Hackers Can Follow You in the Virtual World

Ionut ILASCU

March 19, 2019

Virtual reality is a promising bet for tech companies. The concept draws an increasing number of users who congregate in immaterial spaces. Although it is perceived as a separate habitat, its security is anchored in the real world, and hackers could influence the experience or take advantage of flaws in supporting apps to snoop on your computer.

Usually, the options in virtual reality are within the limits of an application that connects the VR gear (e.g. Oculus Rift, HTC Vive, Windows Mixed Reality) to the computer and renders the virtual space to the user. These apps let you interact with other users in social rooms, watch movies in virtual theaters, collaborate on projects, or dive into the unreal world of gaming.

Researchers in the Cyber Forensics Research & Education Group at the University of New Haven have explored the possibilities of hacking in virtual reality and have drawn some frightful conclusions. Their most recent work allowed them to gain full access to a VR user’s computer, follow them in the fantasy realm, seeing and hearing everything, all without tricking the victim into running malware or alerting them in any way.

The attack, which they dubbed “man-in-the-room,” leveraged vulnerabilities in the Bigscreen VR app that allowed them to infect the lobbies and rooms it creates for users to congregate and interact; the attacker would have admin-level powers, able to ban and kick users out of the room, or send them messages on behalf of other visitors.

Anyone accessing these spaces would automatically become a victim, their computers shared with the attacker. The attacker could browse and open files, execute and download software. This would open the door to infecting the computer with malware that would offer permanent access to the machine.

Simply put, the researchers poisoned the Bigscreen infrastructure, allowing them access to the system of anyone joining the VR party, either in public or private rooms. The researchers explain the infection process and the level of control obtained this way in a recently released video:

In previous work exploring the possibilities of hacking in the virtual environment, researchers from the same group managed to force a VR user to unknowingly move, physically, to a specific point in the room during game play. They achieved this by constantly modifying the data that guides the player in the virtual world, thus feeding slightly changed coordinates to the head gear.

Because the player moves according to the reality in the game, they don’t notice the small steps they take towards a point set by the attacker. In the end, the player ends up in a different position than when they started the game, which could be in harm’s way (an open window, a flight of stairs, or various obstacles in the room).

The experimental research took advantage of the lack of encryption in Guardian, the program from Oculus that dictates movement in the virtual reality. It required compromising the target computer and did not consider antivirus protection. A video demonstrating the attack is available below:

Despite the demonstrative nature of this work, the results clearly show that virtual reality is not exempt from flaws. Serious attacks, both theoretical and practical, are possible, and they have an impact in the real world.

 
