Enigma You’d think virtual reality’s biggest problems right now are breaking into meaningful mainstream adoption, and not making wearers of the headsets look utterly ridiculous. But no, it’s possible you are wrong.
For we’re told the re-emergence of virtual and augmented reality hardware may bring with it hackers tormenting folks in new ways, or so believes an organization that says it’s tackling said hackers.
Speaking at this year’s USENIX Enigma conference in San Francisco, Kavya Pearlman, founder of the non-profit XR Safety Initiative (XRSI), outlined a number of ways miscreants could cause mischief after compromising headsets.
Her initiative is seeking donations to, among other goals, “establish safety and ethics standards” in virtual reality. The organization fears hackers could pwn internet-connected headsets just like they can break into home and corporate networks – which isn’t too unbelievable, truth be told. Witness the hijacking of poorly secured Ring devices by scumbags to intimidate and scare families.
On the one hand, it’s perhaps a little premature to be worrying about future security problems with virtual reality gear, given it’s a fad that surfaces and sinks every few years. On the other hand, fiends love finding new stuff on the internet to pwn – be it printers, hospitals, cloud servers, security cameras, and so on – so perhaps, with more net-connected techno-specs in use, this is something we can look forward to this decade.
“The attack surface that used to be your server or your network or your backend,” as Pearlman put it, “has now expanded to your living room, your objects that you surround yourself with.”
The most obvious dangers, according to Pearlman, are physical. Pointing to research conducted by XRSI and university eggheads, Pearlman warned of people being turned into “human joysticks” by hackers manipulating paths and directions in virtual worlds to redirect folks into harm’s way. Like stubbing your toe on a cupboard or tripping up over a coffee table, we presume. At a stretch, someone could, we dunno, fall on a buzz saw or into a vat of molten iron if they were, for some reason, using the gear in an industrial plant.
Meanwhile, folks could maybe fall victim to “chaperone” attacks in which boundaries preventing people from wandering into danger areas are removed. Then there’s the usual threat of ransomware scrambling device data, denial-of-service attacks knocking multi-user environments offline, remote-code execution bugs exploited to inject spyware into the techno-goggles, and, yeah, you get the idea.
Speaking of spyware: it’s possible, we’re told, to surveil someone by monitoring their compromised head gear. “Most of these devices have a front-facing camera,” Pearlman said, adding a team of researchers were “able to turn on the camera without the person’s knowledge and stream the video back to their server.”
Then there’s the potential for psychological attacks that use the immersion of virtual reality environments to freak out the wearer… until they pull the goggles off. “These technologies are so compelling,” Pearlman opined. “We can use these technologies to hijack somebody’s system and put them in a horror environment.”
While XRSI’s efforts to secure these gadgets are commendable – and forewarned is forearmed with security – with no documented exploits or attacks in the wild, and no mainstream adoption, panic ye not. ®
Harnessing the value of data