Google Glass spyware lets snoopers “see through wearer’s eyes”

Spyware which stealthily takes photographs using Google Glass’s built-in camera and uploads them to a remote server without the user being aware has been demonstrated successfully on the eyepiece – despite Google’s policies explicitly forbidding programs which disable the screen while the camera is in use.

The spyware was designed by two California Polytechnic students, Mike Lady and Kim Paterson, who disguised their program as a note-taking app (albeit with a name that offers a clue to its actual function, Malnotes), and successfully loaded the app, which takes a photo every ten seconds and uploads it to the internet, according to Ars Technica’s report.

Google’s policies forbid programs which take pictures when the display on its wearable Glass eyepieces is turned off – but there is nothing technical to stop an app from doing so, Forbes reported.

“The scary thing for us is that while it’s a policy that you can’t turn off the display when you use the camera, there’s nothing that actually prevents you from doing it,” Paterson told Forbes’ Andy Greenberg.

“As someone who owns Glass and wants to install more apps, I’d feel a lot better if it were simply impossible to do that. Policies don’t really protect us.”

The pair were able to upload Malnotes successfully to Google’s Play store, but were unable to sneak the app into the curated MyGlass store for Google Glass, Ars reports. Paterson noted that many Glass apps are currently “sideloaded” – i.e. not installed via official stores, but installed using developer tools in debug mode – as Glass is still in prototype.

“A lot of Glass developers are just hosting their apps from sites just to let other people try it. It’s sort of a wild-wild west atmosphere since very few apps are being released through the MyGlass store,” Paterson told Forbes. Paterson warned that if a user left Glass unattended, it would be easy to install such software without the wearer even being aware of its presence.

Google’s Glass eyepieces remain a hot topic for privacy advocates. Speaking to Business Insider, Daen de Leon, a software engineer, says that 13 bars and restaurants in San Francisco have an explicit “no Glass” policy, as well as others in Seattle, and Oakland, California.

After an incident where a Google Glass wearer was allegedly assaulted in a bar in Lower Haight for wearing the eyepieces, de Leon spoke to regulars and says that he “found her assumption that, as a complete stranger, she could enter a bar and just start recording regular customers without their permission quite disturbing.”

Author , We Live Security

  • Kim Paterson

    Hi, I’m Kim mentioned in this article. I wanted to make a correction that we did not even attempt to submit the app to the MyGlass store because the review process for MyGlass is much more stringent at this time and our app was just a proof-of-concept. Additionally, we didn’t upload the images to the Internet, we uploaded them to our secure server where only we have access to them. Thanks!

    • Stevo8800

      You must have lots of free time on your hands? lol People like you make me laugh every day about your privacy concerns. How many images did you get? How did your having access to these images change anyone’s life? Let me answer them for you because it’s simple. Besides you wasting bandwidth and server space, nothing else has changed or happened here. Let’s do some simple math. Let’s say we have 1 million Glass users. Taking a picture every 10 seconds, that’s 6 pictures per minute per user. 6 million pictures per minute, 1440 minutes in a day. 8640 million pictures per day. Man if you can go through that many pics in one day, you’re some kind of machine. Plus if you were recording video, it would take even longer to watch all them videos (probably your entire lifetime) well the video would probably be very low quality to begin with. On top of all this you would need some powerful hardware to pull video feed + images from all Glass users every day of the week, not to mention your internet bill each month. Damn your plan sounds logical. Keep on spying my friends if it makes you happy I guess. Someone who does the above either has money to waste and too much free time. I could use Facebook’s Graph API right now and pull millions of users’ pictures and photos.

      • Vicki

        Well, I’m glad Stevo8800 finds this amusing. I certainly don’t and if they can take as many pictures as he is calculating then they have software to isolate and categorize every photo they take. Privacy just doesn’t seem to matter to most anyone anymore. What is happening to our autonomy in this world?

        • Jammer

          Yes, but imagine getting an app on the Google Play store for an Android phone that would then sweep the area of the phone to find any Google Glasses and then inject the app from the phone to the Glasses. You wouldn’t need it to be uploaded to the app store. Just create some other app that is genuine (Fart app or something) with malicious intent (it lies dormant).

Copyright © 2017 ESET, All Rights Reserved.