
Hackers Can Follow You in the Virtual World

Ionut ILASCU

March 19, 2019


Virtual reality is a promising bet for tech companies. The concept draws an increasing number of users who congregate in immaterial spaces. Although it is perceived as a separate habitat, its security is anchored in the real world, and hackers could influence the experience or take advantage of flaws in supporting apps to snoop on your computer.

Usually, the options in virtual reality are within the limits of an application that connects the VR gear (e.g. Oculus Rift, HTC Vive, Windows Mixed Reality) to the computer and renders the virtual space to the user. These apps let you interact with other users in social rooms, watch movies in virtual theaters, collaborate on projects, or dive into the unreal world of gaming.

Researchers in the Cyber Forensics Research & Education Group at the University of New Haven have explored the possibilities of hacking in virtual reality and have drawn some frightful conclusions. Their most recent work allowed them to gain full access to a VR user’s computer, follow them in the fantasy realm, seeing and hearing everything, all without tricking the victim into running malware or alerting them in any way.

The attack, which they dubbed “man-in-the-room,” leveraged vulnerabilities in the Bigscreen VR app that allowed them to infect the lobbies and rooms it creates for users to congregate and interact. The attacker would have admin-level powers, including the ability to ban users and kick them out of the room, or send them messages on behalf of other visitors.

Anyone accessing these spaces would automatically become a victim, their computers shared with the attacker. The attacker could browse and open files, execute and download software. This would open the door to infecting the computer with malware that would offer permanent access to the machine.

Simply put, the researchers poisoned the Bigscreen infrastructure, allowing them access to the system of anyone joining the VR party, either in public or private rooms. The researchers explain the infection process and the level of control obtained this way in a recently released video:

In previous work exploring the possibilities of hacking in the virtual environment, researchers from the same group managed to force a VR user to unknowingly move, physically, to a specific point in the room during gameplay. They achieved this by constantly modifying the data that guides the player in the virtual world, thus feeding slightly changed coordinates to the headgear.

Because the player moves according to the reality in the game, they don’t notice the small steps they take towards a point set by the attacker. In the end, the player ends up in a different position than when they started the game, which could be in harm’s way (an open window, a flight of stairs, or various obstacles in the room).

The experimental research took advantage of the lack of encryption in Guardian, the program from Oculus that dictates movement in virtual reality. It required compromising the target computer and did not consider antivirus protection. A video demonstrating the attack is available below:

Despite the demonstrative nature of this work, the results clearly show that virtual reality is not exempt from flaws. Serious attacks, both theoretical and practical, are possible, and they have an impact in the real world.

 
