Cybersecurity and Forensics Work Makes National Impact
University of New Haven faculty and students have produced groundbreaking research on the vulnerabilities of virtual reality.
November 30, 2018
By Jackie Hennessey, contributing writer
Imagine you’ve got your virtual reality headset on; you’re playing a game and suddenly you are no longer controlling it – a hacker is. Or the hacker has taken hold of the VR camera and can see into the room where you are playing or found a way to take down the "chaperones" or virtual protections that keep you from bumping into a wall.
Just as cybercriminals are at work on the Internet and the Internet of Things (IoT), gaining access to networks through connected smart devices, the worlds of virtual reality (VR), augmented reality (AR) and mixed reality (MR) are also extremely vulnerable to attack, says Ibrahim (Abe) Baggili, Elder Family Endowed Chair. Baggili and a team of graduate students are doing groundbreaking work in VR, AR and MR cybersecurity and forensics at the University of the New Haven’ Cyber Forensics Research & Education Group/Lab.
With a grant from the National Science Foundation, the team discovered they could break into virtual reality systems – the HTC Vive and Oculus Rift – and they could alter what happened once they got in.
"Being able to analyze these virtual environments can help solve future crimes that may occur in them."Ibrahim (Abe) Baggili
Baggili, Peter Casey, the technical lead on the project, and Ananya Yarramreddy published their findings and presented them at the Systematic Approaches to Digital Forensics Engineering workshop at the Institute of Electrical and Electronics Engineers IEEE Symposium on Security and Privacy in San Francisco in September. A second paper is under peer review.
"Unlike many other Computer Science related projects, MR research has a physical component," Casey said. "Because MR users entrust their safety to these devices, the stakes are higher." The team found that "immersion amplifies the consequences of cyber bullying and sexual harassment, where the misconduct `feels all too real.’"
In the study presented, they examined Bigscreen, Altspace VR, Rec Room and Facebook Spaces and focused on "the two most widely adopted consumer VR systems: the HTC Vive and the Oculus Rift." "These applications represent the future of social networking, as people can see each other’s avatars and interact with one another in VR," Baggili said. "Being able to analyze these virtual environments can help solve future crimes that may occur in them."
In another project, Casey said, "we just wanted to see if the participants would respond to our attacks. In doing so, we ended up opening up more questions about what is possible and what factors are at play when manipulating someone in virtual reality."
The team "tried to put ourselves in the shoes of hacker," Yarramreddy said. Their findings are garnering a great deal of attention in the press and the team’s research will be featured in an upcoming documentary on Canada’s Discovery Channel.
Baggili was inspired to do the research because he wanted to teach a course on VR cybersecurity and "there was very little research out there." If hackers could control wreak havoc on a smart car, a water system or an electric grid, Baggili wondered what could they do to people who are fully immersed in virtual reality?
Focusing on the HTC VIVE, the team devised and carried out four attacks and named them:
overlay: The team was able to overlay the image the user was seeing, blocking it or replacing it with another image.
disorientation: The team was able to disrupt movement and cause the VR user to feel dizzy or disoriented while wearing the VR headset.
chaperone: When someone is playing a game in VR, they first outline the room they are in and when they go near an actual wall, a chaperone or virtual wall goes up on the screen and the team found they could alter or remove the chaperone all together.
human joystick: The team controlled movements of the VR user without their knowing it.
This fall they plan to research an AR system, Microsoft’s Hololens, "which is a bit different from the tethered immersive VR systems," said Rebecca Lindsay-Decusati, a computer science graduate student, who joined the team last spring.
"With virtual reality, we want to develop security at the same time."Ibrahim (Abe) Baggili
In a 2017 piece in Forbes, Paul Lamkin reported that International Data Corporation predicted 81.2 million headsets would ship in 2021, up from 13 million in 2017, "representing an annual growth rate of 56.1 percent." Earlier this year Fast Company ran a tech forecast piece that explored "Why 2018 Will Be the Year of VR 2.0" focusing on the arrival of "standalone virtual reality systems."
With that expected growth, the time for this research is now, Lindsay-Decusati said.
Baggili is quick to point out that VR, MR and AR have very positive uses in education, in business, in the military and in the area of psychology. According to Psychology Today, dozens of studies have been done focusing on using VR "to treat anxiety disorders and particularly phobias, social anxiety, and PTSD. The results have been encouraging—VR is a proven means of delivering rapid, lasting improvements."
Making the world of virtual reality safe is key, Baggili said. "The developers of the internet got it wrong," he said. "They invented the web and then they created security for it. With virtual reality, we want to develop security at the same time."