The privacy and security of your virtual reality experience and real world can be tricked by hackers by exploiting a vulnerability which the developers normally don’t consider as a serious one. A video demonstration of this was released by a team of cybersecurity researchers from the University of New Haven.
The researchers—Ibrahim Baggili, Peter Casey and Martin Vondracek states that the principal vulnerabilities were found in the popular virtual reality (VR) application named Bigscreen and the Unity game development platform, on which Bigscreen is built. The technical details of the vulnerability is not yet disclosed to the public.
Bigscreen which is a popular VR application describes itself as a “virtual living room,” that permits people to socialize together in virtual world, watch virtual movies, chat, make private rooms, collaborate on projects together, share their computer screens in a virtual environment and much more.
Things Hackers Can Do to Your VR Experience
The flaws in Bigscreen app let the researchers to remotely hijack Bigscreen’s web infrastructure which runs behind its desktop application and perform multiple attack scenarios through a custom-designed command-and-control server, which includes discover private rooms, join any VR room, including private rooms, eavesdrop on users while remaining invisible in any VR room, view VR users’ computer screens in real-time, stealthily receive victim’s screen sharing, audio, and microphone audio, send messages on the user’s behalf, remove/ban users from a room setup a self-replicating worm that could spread across the Bigscreen community etc.
Another different vulnerability in the Unity Engine Scripting API that researchers exploited together with the Bigscreen flaw is that they could take complete control over VR users’ computers by downloading and installing malware without the knowledge of the user. They could also run malicious commands without any authentication.
Bigscreen VR App and Unity Engine Vulnerabilities
Multiple Bigscreen flaws in question are persistent/stored cross-site scripting (XSS) issues which is found in the input field section where VR users provide their details like username, room name, room description and room category in the Bigscreen app.
Man-in-the-Room (MITR) Attack
Man-in-the-Room is one of the attack methods where a hacker secretly joins a VR room while remaining invisible to other users in the same room.
Bigscreen application uses Dynamically Loaded Libraries (DLLs) without integrity checking that allowed the researchers to modify the source code of selected libraries and change its behavior, letting them hide their presence from UI using XSS payloads.
The team had reported the findings to both Bigscreen and Unity. Bigscreen acknowledged the security vulnerabilities in its “servers and streaming systems” and released the patch Bigscreen Beta “2019 Update”.
Unity acknowledged the vulnerabilities by only adding a note to its documentation stating that its platform “can be used to open more than just web pages, so it has important security implication you must be aware of.”