VRChat, Steam VR and High Fidelity contained a vulnerability that hackers could exploit to take control of a user's virtual reality headset and PC. Proof that VR cybersecurity is not yet up to standard…
Security researchers Alex Radocea and Philip Pettersson made a disturbing discovery, which they unveiled this week at the Recon conference in Montreal. By examining various social VR applications, they discovered vulnerabilities in the Steam VR platform, the popular VRChat app and the open source High Fidelity platform.
By exploiting a security vulnerability in these three applications, the two researchers managed to gain control of other users' computers. To do this, it was enough to invite users into a chat room.
VRChat and Steam VR: virtual reality lacks cybersecurity
The vulnerabilities were immediately reported to the developers, who hastened to correct them. However, these particularly dangerous bugs demonstrate that cybersecurity is not at all developed in the field of virtual reality.
Moreover, being hacked in virtual reality is even more problematic than on a PC or smartphone. As the two researchers explain, hackers have direct access to their victim's senses. The cybercriminal can see through the victim's eyes via the headset's cameras, and hear what the victim says through the microphones.
In their experiments, the researchers were also able to project images into the victim's headset. Thus, it is possible to alter the virtual world the victim perceives without the victim even realizing it. There are countless possibilities for hackers to trap VR headset users…
According to the two researchers, hackers could even have created a worm: malware that spreads by infecting anyone who enters a chat room and inviting all of that user's friends to join. Thus, all users of VRChat or SteamVR could quickly be infected, like the users of MySpace with the worm of 2005…
It is therefore imperative that VR application developers and headset manufacturers make every effort to secure the hardware and software of virtual reality. If not, the democratization of virtual reality is likely to be accompanied by numerous cybersecurity incidents.