A team of researchers at the University of New Haven discovered that Bigscreen, a well-known and popular virtual reality (VR) application, and Unity, the game development platform Bigscreen is built on, are vulnerable to hackers.
Bigscreen, which describes itself as a “virtual living room,” enables users to watch movies, collaborate on projects together and more.
Without users’ knowledge and consent – and without tricking users into downloading software or granting access to the computer – University of New Haven researchers were able to:
- Turn on user microphones and listen to private conversations;
- Join any VR room, including private rooms;
- Create a replicating worm that infects users as soon as they enter a room with other VR users;
- View user computer screens in real time;
- Send messages on a user’s behalf;
- Download and run programs – including malware – onto user computers;
- Join users in VR while remaining invisible. This novel attack was termed a Man-In-The-Room (MITR) attack;
- Phish users into downloading fake VR drivers.
There is a YouTube proof-of-concept video summarizing and demonstrating the findings.
“Our research shows hackers are able to monitor people day in and day out – listen to what they are saying and see how they are interacting in virtual reality,” said Ibrahim Baggili, founder and co-director of the University of New Haven Cyber Forensics Research and Education Group (https://www.unhcfreg.com). “They can’t see you, they can’t hear you, but the hacker can hear and see them, like an invisible Peeping Tom. A different layer of privacy has been invaded.”
Baggili and his team presented the research findings to Bigscreen and Unity. Bigscreen CEO and Founder Darshan Shankar said Feb. 14 the company has patched the issues. Unity recently added language to its website warning users the platform can be “used to of.”
Baggili and his team have not performed tests to determine if vulnerabilities still exist.
The researchers – Baggili, Elder Family Endowed Chair of Computer Science and Cybersecurity and an internationally recognized expert in cybersecurity and digital forensics; master’s student Peter Casey; and Martin Vondráček, visiting master’s student from Brno University of Technology – recently uncovered the technology vulnerabilities while testing the security of VR systems through a National Science Foundation-funded project. Martin Vondráček then wrapped up the research into a command-and-control tool to show the severity of the findings. For disclosure details, go to the University of New Haven Forensic Sciences Research & Education Group website: https://www.unhcfreg.com/.
According to Bigscreen, users log up to 20-30 hours a week using the system, with some logging over 1000 hours. TechCrunch reported in 2017 the company had 150,000 users.
Baggili and Casey have uncovered susceptibilities in other popular virtual reality systems – including HTC Vive and Oculus Rift – revealing that hackers could alter the experience of users. Several years ago, Baggili and his team uncovered liabilities in the messaging apps WhatsApp, Viber and others that affected more than 1.5 billion users, garnering significant international media coverage.