A security flaw in an early version of Google's new Internet-connected glasses could allow hackers to control the device remotely and use its camera to "watch your every move," according to one developer.
In a blog post this week, software developer Jay Freeman said he found a way for hackers to install malicious software on Google Glass to conduct surveillance on its users. Freeman was one of the early Glass adopters selected by Google to test the device before its release to the general public next year.
Glass, a head-mounted computer that rests on the user's face like a pair of eyeglasses, can take photos, translate phrases and offer directions via a small glass cube suspended over the wearer's right eye. Freeman said hackers can compromise the headset by using a known vulnerability in Google's Android software, granting them even greater access to users' privacy than if they had bypassed security on a phone or computer.
"They have control over a camera and a microphone that are attached to your head," he said. "A bugged Glass doesn't just watch your every move: it watches everything you are looking at ... and hears everything you do. The only thing it doesn't know are your thoughts."
Freeman said the current version of Glass also lacks a PIN code to lock the device, which would allow a hacker to physically install malware on the headset and then, for example, watch what users type and see their passwords.
Such a scenario could be particularly embarrassing if a user wore Glass in private, Freeman added. Earlier this week, for example, one early Glass adopter demonstrated how he could wear the headset in the shower.
"Nothing is safe once your Glass has been hacked," Freeman said.
Charlie Miller, a member of Twitter's security team who is well-known for hacking iPhones and other Apple products, said Freeman's findings are plausible. But he said a weakness in Glass would be difficult for a hacker to exploit since it would require a Glass user to leave the device unattended for several minutes while the hacker installed the malware.
"This particular vulnerability required physical access to the Glass device so doesn't represent much of a risk to most users of the product," Miller told The Huffington Post.
Google says Glass is still a work in progress. Responding to Freeman's findings, the company said in a statement that the early edition of Glass "is not a consumer product" and is "intended for developers to play with, hack and even build great apps for."
Google also has created a website called MyGlass that allows Glass owners to change the content they see on the device or to wipe data from the headset if it's ever lost, stolen or hacked.
"We recognize the importance of building device-specific protections, and we’re experimenting with solutions as we work to make Glass more broadly available," a Google spokesman wrote in an email.