According to a new research paper presented at this year’s IEEE Security & Privacy Workshop, current VR solutions on the market, along with a number of top VR social experiences and games, are open to hacking that could go as far as causing physical danger. Researchers were reportedly able to gather a large amount of relevant user and system data through simple network traffic analysis. The team also used a proof-of-concept exploit and the resulting virus on a compromised sample PC to edit the parameters of a tested VR experience, creating a situation that could put VR users and those nearby in real physical danger if a hacker or other malicious agent used a similar approach on real victims.
To give some background, most room-scale VR experiences, such as those offered by the HTC Vive and Oculus Rift, have a border that players hit when they start to approach the edge of their designated play area. This border in the virtual world lets them know that they’re leaving their designated VR space in the real world. Under the right conditions, the parameters of that border could be edited to either railroad a hapless VR user into a real-life hazard or allow them to exit their normal play area, causing danger. Hackers could even create a modified or sullied room using an instance ID from a legitimate session and drop players into it. VR is said to have already claimed its first victim, who succumbed to physical injuries in Russia earlier this year, although initial reports suggest that the incident in question was a freak accident and not the result of any hacking.
The social experiences tested were Bigscreen, Altspace VR, Rec Room and Facebook Spaces, and the implications were clear: in most cases, all it took to harvest players’ information was being on the same network, and all it took to put players in real danger was compromising the PC being used. Since consumer Windows machines are known for lackluster security compared to more specialized systems, the risk here is very real. To safeguard users from data breaches, physical harm and other dangers, VR will have to be made more secure, which could mean things like sandboxing experiences, delivering them through the cloud, and even factoring in VR when creating consumer-facing PC security solutions.