Researchers Discover Security Flaws In Bigscreen VR App
The issues have since been addressed in a patch released by Bigscreen, Inc.
According to researchers based out of the University of New Haven in West Haven, Connecticut (go Chargers!), Bigscreen, a popular remote desktop application/social experience for VR headsets, has been openly susceptible to hackers due to a series of critical security vulnerabilities; allowing strangers to perform a variety of invasive activities without a users consent.
In a blog post published by the university, a team of researchers led by Ibrahim Baggili, Elder Family Endowed Chair of Computer Science & Cybersecurity and a well-known veteran in cybersecurity and digital forensics; master’s student Peter Casey; and Martin Vondráček, a master’s student from Brno University of Technology, say they were able to remotely activate a Bigscreen users mic and listen to private conversations, view their desktop screen, download and install malicious software, send messages from their personal account, even spread a computer worm that infects every user that visits a specific lobby.
Check out this full list of vulnerabilities presented by the research team:
- Turn on user microphones and listen to private conversations
- Join any VR room including private rooms
- Create a replicating worm that infects users as soon as they enter a room with other VR users
- View user computer screens in real-time
- Send messages on a user’s behalf
- Download and run programs – including malware – onto user computers
- Join users in VR while remaining invisible. This novel attack was termed as a Man-In-The-Room (MITR) attack
- Phish users into downloading fake VR drivers
“Our research shows hackers are able to monitor people day in and day out – listen to what they are saying and see how they are interacting in virtual reality,” said Ibrahim Baggili, founder and co-director of the University of New Haven Cyber Forensics Research and Education Group (https://www.unhcfreg.com). “They can’t see you, they can’t hear you, but the hacker can hear and see them, like an invisible Peeping Tom. A different layer of privacy has been invaded.”
It’s what the team has chillingly labeled “Man-in-the-Room Attack”, referencing their ability to secretly join a users server and view their session as an invisible avatar.
During their investigation, the team claimed to also have discovered several concerning security flaws in the popular game engine Unity – upon which Bigscreen was developed. A full disclosure of their findings can be found here.
On February 14th, the research team presented their findings to Bigscreen and Unity, who have since provided a security patch and user warning respectively. The Connecticut-based team has previously revealed detramental flaws in various other VR platforms, such as the Oculus Rift and HTC Vive. Researchers have yet to confirm whether or not the issues have been officially rectified.
These security issues highlight the potential dangers of privacy invasion that will need to addressed as VR technology continues to find its way into the hands of consumers. If the thought of a stranger remotely accessing your desktop concerns you, image the level of paranoia that will develop as we begin to “live” inside these digital spaces.