Computer scientists at the University of California, Riverside have discovered that the hardware and virtual keyboard interfaces used in Augmented Reality (AR) and Virtual Reality (VR) headsets open up opportunities for hackers. These findings were detailed in two papers presented at the annual Usenix Security Symposium, a leading international conference on cyber security.
AR and VR technology, currently being developed by industry giants like Facebook’s Mark Zuckerberg, rely on headsets that interpret bodily motions to navigate new digital worlds. This means that hackers can potentially exploit these motions to gain access to sensitive information.
The team at UC Riverside’s Bourns College of Engineering demonstrated that spyware can monitor and record a user’s movements and then use artificial intelligence to translate those movements into words with a high degree of accuracy. This means that if a malicious application is running alongside others, it can spy on the user’s interactions with the headset and capture sensitive information such as passwords.
For example, if a user takes a break from a virtual game to check their Facebook messages by air-typing the password on a virtual keyboard, the spyware could capture that password. Similarly, hackers could interpret body movements during virtual meetings to gain access to confidential information.
The first paper presented at the conference, titled “It’s all in your head(set): Side-channel attacks on AR/VR systems,” details how hackers can recover hand gestures, voice commands, and keystrokes on a virtual keyboard with an accuracy exceeding 90%. The second paper, “Going through the motions: AR/VR keylogging from user head motions,” explores the security risks of using a virtual keyboard and shows how subtle head movements can be used to infer the text being typed.
Both papers aim to address the cybersecurity weaknesses present in the AR and VR industry. The researchers responsibly disclose their findings to the companies involved, giving them an opportunity to address the vulnerabilities before the findings are published.
These discoveries serve as a reminder that as technology advances, so do the risks associated with it. It is crucial for companies to address these vulnerabilities to ensure a safe and secure digital experience for users.