Researchers recently revealed that virtual reality app Bigscreen has a major vulnerability that makes it possible for hackers to eavesdrop on the users of the app and listen to their conversations.
If that was not enough, it has also been demonstrated by researchers at the University of New Haven that more damage could be done to the system by running malware and indulging in phishing activity as well.
For the record, though, the CEO at Bigscreen has confirmed that the bug has since been fixed.
The other finding by the research team is that there is a vulnerability with the game development platform, Unity.
Susceptible to ‘Man-in-the-Room’ Attacks
The University of New Haven Cyber Forensics Research and Education Group is the body that conducted the research. The project was funded through the National Science Foundation.
They found that the vulnerability allowed access to anyone the intention to hack into the VR Rooms, and once in, they could listen to practically everything. The victim of this breach would not know or be able to see the hacker. It is only the voice that can be listened into.
The serious issue is the vulnerability detected by the researchers showed that once the hacker breaks into one VR device, it is feasible to seamlessly move to the other connected devices as well. This is significant because the basic model that Bigscreen adopts is that it connects people within the VR environment so that they have a shared experience, whether they are into chatting or watching a movie or connecting for other reasons.
Looking into the different situations when under a typical attack found in this vulnerability, the research team characterized it as a “Man-in-the-Room” attack.
How It Works
The University of New Haven research team created a typical setup a hacker would employ, like a Command and Control center. Hackers usually use a C&C arrangement to send out commands to the system that has been hacked into. They found that the vulnerability easily allowed access to the Bigscreen user, and from there on, gaining access to others in the connected VR group was not difficult at all.
The team has recorded that the actions possible for the hacker to perform include capturing the screen and taking over the microphone of the user. This will enable the hacker to pass on instructions to the others in the group without the victim of the attack realizing that a third person is speaking into the microphone. Going further, the hacker can even remove someone from the group.
The team has recorded that the actions possible for the hacker to perform include capturing the screen and taking over the microphone of the user.
The research team detailed their findings in a blog post, where they have listed all the threats that the vulnerability permits the hackers to perform. They also uploaded a proof-of-concept video to YouTube demonstrating how the Man-in-the-Room attack works.
The Vulnerability in Unity Similar as Well
Though the description so far has been about the Bigscreen application that is used in the VR environment, the nature of the bug found in Unity is quite similar as well.
Unity is a game development platform. The nature of the vulnerability is more or less identical.
Over to the Developers to Fix the Vulnerability
The research teams like the one that detected this vulnerability work with a genuine intention to help the developers of the vulnerable programs to know what’s wrong with their programs. When they hack into a system, they don’t misuse the opportunity and don’t harm the targeted system in any way. Research teams often create a model environment within their group and keep recording each event as it unfolds.
After sharing the details of their findings with Bigscreen and Unity, the University of New Haven researchers shared information about their responses on their blog announcement.
As per reports, Bigscreen Founder and CEO Darshan Shankar has indeed issued a statement that their company has acknowledged the work done by the research team at the University of New Haven and has released to patch to their customers for removing the vulnerability.
Unity addressed the bug by adding a cautionary note to their documentation