A team of cybersecurity researchers from the University of New Haven yesterday released a video demonstrating how vulnerabilities that most programmers often underestimate could have allowed hackers to compromise the privacy and security of both your virtual reality experience and the real world.
According to the researchers—Ibrahim Baggili, Peter Casey and Martin Vondráček—the underlying vulnerabilities, technical details of which are not yet publicly available but were shared exclusively with The Hacker News, resided in a popular virtual reality (VR) application called Bigscreen and in the Unity game development platform, on which Bigscreen is built.
Bigscreen is a popular VR application that describes itself as a “virtual living room,” enabling friends to hang out together in a virtual world, watch movies in a virtual cinema, chat in the lobby, make private rooms, collaborate on projects together, share their computer screens or control in a virtual environment and more.
Scary Things Hackers Can Do to Your VR Experience
As shown in the video, the flaws in the Bigscreen app literally allowed researchers to remotely hijack Bigscreen’s web infrastructure (which runs behind its desktop application) and perform multiple attack scenarios through a custom-designed command-and-control server, including:
discover private rooms,
join any VR room, including private rooms,
eavesdrop on users while remaining invisible in any VR room,
view VR users’ computer screens in real-time,
stealthily receive victim’s screen sharing, audio, and microphone audio,
send messages on the user’s behalf,
remove/ban users from a room,
set up a self-replicating worm that could spread across the Bigscreen community,
and many more.
What’s Even More Worrisome?
Besides this, a different vulnerability in the Unity Engine Scripting API, which the researchers exploited in combination with the Bigscreen flaw, allowed them to even take complete control over VR users’ computers by secretly downloading and installing malware or running malicious commands …