Researchers Break into Popular Virtual Reality App – Revealing VR App Vulnerabilities – and their Findings Garner Global Attention

Ibrahim Baggili, Martin Vondráček, and Peter Casey knew they were onto something big as they developed a "man in the room" attack on the Bigscreen virtual reality app.

They just didn’t know how big.

Led by Vondráček the University of the New Haven’s Cyber Forensics Research & Education Group team created a custom-designed command-and-control server. With it they could access the virtual reality app’s users and, accessing a user’s computer, become an unseen "man in the room" listening in to what the people were doing in virtual reality, watching their movements, and having an all access pass into the user’s computer system.

"Anyone using Bigscreen, it was game over for them," says Baggili, Elder Family Endowed Chair and founder of the University of New Haven’ Cyber Forensics Research & Education Group. "We didn’t have to send an email telling them we were hacking their computer. It’s not like they downloaded malicious software. They were just using their virtual reality system."

When they shared a video of their findings on the group’s website, the news went viral. Stories about it ran across the U.S., in Japan, China, Germany, and the Czech Republic.

What really got buzz, Dr. Baggili says, is that the team members were able to create a mini spying technology that allowed them to access user names and the users’ computers. "Our research revealed the ability to compromise virtual reality apps and systems and how security is not built into them," he says. "With the click of a button we could turn on their microphone and stream their computer screen back to us and see everything they were doing."

"They invented the web and then they created security for it. With virtual reality, we want to develop security at the same time."Ibrahim Baggili, Ph.D.

According to Mohit Kumar of Hacker News who covered the story, "Bigscreen is a popular VR application that describes itself as a ‘virtual living room,’ enabling friends to hang out together in virtual world, watch movies in a virtual cinema, chat in the lobby, make private rooms, collaborate on projects together, share their computer screens or control in a virtual environment." The team also found vulnerabilities in Unity, the game development platform.

Kumar wrote that Dr. Baggili, Vondráček, and Casey "responsibly reported their findings to both Bigscreen and Unity. Bigscreen acknowledged the security vulnerabilities in its "servers and streaming systems" and released the new Bigscreen Beta ‘2019 Update’ that fully patched the issues." Kumar wrote that Unity also "acknowledged the vulnerabilities."

The viral notice of their work is just one of their recent successes. With a grant from the National Science Foundation, Dr. Baggili and a team of graduate students – Casey, Ananya Yarramreddy, and Rebecca Lindsay-Decusati – discovered they could break into the HTC Vive and Oculus Rift VR systems and they could alter what happened once they got in

They devised and carried out four attacks that could control a person in virtual reality. Their findings will be published in the leading journal Institute of Electrical and Electronics Transactions on Dependable and Secure Computing. Another paper on how a computer memory can be used to recreate a virtual environment to help solve crimes was accepted by Digital Forensics Workshop.

Dr. Baggili and the student researchers are now further exploring their research into one of the earlier attacks they created – the human joystick – where the team was able to control the movements of the VR user without their knowing it. "We want to see how far we can take that," Dr. Baggili says.

One of the main goals of their research, Baggili says, is to build a security infrastructure at the same time virtual reality systems are being developed. "The developers of the internet got it wrong," he says. "They invented the web and then they created security for it. With virtual reality, we want to develop security at the same time."