Publication Details
Rise of Immersive Virtual Reality Malware and the Man-in-the-Room Attack
Virtual Reality, Mixed Reality, VR Privacy, Security Analysis, Network Traffic Analysis, Penetration Testing, Reverse Engineering, Application Patching, Forensic Analysis, Responsible Disclosure, Bigscreen, Unity, Static Analysis Security Testing, Obfuscation, Deobfuscation, CodeQL
In this work we present a primary account of the first Virtual Reality (VR) Worm & Botnet, and VR Man-in-the-Room (MitR) attack. We explore the applicability of old attacks in a new technological medium and the severity of the impact of these new attacks. We define abstract and formal foundations of VR Worms and MitR attacks against VR applications & platforms. We then devise our Proof of Concept (PoC) in the context of a widely used VR social application - Bigscreen. Unsurprisingly, our results illustrated a lack of security posture in the tested application, but more importantly, the novelty of the work is grounded in the severity impact of the malicious abuse of Immersive Virtual Reality, and the uniqueness of being virtually in the presence of others without their knowledge or consent. We share demonstrative attacking tools and used exploits. But we also focus on prevention, as we implement and publish a series of analytical tools, vulnerability signatures, and a dataset. Our work should inspire technical solutions to improve the state-of-the-art in VR security, socio-technical research in VR, and raise questions in the law and policy domains pertaining to VR security and privacy.
@inproceedings{BUT168505,
author="VONDRÁČEK, M. and BAGGILI, I. and CASEY, P.",
title="Rise of Immersive Virtual Reality Malware and the Man-in-the-Room Attack",
booktitle="IEEE Symposium on Security and Privacy (S&P)",
year="2021",
pages="17",
publisher="IEEE Computer Society",
address="San Francisco, CA",
isbn="978-1-5386-6660-9",
url="https://www.fit.vut.cz/research/publication/12406/"
}