Vulnerability in virtual reality systems identified
Inception Attacks: A user thinks they are interacting directly with a VR app launched from the VR home screen, when they are in fact running a simulated VR app inside the attacker’s inception layer. Credit: arXiv (2024). DOI: 10.48550/arxiv.2403.05721

A team of computer scientists at the University of Chicago has uncovered a potential vulnerability in virtual reality systems—one that could allow a hacker to insert what the team describes as an “inception layer” between a user’s VR Home Screen and their VR User/Server. The team has posted a paper describing their work and their findings on the arXiv preprint server.

Virtual reality systems allow users to interact in a virtual world—one where virtually anything imaginable is possible. In this new effort, the research team imagined a scenario where hackers could add an app to a user’s VR headset that tricks users into behaving in ways that could reveal sensitive information to the hackers.

The idea behind the app is that it could add a layer between the user and the virtual world the user normally sees when using their VR device. They call it an inception layer, after the movie where a character played by Leonardo DiCaprio has an altered layer of reality downloaded into his brain.

In this case, such a layer, the researchers suggest, could allow hackers to record information, such as a passcode entered into a virtual ATM. It could also intercept and alter information, such as cash amounts designated for a purchase—routing the difference to the hacker’s bank account.

It could even add imagery to the VR world, such as characters representing friends or family, and use such a ruse to gain trust or access to secrets. In short, it could monitor or alter gestures, voice emanations, browsing activity and social or business interactions.

Such an app, the research team notes, could be downloaded onto a user’s VR device if an attacker managed to hack the user’s WiFi network or gain physical access. And once installed, it could run without the user noticing. The researchers tested this last possibility by enlisting the assistance of 28 volunteers who played a game using a demonstration VR headset.

The researchers then downloaded an app onto the devices, simulating a hack, and asked the volunteers if they had noticed anything—the download and activation process caused a tiny bit of flickering. Only 10 of the volunteers noticed, and just one of them questioned whether something nefarious was occurring.

The research team notified Meta, makers of the Meta Quest VR system that was used in the experiment, of their findings, and the company responded by reporting back that they plan to look into the potential vulnerability and fix it if it is confirmed. The researchers also note that such vulnerabilities are likely to exist on other systems and other types of apps that also seek to insert themselves between users and their VR devices.

More information:
Zhuolin Yang et al, Inception Attacks: Immersive Hijacking in Virtual Reality Systems, arXiv (2024). DOI: 10.48550/arxiv.2403.05721

© 2024 Science X Network

Vulnerability in virtual reality systems identified (2024, March 25)
retrieved 2 April 2024
