The frequency, potency, and sophistication of cybersecurity threats continue to surge. Any business that employs digital technology, which is to say every business, is exposed to attacks from an assortment of digital adversaries, from individual “hackers” (a misnomer we will confront and clear up) to networks of programmers bound together to exploit systems for personal gain. The defences put in place against these threats are typically immature, and even more so for virtual reality technology.
In other words, it’s like the Wild West, where the lone sheriff has to preserve his town from the assaults of roaming outlaws.
To display just how devastating a security breach can be, here are just a few of the biggest cybersecurity breaches:
- eBay (May 2014) – 145 million users impacted
- Equifax (July 2017) – 148 million users impacted
- LinkedIn (2012 and 2016) – 165 million users impacted
- Yahoo (2013-2014) – 3 billion accounts impacted
- Zynga (2019) – 218 million user accounts impacted
Moreover, the repercussions of these breaches are not trivial. Massive corporations like the ones listed above must not only contend with the breach itself but the residual effects: lawsuits, negative public perception, and hits to share price. Big companies possess the means to ride out these breaches, but smaller companies do not.
Even More Bad News
If that wasn’t bad enough, new types of cybersecurity threats appear year after year. One particularly vicious emerging threat is the attack on Extended Reality technology. Extended Reality, or XR for short, is an umbrella term that refers to virtual reality, augmented reality, mixed reality, or any combination of the three. To understand more about XR, take a look at this article, here, where we describe the differences between each of these technologies.
So, why is the cybersecurity threat posed to XR technology so uniquely and acutely dangerous? Well, XR technology is vulnerable to traditional data breaches and Immersive Virtual Reality attacks. These attacks “Can potentially disorient users, turn their Head Mounted Display (HMD) camera on without their knowledge, overlay images in their field of vision, and modify VR environmental factors that force them into hitting physical objects and walls.”
Not only can adversaries hijack our personal info, but they can control what we experience in real-time to the point of funneling us through physical space.
Immersive Virtual Reality Attacks are a subject that Peter Casey, Ibrahim Baggili and Ananya Yarramreddy, researchers who have performed extensive cybersecurity work at the University of New Haven, examined in depth in their paper “Immersive Virtual Reality Attacks and the Human Joystick”. We will refer often to an article (here) which cites this paper. Let’s examine, below, each high-level vulnerability from which XR suffers.
*Note: The term “hacker” is very broad and we’ll refrain from its use in this blog.
Data Breaches in Virtual Reality
The vulnerabilities that popular VR apps display are not unique to VR. A common way to compromise any system is to gain access through the third-party apps it depends on.
In the case of XR technology, the cybersecurity researchers at the University of New Haven were able to exploit vulnerabilities in a popular VR application called Bigscreen, which enables users to interact with each other virtually and immersively. The researchers were able to hijack Bigscreen’s web infrastructure (which runs behind its desktop application) and perform multiple attack scenarios through a custom-designed command-and-control server, including:
- Discover private rooms
- Join any VR room, including private rooms
- Eavesdrop on users while remaining invisible in any VR room
- View VR users’ computer screens in real-time
- Stealthily receive victim’s screen sharing, audio, and microphone audio
- Send messages on the user’s behalf
- Remove/ban users from a room
- And many more
Further vulnerabilities in Bigscreen, along with other apps, allowed an adversary to install software that further compromises the system. So, vulnerabilities in third-party apps were exploited for the adversary’s gain. This is nothing new, but, as we’ve seen, the effects are more frightening in the XR space.
Even Scarier Virtual Reality Attacks
XR is susceptible to an even more frightening incursion: Overlay Attacks. The cybersecurity team at the University of New Haven coined this term to refer to “Any attack that overlays unwanted images/video/content on a player’s VR view. The player will have no option to remove the content. This attack includes persistent images as well as content that remains fixed in virtual space.”
Imagine using your VR headset for something sensitive, say to walk a patient through a medical procedure. In the middle of this walkthrough, an adversary gains control and injects graphic overlays that frighten the patient. How comfortable will that patient be walking into that surgery?
An adversary doesn’t even need to control the system in real time. They can configure the software in advance and wreak havoc through automation!
Another alarming scenario is that adversaries can manipulate XR users into moving through physical space! This type of manipulation is known as a “Human Joystick Attack”, which, in the researchers’ words, “attempts to lead the player to an attacker defined direction and location by compounding imperceptible Virtual Environment translation. The gradual shift in the VE aims to cause the player to readjust their location to the new virtual center point.”
XR technology has become so immersive that subtle changes in the user’s virtual environment won’t be registered by that user!
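The defensive counterpart to the mechanism just described is a runtime check for drift that no single frame reveals. The following is an added illustration, not code from the paper or from any XR vendor, and it assumes the runtime exposes per frame both the physically tracked head position and the rendered virtual camera position in the same units (metres on the x/z ground plane); the perception threshold and drift budget are assumed values.

```python
"""Runtime guard for compounding VE translation ("human joystick") drift.
Added example; assumes tracked and virtual positions share units (metres, x/z)."""
import math
from collections import deque


class DriftMonitor:
    """Flags accumulated virtual-vs-physical offset that no single frame reveals."""

    def __init__(self, perceptible=0.02, budget=0.30, window=900):
        self.perceptible = perceptible  # per-frame shift a user would notice (assumed)
        self.budget = budget            # metres of stealthy drift tolerated per window
        self.window = window            # frames (about 10 s at 90 Hz)
        self._steps = deque()           # per-frame (dx, dz) change of the offset
        self._prev = None

    def observe(self, tracked, virtual):
        """Feed one frame. Returns (alert, drift_metres)."""
        offset = (virtual[0] - tracked[0], virtual[1] - tracked[1])
        if self._prev is None:
            self._prev = offset
            return False, 0.0
        step = (offset[0] - self._prev[0], offset[1] - self._prev[1])
        self._prev = offset
        if math.hypot(*step) > self.perceptible:
            # A visible jump (teleport, recentre) is not stealthy; restart the window.
            self._steps.clear()
            return False, 0.0
        self._steps.append(step)
        if len(self._steps) > self.window:
            self._steps.popleft()
        # Net drift over the window is the vector sum of sub-threshold steps:
        # random jitter largely cancels, a directed nudge accumulates.
        drift = math.hypot(sum(s[0] for s in self._steps), sum(s[1] for s in self._steps))
        return drift > self.budget, drift


def simulate(nudge_per_frame, frames=600):
    """Constructed scenario: the user stands still while the VE slides along x
    by nudge_per_frame each frame. Returns the first alerting frame, or None."""
    mon, vx = DriftMonitor(), 0.0
    for i in range(frames):
        vx += nudge_per_frame
        alert, _ = mon.observe((0.0, 0.0), (vx, 0.0))
        if alert:
            return i
    return None
```

A nudge slow enough to stay under the budget within one window still escapes this check, so the window and budget must be chosen from how far a user can safely be displaced, not from what a single frame shows.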
With the potential to wreak so much devastation, why haven’t more institutions gotten the message that this is a threat to confront aggressively?
Firstly, cybersecurity, by its very nature, is tough. It’s a cat-and-mouse game between the adversary and the target. The target, by definition, is reactive: it has to wait for the moves the adversary will employ.
Furthermore, the scale and complexity of modern software architecture has grown exponentially. The digital tools we use contain so many components and dependencies that there is often a vulnerability somewhere.
In conclusion, businesses, especially those involved in writing software, must commit to protocols that prevent these attacks from happening. This means vetting the third-party apps your software uses, as well as testing your own software often for vulnerabilities.
One final thought: If this all seems overwhelming, just remember that most businesses have never experienced a cybersecurity breach. Stay vigilant, informed and aware.