Virtual Reality Headsets Pose New Cybersecurity Threats, Warns Recent Study

Virtual Reality Headsets Vulnerable to Hackers: A Cybersecurity Concern

August 9, 2023 | by

Introduction

In our increasingly digitized world, virtual reality (VR) and augmented reality (AR) have emerged as transformative technologies, promising to immerse us in new digital realms and revolutionize our online experiences. However, recent studies by computer scientists at the University of California, Riverside have shed light on a concerning vulnerability associated with VR headsets and their virtual keyboard interfaces. These findings, set to be presented at the annual Usenix Security Symposium, reveal that hackers can exploit these interfaces to spy on users, potentially compromising their privacy and security.

The Metaverse and VR Headsets

The metaverse, a concept currently being developed by tech giants such as Facebook’s Mark Zuckerberg, envisions a virtual reality ecosystem where users can engage in a range of activities, from gaming and socializing to work collaboration and e-commerce. These experiences heavily rely on VR headsets that track users’ bodily motions, allowing them to navigate and interact with these virtual worlds. However, the very technology that enables this immersion also presents new opportunities for hackers to exploit.

A Glimpse into the Vulnerability

Professors Jiasi Chen and Nael Abu-Ghazaleh, along with their research team at UCR’s Bourns College of Engineering, have demonstrated the potential for spyware to capture users’ every motion and use artificial intelligence to translate those movements into words with an accuracy exceeding 90%. The researchers showed that if a malicious application is running alongside other applications on a VR headset, it can monitor and record user movements, as well as expose their interactions with the headset itself.

For instance, while engaged in a virtual game, if a user takes a break to check their Facebook messages by air typing their password on a virtual keyboard generated by the headset, the spyware embedded in another application could capture that password. Additionally, by interpreting users’ body movements during virtual meetings where sensitive information is discussed, hackers could potentially gain unauthorized access to confidential data.

Presenting the Research

In two papers, set to be presented at the Usenix Security Symposium, the research team details their findings and highlights the cybersecurity weaknesses present in AR and VR systems. The first paper, titled “It’s all in your head(set): Side-channel attacks on AR/VR systems,” illustrates how hackers can recover a user’s hand gestures, voice commands, and keystrokes on a virtual keyboard with a high degree of accuracy. The paper also outlines the attackers’ ability to identify launched applications and detect people standing near the headset user with remarkable distance accuracy.

The second paper, “Going through the motions: AR/VR keylogging from user head motions,” delves deeper into the vulnerability of virtual keyboards. It demonstrates how even subtle head movements made by users typing on these keyboards can be used by spies to infer the text being entered. The researchers developed TyPose, a system that employs machine learning to decipher these head motion signals and automatically infer the words or characters being typed.

Ethical Disclosure and Responsible Action

The research team’s intention is not to exploit these vulnerabilities but rather to highlight their feasibility and promote responsible disclosure. Before publishing their findings, they reach out to the tech industry, alerting them to the security weaknesses identified and giving them an opportunity to address these concerns. Only once the companies have had a chance to respond and consider potential fixes is the research shared with the wider public.

Implications and Advice

The research by Chen, Abu-Ghazaleh, and their team carries significant implications for the VR industry and technology users as a whole. It serves as a crucial reminder that as we adopt new technologies, we must remain vigilant about the potential risks they pose to our privacy and security.

For VR headset users, it is essential to be aware of the potential security vulnerabilities associated with virtual keyboards and the information they may transmit. Consider adopting additional security measures, such as regularly updating software and firmware, using strong passwords, and being cautious while inputting sensitive information while wearing a headset.

On the industry side, VR headset manufacturers should work closely with cybersecurity professionals to implement robust security measures within their products. Conducting rigorous security assessments, implementing encryption protocols, and regularly updating firmware will help safeguard against potential attacks. Additionally, promoting responsible disclosure by collaborating with researchers and promptly addressing vulnerabilities will enhance user trust and strengthen the industry as a whole.

As we navigate the ever-evolving landscape of digital experiences, it is essential that we balance innovation with security. The potential of VR and AR to transform various facets of our lives remains promising. However, it is crucial that both users and developers prioritize the protection of personal information and the safeguarding of user experiences.