Security researchers released a video yesterday showing how flaws that programmers often underestimate could let attackers compromise the privacy and security of a virtual reality experience.
According to the researchers, Ibrahim Baggili, Peter Casey and Martin Vondráček, the flaws are found in the virtual reality (VR) application Bigscreen and in the Unity game development platform.
Bigscreen is a popular virtual reality application that describes itself as a “virtual living room,” letting friends hang out together in a virtual world, watch movies in a virtual cinema, chat in the lobby and more.
Things Hackers Can Do
The vulnerabilities in the app allowed the researchers to hijack web infrastructure and carry out multiple attacks through a custom-designed command-and-control server, including:
- discover private rooms,
- join any VR room,
- eavesdrop on users while remaining invisible,
- view VR users’ computer screens in real-time,
- stealthily receive victim’s screen sharing and microphone audio,
- send messages on the user’s behalf,
- remove/ban users from a room,
- set up a worm that could spread across the Bigscreen community,
- and more.
Besides these flaws, a separate flaw in the Unity API allowed them to take control of users’ computers by downloading and installing malware without requiring any user interaction.
Bigscreen and Unity Engine Flaws
According to technical details shared with Hack Hex, the flaws in question are cross-site scripting (XSS) issues in the input fields where VR users submit their username, room name, room description and room category.
“The payload script will be executed upon the browser-based player entering a room affecting all members of the room. This attack vector allows for the modification/invocation of any variable/function within the scope of the Window,” researchers told Hack Hex.
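The class of bug described in that quote, as an added example that is not part of the original article and not Bigscreen's code: a room record whose name field carries a script, rendered once by string concatenation (the vulnerable pattern) and once with every untrusted field escaped. The room fields, the `window.roomUI.hideSelf()` call in the payload and the template markup are constructed for illustration; a real player should also avoid `innerHTML` altogether and set user text through `textContent`.

```javascript
// Added example, not Bigscreen's or the researchers' code: stored XSS through
// room metadata, rendered the vulnerable way and the hardened way.

// Constructed room record as an attacker might submit it. The name field
// carries markup whose event handler runs in every member's browser-based
// player and can call anything in the page's window scope (here an assumed
// `window.roomUI.hideSelf()` that would hide the attacker from the member list).
const ATTACKER_ROOM = {
  name: 'Movie night<img src=x onerror="window.roomUI.hideSelf()">',
  description: 'Come watch <b>anything</b>',
  category: 'Cinema',
};

// Vulnerable: untrusted fields are concatenated straight into the HTML that
// the player later assigns to innerHTML, so the attacker's tag becomes live DOM.
function renderRoomUnsafe(room) {
  return `<li class="room"><span class="name">${room.name}</span>` +
    `<span class="desc">${room.description}</span>` +
    `<span class="cat">${room.category}</span></li>`;
}

// Escape the characters that can change HTML context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: every user-controlled field is escaped, so the payload is shown as
// literal text and no event handler is ever registered.
function renderRoomSafe(room) {
  return `<li class="room"><span class="name">${escapeHtml(room.name)}</span>` +
    `<span class="desc">${escapeHtml(room.description)}</span>` +
    `<span class="cat">${escapeHtml(room.category)}</span></li>`;
}

// Quick check a reviewer can run over rendered output: after removing the
// template's own tags, is any raw tag left that must have come from user input?
function leaksRawTags(html) {
  const withoutTemplate = html.replace(/<\/?(?:li|span)(?:\s[^>]*)?>/g, '');
  return /<[a-z!/?]/i.test(withoutTemplate);
}

console.log('unsafe leaks tags:', leaksRawTags(renderRoomUnsafe(ATTACKER_ROOM))); // true
console.log('safe leaks tags:  ', leaksRawTags(renderRoomSafe(ATTACKER_ROOM)));   // false
```

The escaping function covers the five characters that can break out of an HTML text or attribute context; it is not sufficient for values placed inside a `<script>` block, a URL attribute or inline CSS, which need context-specific encoding.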
“We observed a lack of authentication when handling private room joining and communications with the Bigscreen signaling server. As a result, several potential vulnerabilities arise, to include denial of service, manipulation of public rooms, brute force attacks, and server resource exhaustion.”
“The function Unity.openLink() was found to launch web links in the default browser. An XSS attack containing an HTTP, FTP, or SMB link could cause arbitrary files to be fetched and downloaded,” researchers told Hack Hex.
“We expect that most of the applications using the affected Unity API may be vulnerable.”
The team discovered the vulnerabilities while testing the security of VR systems through its National Science Foundation-funded project.
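A browser-side gate in front of the engine's open-link call, as an added example that is neither Unity's nor Bigscreen's code. It accepts only absolute http(s) URLs, so FTP, SMB and file links of the kind the researchers mention never reach the engine. `openLinkInEngine` is an assumed stand-in for the real bridge to `Unity.openLink()`, the optional host allowlist is this example's own policy, and the sample links are constructed.

```javascript
// Added example, not Unity's or Bigscreen's code: a browser-side gate in front
// of the engine's open-link call. Only absolute http(s) URLs are let through, so
// the FTP, SMB and file links mentioned above never reach the engine.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns the normalised URL string to open, or null when the link must be refused.
// `allowedHosts` (optional Set of lowercase hostnames) further restricts destinations.
function validateOutboundLink(raw, allowedHosts = null) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return null;
  let url;
  try {
    url = new URL(raw); // no base URL on purpose: relative and scheme-relative links fail here
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null; // drops smb:, ftp:, file:, javascript:, ...
  if (url.username !== '' || url.password !== '') return null; // refuse user:pass@host confusion
  if (allowedHosts !== null && !allowedHosts.has(url.hostname.toLowerCase())) return null;
  return url.href;
}

// Assumed stand-in for the real bridge that would forward the link to Unity.openLink().
const handedToEngine = [];
function openLinkInEngine(href) {
  handedToEngine.push(href);
}

// The only path the UI should use to open a link. Returns whether it was opened.
function openLinkSafely(raw, allowedHosts = null) {
  const href = validateOutboundLink(raw, allowedHosts);
  if (href === null) return false;
  openLinkInEngine(href);
  return true;
}

// Constructed links of the kind an XSS payload could feed to the bridge.
const SAMPLE_LINKS = [
  'https://example.com/movie',
  'http://example.com:8080/a?b=c',
  'HTTPS://EXAMPLE.COM/upper',
  'smb://attacker.example/share/payload.exe',
  'ftp://attacker.example/payload',
  'file:///C:/Windows/System32/calc.exe',
  'javascript:alert(1)',
  '//attacker.example/x',
  'https://user:pw@example.com/',
];

// Run every sample through the gate; returns [{ link, opened }] for inspection.
function demo(allowedHosts = null) {
  return SAMPLE_LINKS.map((link) => ({ link, opened: openLinkSafely(link, allowedHosts) }));
}

console.table(demo());
```

The scheme check is the part that matters for the flaw described above; the host allowlist is an extra restriction a room-based application can afford, since the set of legitimate link destinations is usually small. Note that the gate only helps if every call site goes through it, which is why the example exposes a single `openLinkSafely` entry point rather than the raw bridge.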
Man-in-the-Room Attack
Man-in-the-Room is an attack in which a hacker secretly joins a room while remaining invisible to the other users.
“They can’t see you, they can’t hear you, but the hacker can hear and see them, like an invisible Peeping Tom. A different layer of privacy has been invaded,” Ibrahim Baggili, founder and co-director of the Cyber Forensics Research and Education Group, said.
Bigscreen loads its libraries (DLLs) without any integrity check, which allowed the researchers to modify the code of selected libraries and change their behaviour; combined with XSS payloads, this let them hide their presence from the room's UI.
“Our proof-of-concept WebRTC application was able to connect to the legitimate Bigscreen application. This led to complete control over one end of audio/video/microphone/data streams. Our application was invisible in the VR room because it did not send any data to other peers,” the researchers said.
Bigscreen acknowledged the security vulnerabilities and released the new Bigscreen Beta “2019 Update” which fully patches the issues.
Unity acknowledged the vulnerabilities by merely adding a note to its documentation stating that the API “can be used to open more than just web pages, so it has important security implications you must be aware of.”