with a huge thing sticking out of your face. To “Case”, use any of a bazillion ‘pen’ cameras, or even just a regular smartphone, in your shirt pocket. MUCH more subtle.
Reporter is a sensationalist idiot.
What amazing journalism!
“Not to bring anybody down … but seriously … we intentionally left the device unlocked so you guys could hack it and do crazy fun shit with it. I mean, FFS, you paid $1,500 for it … go to town on it. Show me something cool,” Stephen Lau, Google Developer.
Google hasn’t said if all Glass devices will be unlocked, but these expensive developer devices are. The hack was an attack on Android 4.0.x. I’m pretty sure the production units will at least have the latest version of Android. And with the source code provided now (or soon), there’s no reason to use this exploit, since you can use fastboot to boot a custom OS. Unlocked Fastboot is made available by Google on these devices.
@Alex jailbreaking is for iOS devices, rooting is for Android, as you are gaining access to full root control. iOS keeps you in a jail, thus the jailbreaking, or breaking out of the Apple jail.
While Linux uses a “jail” that is not the term used for unlocking full access to an Android device. STFU yourself.
This article is incredibly disappointing. I am the developer who is being discussed, and while I think that what I did was interesting, I agree with all of the comments left on this article: of course it is possible to modify the software *on your own Glass* to make these kinds of dangerous-seeming changes.
The real thing that is interesting here is that, in my original article (which I can only presume Joseph McDonnell did not bother to read) I document the usage of a known (in fact, a quite old) security exploit in Android that, when combined with a design flaw in Glass (the lack of a PIN code) allows you to make surreptitious changes to not your own unit, but one owned by someone else.
The idea is that if I am given physical access to your Glass, within a minute or two I can have installed software on it which now follows you throughout your life, recording everything you do; I know where you are, I see through your eyes, I hear through your ears: the only thing I am unable to record are your thoughts.
This is a much greater attack vector and risk than with a normal Android device such as a phone or tablet, because the Glass is attached to your face, and can thereby see things that a phone normally would not get a glimpse of: it sees you enter passwords into your computer, it sees you enter PIN codes into doors and ATMs, it sees your physical keys as you use them to enter buildings, and it even can record what you write using pen and paper.
My call to Google, then, was to make certain that this device had some kind of mitigating factor, such as a PIN code or lockscreen, which they seem to have been fighting against in their designs to date. I also call them to task somewhat for releasing such an insecure device to many early adopters who are trusting them with this kind of far-reaching technology: one could imagine, for instance, that someone could be sitting inside of Robert Scoble’s hacked Glass right now :(.
It will just be expected that people leave their Google Glasses at the door/in their pockets the same way that you can’t take your camera or sometimes mobile phones into sensitive areas. Not a big deal.