Why we need better defenses against VR cyberattacks

This story originally appeared in The Algorithm, our weekly newsletter on AI. To get stories like this in your inbox first, sign up here. I remember the first time I tried on a VR headset. It was the first Oculus Rift, and I nearly fainted after experiencing an intense but visually clumsy VR roller-coaster. But…
Why we need better defenses against VR cyberattacks

I just published a story about a new kind of security vulnerability discovered by researchers at the University of Chicago. Inspired by the Christoper Nolan movie Inception, the attack allows hackers to create an app that injects malicious code into the Meta Quest VR system. Then it launches a clone of the home screen and apps that looks identical to the user’s original screen. Once inside, attackers are able to see, record, and modify everything the person does with the VR headset, tracking voice, motion, gestures, keystrokes, browsing activity, and even interactions with other people in real time. New fear = unlocked. 

The findings are pretty mind-bending, in part because the researchers’ unsuspecting test subjects had absolutely no idea they were under attack. You can read more about it in my story here.

It’s shocking to see how fragile and unsecure these VR systems are, especially considering that Meta’s Quest headset is the most popular such product on the market, used by millions of people. 

But perhaps more unsettling is how attacks like this can happen without our noticing, and can warp our sense of reality. Past studies have shown how quickly people start treating things in AR or VR as real, says Franzi Roesner, an associate professor of computer science at the University of Washington, who studies security and privacy but was not part of the study. Even in very basic virtual environments, people start stepping around objects as if they were really there. 

VR has the potential to put misinformation, deception and other problematic content on steroids because it exploits people’s brains, and deceives them physiologically and subconsciously, says Roesner: “The immersion is really powerful.”  

And because VR technology is relatively new, people aren’t vigilantly looking out for security flaws or traps while using it. To test how stealthy the inception attack was, the University of Chicago researchers recruited 27 volunteer VR experts to experience it. One of the participants was Jasmine Lu, a computer science PhD researcher at the University of Chicago. She says she has been using, studying, and working with VR systems regularly since 2017. Despite that, the attack took her and almost all the other participants by surprise. 

“As far as I could tell, there was not any difference except a bit of a slower loading time—things that I think most people would just translate as small glitches in the system,” says Lu.  

One of the fundamental issues people may have to deal with in using VR is whether they can trust what they’re seeing, says Roesner.