University of New Haven Researchers Discover Critical Vulnerabilities in Popular Virtual Reality Application

Using Bigscreen, a popular virtual reality application, researchers at the University of New Haven were able to listen to users’ conversations and access their computers without their knowledge.

February 19, 2019

A team of researchers at the University of New Haven discovered that Bigscreen, a well-known and popular virtual reality (VR) application, and Unity, the game development platform BigScreen is built on, are vulnerable to hackers. Bigscreen, which describes itself as a "virtual living room," enables users to watch movies, collaborate on projects together and more.

Without users’ knowledge and consent – and without tricking users into downloading software or granting access to the computer – University of New Haven researchers were able to:

• Turn on user microphones and listen to private conversations
• Join any VR room including private rooms
• Create a replicating worm that infects users as soon as they enter a room with other VR users
• View user computer screens in real time
• Send messages on a user’s behalf
• Download and run programs – including malware – onto user computers
• Join users in VR while remaining invisible. This novel attack was termed as a Man-In-The-Room (MITR) attack
• Phish users into downloading fake VR drivers

Click here to view a YouTube proof of concept video summarizing and demonstrating the findings.

"Our research shows hackers are able to monitor people day in and day out – listen to what they are saying and see how they are interacting in virtual reality," said Ibrahim Baggili, founder and co-director of the University of New Haven Cyber Forensics Research and Education Group. "They can’t see you, they can’t hear you, but the hacker can hear and see them, like an invisible Peeping Tom. A different layer of privacy has been invaded."

Baggili and his team presented the research findings to Bigscreen and Unity. Bigscreen CEO and Founder Darshan Shankar said Feb. 14 the company has patched the issues. Unity recently added language to its website warning users the platform can be "used to open more than just webpages, with important security implications you must be aware of."

Baggili and his team have not performed tests to determine if vulnerabilities still exist.

"They can’t see you, they can’t hear you, but the hacker can hear and see them, like an invisible Peeping Tom. A different layer of privacy has been invaded."Ibrahim Baggili, Ph.D.

The researchers – Baggili, Elder Family Endowed Chair of Computer Science and Cybersecurity and an internationally recognized expert in cybersecurity and digital forensics; Peter Casey '19 M.S. (computer science); and Martin Vondráček, visiting graduate student from Brno University of Technology – recently uncovered the technology vulnerabilities while testing the security of VR systems through a National Science Foundation-funded project. Vondráček then wrapped up the research into a command and control tool to show the severity of the findings. For disclosure details, go to the University of New Haven Cyber Forensics Research and Education Group website

According to Bigscreen, users log up to 20-30 hours a week using the system, with some logging more than 1,000 hours. TechCrunch reported in 2017 the company had 150,000 users.

Baggili and Casey have uncovered susceptibilities in other popular virtual reality systems – including HTC Vive and Oculus Rift – revealing that hackers could alter the experience of users. Several years ago, Baggili and his team uncovered liabilities in the messaging apps WhatsApp, Viber and others that affected more than 1.5 billion users, garnering significant international media coverage.