Virtual Reality App Found with Critical Vulnerabilities

Cybersecurity researchers at the University of New Haven were able to compromise virtual reality users' systems, allowing them to invisibly eavesdrop on VR rooms. The researchers exploited vulnerabilities present in the Bigscreen virtual reality app and the Unity game development platform.

Bigscreen is a widely popular free VR application available on Steam that allows people to connect in a virtual world. Users come together in the ‘lobby’ or ‘virtual living room’ to create avatars, chat, watch movies in a virtual cinema setting, work on projects, and much more.

The researchers were able to obtain access to users’ systems without the users knowing anything had happened. Further, they found that the vulnerabilities in Bigscreen allowed worms to spread from one user to the next.

The team conducted a successful man-in-the-middle attack using a command and control (C&C) server. The C&C server was used to gain control of systems and listen in on private rooms. To begin the attack, the attacker controlling the C&C server poisoned the lobby, so that the first user to join the lobby became infected. When this user then created his own private room and shared its room ID with friends, the attacker was able to intercept and copy the ID as the friends used it, before passing it on. The attacker then invisibly joined the private room using the room ID. From that point, the attacker could take over all users in the chat room and control their movements.

The attacker is able to capture screen sharing, audio, and microphone audio of users. Further, the attacker can also remove users, view their computer screens in real time, and send chats to users.

Ibrahim Baggili, founder and co-director of the University of New Haven Cyber Forensics Research and Education Group, stated:

“Our research shows hackers are able to monitor people day in and day out – listen to what they are saying and see how they are interacting in virtual reality… They can’t see you, they can’t hear you, but the hacker can hear and see them, like an invisible Peeping Tom. A different layer of privacy has been invaded.”

The University of New Haven research team notified Bigscreen and Unity, who subsequently patched the vulnerabilities.

Contact LIFARS immediately if your organization was infected