Google Glass Poses Threats for the Enterprise

By Samuel Greengard

Google Glass has garnered plenty of hype and hoopla over the last couple of years. Now that the product is available in beta, there’s a growing recognition that it presents a serious security risk within the enterprise.

“Unlike a cell phone, the device can be used in discreet ways to capture sensitive data,” says Jerry Irvine, CIO of IT outsourcing firm Prescient Solutions and a member of the National Cyber Security Partnership, a joint initiative of the Department of Homeland Security and the U.S. Chamber of Commerce. “People can record and photograph things without anyone around them being aware of what they are doing.”

It’s no small matter. Events recorded on Google Glass are automatically stored in a user’s Google+ account. “The photographic images, conversations and other data are accessible at any point in the future,” Irvine points out.

What’s more, the device currently lacks password or PIN protection. Among other things, this makes it possible for someone to connect a USB cable to Google Glass and download data. And WiFi presents an over-the-air threat.

Yet, the risks extend beyond someone gaining physical access to the device or inadvertently posting information on social media sites. Since Google Glass relies on the Android operating system, it is vulnerable to the same types of malware and attacks that affect Android phones and tablets.

The list of potential problems includes keyloggers and other Trojans. With unfettered access, someone could access passwords stored in Google Glass or secretly watch a Glass user type passwords into other devices.

Jay Freeman, a security expert on the Android platform, has pointed out in a recent blog post that once an intruder has root-level access on Google Glass, the stakes are higher than on a smartphone or tablet. With access to the camera or microphone, a hacker can view images and audio on the device at any time.

The solution? Some organizations—particularly those that deal with sensitive documents and data—should consider banning the use of Google Glasses outright, Irvine says. In fact, some experts predict that widespread workplace bans will become commonplace once the product is released commercially.

Another approach, he says, is to block automatic WiFi access within a work environment. However, it is not possible to automatically recognize Google Glass and differentiate it from any other device based on a MAC address.

It’s also wise to use filtering technology, data loss prevention (DLP) and other security tools to monitor and block communication with specific sites and sharing services, including Google+, Dropbox and SkyDrive. “It’s important to use multiple types and layers of security solutions,” Irvine advises.

Finally, there’s a need to develop strong, clear policies across an organization. “One of the best things organizations can do,” Irvine says, “is to develop policies for use, and clear restrictions and guidelines about where Google Glass can be used and how it can be used.

“Although Google Glass offers some remarkable capabilities, it also presents clear security risks. The best things an organization can do are to approach the device with caution and ensure that security systems are in place to deal with its capabilities.”