Researchers hack VR worlds

Hackers just infiltrated virtual reality (VR), enabling them to manipulate users’ immersive 3D worlds.

At the Recon cybersecurity show in Montreal, researchers Alex Radocea and Philip Pettersson demonstrated how to hack virtual reality worlds on three platforms.

  • The first was VR Chat, a virtual chat room available via online gaming platform Steam and Facebook-owned Oculus.
  • The second was Steam’s own Steam VR platform, which provides games designed for VR and also allows users to play traditional games on a giant virtual screen.
  • Finally, High Fidelity, an open source VR system with its own blockchain-based digital currency, got the hacking treatment.

Hacking an immersive VR world enables an attacker to take complete control of the victim’s virtual world, Radocea and Pettersson warned. An attacker can listen to what the victim is saying, and can also create fake images.

What kinds of real-world attacks could someone engineer in a VR world? In the hacking demonstration, the researchers opened the Calc.exe Windows program, which is a common way to demonstrate that you can run arbitrary code on a system. In most demonstrations, this would just appear on the desktop, but in this case, it replaced one of the VR users’ hands like a giant sticky note that they couldn’t get rid of.

Attackers could irritate VR users or perhaps push inappropriate images to chatroom users, and they could eavesdrop on conversations. The real dangers though are probably more traditional. Using a VR chatroom to execute remote code on a target platform is serious enough.

According to one show attendee, the researchers also opened a Meterpreter shell. Meterpreter is part of the Metasploit exploitation framework, which penetration testers use to find flaws in client systems. It’s an interactive command line shell that they can use to remotely communicate with target systems.

On the VR Chat and Steam VR platforms, the researchers figured out a way to take control of the victims’ system by inviting them into a chat room. Any user visiting a chat room would encounter the exploit, which would then infect their machines. Because joining a chatroom is so simple to do, it means that they could compromise many computers in short order. A program could automatically invite all of a compromised user’s contacts into the chatroom, creating a worm that would spread quickly, they warned.

This isn’t the first time people have successfully hacked VR systems. In February 2019, researchers at the University of New Haven discovered vulnerabilities in Bigscreen, a VR environment that allows people to club together in virtual rooms and collaborate on massive virtual screens or watch movies together. That hack enabled the researchers to gatecrash private rooms while remaining invisible in what they called a ‘man in the room’ attack. They could turn on users’ microphones and listen to private conversations, and – just as Radocea and Pettersson demonstrated – create replicating worms that infect users as soon as they enter a room. It could also download and run programs, including malware, onto users’ computers.

Radocea and Pettersson disclosed the most recent bugs responsibly and all of the vulnerable platforms put a fix in place.