Researchers say they’ve found a way to lead players outside their digital boundaries in virtual reality through malware.
But there’s nothing stopping an attacker from changing what you see in VR, according to researchers from the University of New Haven in Connecticut. The researchers found that in a controlled attack, they were able to alter what a person could see in VR on the Oculus Rift and the Vive.
In fact, the systems include no protection to stop these kinds of attacks, Ibrahim Baggili, director of the university’s Cyber Forensics Research and Education Group (Unhcfreg), and the paper’s co-author, Peter Gromkowski, said in an interview.
The research comes in two papers, one published in April, and another currently under peer review by academics. The researchers are set to present their findings in May at a workshop that is part of a conference for the IEEE Symposium on Security and Privacy.
The report hints at the potential dangers of virtual reality, a once-hot tech that immerses you in a digital world through special gear like headsets and controllers. Even without the threat of a hack, interest in VR has stalled due to expensive hardware and the dearth of meaningful experiences, despite the backing of heavy hitters like Facebook, Google and Samsung.
The University of New Haven research team infected a computer through malware attached to an email in an effort to see what protections VR had on a compromised computer. They wanted to see how software on the Oculus Rift and the HTC Vive could stay secure if other safeguards failed.
“It was created with little security in mind, and they’re completely relying on the security of the operating system and the user,” Baggili said.
The attack tests were all done through OpenVR, a software development kit developed by Valve, and used by both Oculus and HTC when those systems are playing games on the Steam platform. Because the research team was focused on testing the integrity of the VR system, it didn’t take into account the antivirus software and other protections already in place on a user’s computer.
Oculus, a unit of Facebook, disagreed with the research findings on gaming vulnerabilities. Oculus said it worked with the team to address the flaws mentioned for Facebook Spaces and regularly invites researchers to participate in Facebook’s bug bounty program.
The majority of apps for Oculus run through its own store, and not on Steam, a person familiar with Oculus’ setup said.
Oculus said it has other protections for the data in place, and that adding encryption to Guardian, its program for guiding you through the virtual world, would only add unnecessary complexity and bugs.
“Guardian settings are not vulnerable unless your machine is compromised, in which case, every app and file on your computer is also susceptible,” said an Oculus spokesperson.
HTC didn’t comment on the study.
“We are evaluating the scenarios with our engineering team and do not have more to share at this time,” an HTC spokesman said.
Valve didn’t respond to a request for comment.
Gromkowski said VR systems shouldn’t just rely on their PCs for security. Password managers on compromised computers still have encrypted data and restricted access, he noted.
“Considering the sensitivity of the information,