Cyber Hacking News

Hacking Virtual Reality – Researchers Exploit Bigscreen VR App

0

 

The privacy and security of your virtual reality experience and real world can be tricked by hackers by exploiting a vulnerability which the developers normally don’t consider as a serious one. A video demonstration of this was released by a team of cybersecurity researchers from the University of New Haven.

The researchers—Ibrahim Baggili, Peter Casey and Martin Vondracek states that the principal vulnerabilities were found in the popular virtual reality (VR) application named Bigscreen and the Unity game development platform, on which Bigscreen is built. The technical details of the vulnerability is not yet disclosed to the public.

Bigscreen which is a popular VR application describes itself as a “virtual living room,” that permits people to socialize together in virtual world, watch virtual movies, chat, make private rooms, collaborate on projects together, share their computer screens in a virtual environment and much more.

Things Hackers Can Do to Your VR Experience

The flaws in Bigscreen app let the researchers to remotely hijack Bigscreen’s web infrastructure which runs behind its desktop application and perform multiple attack scenarios through a custom-designed command-and-control server, which includes discover private rooms, join any VR room, including private rooms, eavesdrop on users while remaining invisible in any VR room, view VR users’ computer screens in real-time, stealthily receive victim’s screen sharing, audio, and microphone audio, send messages on the user’s behalf, remove/ban users from a room setup a self-replicating worm that could spread across the Bigscreen community etc.

Another different vulnerability in the Unity Engine Scripting API that researchers exploited together with the Bigscreen flaw is that they could take complete control over VR users’ computers by downloading and installing malware without the knowledge of the user. They could also run malicious commands without any authentication.

Bigscreen VR App and Unity Engine Vulnerabilities

Multiple Bigscreen flaws in question are persistent/stored cross-site scripting (XSS) issues which is found in the input field section where VR users provide their details like username, room name, room description and room category in the Bigscreen app.

Since the vulnerable input boxes were not sanitized, attackers could have leveraged the flaw to inject and execute malicious JavaScript code on the application installed by other users connecting to the Bigscreen lobby and VR rooms.

The attackers can also inject malicious JavaScript payloads to leverage an undocumented and potentially dangerous Unity Scripting API to secretly download malware from the Internet and execute it on a targeted system or for all users.

https://www.youtube.com/watch?v=N_Z3mfzLZME

Man-in-the-Room (MITR) Attack

Man-in-the-Room is one of the attack methods where a hacker secretly joins a VR room while remaining invisible to other users in the same room.

Bigscreen application uses Dynamically Loaded Libraries (DLLs) without integrity checking that allowed the researchers to modify the source code of selected libraries and change its behavior, letting them hide their presence from UI using XSS payloads.

The team had reported the findings to both Bigscreen and Unity. Bigscreen acknowledged the security vulnerabilities in its “servers and streaming systems” and released the patch Bigscreen Beta “2019 Update”.

Unity acknowledged the vulnerabilities by only adding a note to its documentation stating that its platform “can be used to open more than just web pages, so it has important security implication you must be aware of.”

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News

    Critical flaw in Drupal: Patch this bug urgently

    Previous article

    New Attacks Against 4G, 5G Mobile Networks Re-Enable IMSI Catchers

    Next article

    You may also like

    Comments

    Leave a reply

    Your email address will not be published. Required fields are marked *