The most surprising thing about this article is that Google did not see this coming. This attack vector is a very basic one considering the device, and QR codes have had security problems before. On the other hand the product is still in testing to catch issues just like this. We can hope that the final product is much more secure.

Is it just me or is the concept of QR codes fundamentally flawed and ripe for abuse? Basically any QR code that exists can be overwritten by a simple sticker of another QR code. How do you prevent this?

Fundamentally at some point there has to be some trust. Equally you could slap your own RFID tag over someone elses (perhaps inducing a high enough voltage to kill theirs first).

We already have issues with bank card scanners placed on ATMs. I don't think we've really solved the problem beyond user awareness and frequent monitoring.

The honor system, mostly. The same could be said for price tags, bar codes, license plates, etc...

But those all have specific use cases. QR codes on the other hand are meant to be universal. Imagine the QR codes in a museum all replaced with links to porn sites (two different uses - one is for information and another is for advertising).

For QR codes generated on the fly on another screen, that is obviously impossible. For QR codes on posters, I think the effort required to actually go about making stickers far outweighs any potential gain from hijacking a QR code.

Have you ever seen how many stickers for .com's still exist on post signs today? Imagine for every QR code for a movie poster someone slaps a link to their band's website. This would scale a lot better than their band's name with the .com, it would be cheaper to make, just as costly to distribute, less obtrusive, create more attention, and be way more deceptive.

Very much 'Snow Crash'.

Very David Langford.

"Because of Glass's limited user interface, Google set up the device's camera to automatically process any QR code in a photograph."

...set up the device's [$foo] to automatically process any [$bar] code...

What could go wrong?

Pwned? Really?

It's a corruption of "owned" and refers to a hack that gives the hacker total control of the target device. HTH!

The corruption originated in gaming, specifically Warcraft modding I believe. Regardless of how it originated or is used it's still rather trashy in a headline.

There's no way to say that pwned originated in gaming. It may have been popularized by gaming, but hackers have been describing things as owned and for a long time. The "typo" is regarded as leetspeak and isn't really trashy because it's more descriptive than owned itself.

really. http://pwnies.com/ too.

I've gotten normal usage of Glass-cast, as they call it, to work only 1 times in 10 anyway, heh. The feature is a distaster. You take a picture of the barcode over and over and have no feedback whatsoever what the problem is behind it not working.

Are you trying the screencast with a device that's already been BT paired & connected to your Glass?

I never see the barcode option, it just connects straight to my device immediately. I think you only end up with the barcode if you're not connected or having connectivity issues.

Google posted an update yesterday to the MyGlass app that supposedly improves connectivity, so maybe that might solve the trouble you'd been having.

>Thankfully, Google has already patched the issue.

It sounds like they are on top of it.

remind me again why you have skeptic in your name?