Researchers have identified several potential “initial attack” methods for VR headset owners. (Image credit: Artur Debat/Getty Images)
Scientists have discovered a vulnerability in virtual reality (VR) devices that allows hackers to access personal data without users' knowledge.
An attacker can insert a new “layer” between the user and the device’s default image source. They can then inject a fake app into the VR headset, which can trick the owner into acting a certain way or revealing their data. This process is called the “inception layer,” a reference to Chris Nolan’s 2010 sci-fi thriller, in which spy agents infiltrate the target’s mind and plant an idea the target believes is their own.
The “Inception attack” in the context of virtual reality was detailed in a paper published on March 8 on the preprint platform arXiv, and the team successfully tested it on all versions of the Meta Quest headset.
Researchers have identified several possible ways to hack a VR headset, including connecting to a victim’s Wi-Fi and “sideloading,” where a user installs an app (possibly containing malware) from an unofficial app store. These apps can disguise themselves either as a basic VR experience or as a legitimate app.
In their paper, the scientists argue that this is possible because VR headsets do not have security protocols that are even remotely comparable to those used in more common devices such as smartphones or laptops.
Using this new false layer, hackers can control and manipulate interactions in the virtual environment. The user does not even realize that they are interacting with a malicious copy of an application, for example one used to communicate with friends.
Examples of actions an attacker could take include changing the amount of money transferred (and its destination) in any online transaction and recording login credentials. Hackers could even add a fake VRChat app and use it to listen in on conversations or alter live audio using artificial intelligence (AI) to impersonate another participant.
“Virtual reality headsets have the potential to provide users with deeply immersive experiences comparable to reality,” the researchers wrote in the paper. “However, from a security perspective, if used improperly, virtual reality systems can become a source of attacks with much more serious consequences than traditional methods.”
They say immersive touch input can give users a false sense of security, making them more likely to reveal personal information and to trust what they see than in other computing environments.
Attacks in VR can also be difficult to detect because the environment is designed to mimic real-world interactions, unlike the cues you see in traditional computing. In a test of 28 participants, only 10 were able to notice that an attack had already begun; the sign was a fleeting “glitch” in their field of vision, like a slight flicker of the image.
The researchers outlined several potential defenses against such attacks in their paper, but also stressed that manufacturers should inform users of any signs that their headset is under attack. These include minor visual anomalies and crashes.
They added that such attacks could become more common over time. However, companies like Meta still have time to develop and implement countermeasures before VR headsets become more popular and cybercriminals start to see them as an attractive attack vector.
Source: www.livescience.com