What are the Security and Privacy Risks of VR and AR
What is augmented reality (AR) and virtual reality (VR)?
Augmented reality (AR) and virtual reality (VR) are closely related but not the same. Augmented reality enhances or ‘augments’ the real world by adding digital elements – visual, auditory, or sensory – to a real-world view. One of the most famous examples of AR in recent years was the popular game Pokémon Go.
By contrast, rather than adding to the existing world, virtual reality creates its own cyber environment. Virtual reality is usually experienced through an interface, such as a headset or goggles, instead of watching content on a screen.
Mixed reality (MR) is similar to AR but goes further by projecting 3D digital content that is spatially aware and responsive. With MR, users can interact with and manipulate both physical and virtual items and environments – for example, a virtual ball might bounce off a real table or wall.
The umbrella term for VR, AR, and MR is extended reality (XR). The global market for XR hardware, software, and services is growing each year. But the rapid rise of these technologies has also left some consumers wondering what privacy and security issues they raise.
Augmented reality security and privacy issues
One of the biggest perceived dangers of augmented reality concerns privacy. A user’s privacy is at risk because AR technologies can see what the user is doing. AR collects a lot of information about who the user is and what they are doing – to a much greater extent than, for example, social media networks or other forms of technology. This raises concerns and questions:
- If hackers gain access to a device, the potential loss of privacy is huge.
- How do AR companies use and secure the information they have gathered from users?
- Where do companies store augmented reality data – locally on the device or in the cloud? If the information is sent to a cloud, is it encrypted?
- Do AR companies share this data with third parties? If so, how do they use it?
AR browsers facilitate the augmentation process, but the content is created and delivered by third-party vendors and applications. This raises the question of unreliability as AR is a relatively new domain, and authenticated content generation and transmission mechanisms are still evolving. Sophisticated hackers could substitute a user’s AR for one of their own, misleading people or providing false information.
Various cyber threats can make the content unreliable even if the source is authentic. These include spoofing, sniffing, and data manipulation.
Given the potential unreliability of content, augmented reality systems can be an effective tool for deceiving users as part of social engineering attacks. For example, hackers could distort users' perception of reality through fake signs or displays to lead them into performing actions that benefit the hackers.
AR hackers can embed malicious content into applications via advertising. Unsuspecting users may click on ads that lead to hostage websites or malware-infected AR servers that house unreliable visuals – undermining AR security.
Stealing network credentials
Criminals may steal network credentials off wearable devices running Android. For retailers who use augmented reality and virtual reality shopping apps, hacking could be a cyber threat. Many customers already have their card details and mobile payment solutions already recorded in their user profiles. Hackers may gain access to these and deplete accounts silently since mobile payment is such a seamless procedure.
Denial of service
Another potential AR security attack is denial of service. An example might involve users who rely on AR for work suddenly being cut off from the information stream they are receiving. This would be especially concerning for professionals using the technology to carry out tasks in critical situations, where not having access to information could have serious consequences. One example might be a surgeon suddenly losing access to vital real-time information on their AR glasses, or a driver suddenly losing sight of the road because their AR windshield turns into a black screen.
Network attackers can listen in on the communications between the AR browser and the AR provider, AR channel owners, and third-party servers. This can lead to man-in-the-middle attacks.
Hackers may gain access to a user’s augmented reality device and record their behavior and interactions in the AR environment. Later, they may threaten to release these recordings publicly unless the user pays a ransom. This could be embarrassing or distressing for individuals who do not want to see their gaming and other AR interactions made public.
One of the most significant AR security vulnerabilities for wearable AR devices is physical damage. Some wearables are more durable than others, but all devices have physical vulnerabilities. Keeping them functional and secure – for example, by not letting someone walk off with a headset that can be easily lost or stolen – is an essential aspect of safety.
Virtual reality dangers and security issues
VR security threats are slightly different from AR since VR is limited to closed environments and doesn’t involve interactions with the real physical world. Regardless, VR headsets cover the user’s entire vision, which can be dangerous if hackers take over the device. For example, they could manipulate content in ways that will cause dizziness or nausea in the user.
As with AR, privacy is a major concern with VR. A key VR privacy issue is the highly personal nature of the collected data – i.e., biometric data such as iris or retina scans, fingerprints and handprints, face geometry, and voiceprints. Examples include:
- Finger tracking: In the virtual world, a user might use hand gestures in the same way they would in the real world – for example, by using fingers to type the code on a virtual keypad. However, doing this means the system records and transmits the finger tracking data showing fingers typing a PIN. If an attacker can capture that data, they will be able to recreate a user’s PIN.
- Eye-tracking: Some VR & AR headsets may also include eye-tracking. This data could provide additional value to malicious actors. Knowing precisely what a user is looking at could reveal valuable information to an attacker – which they can capture to recreate user actions.
It is nearly impossible to anonymize VR and AR tracking data because individuals have unique patterns of movement. Using the behavioral and biological information collected in VR headsets, researchers have identified users with a very high degree of accuracy – presenting a real problem if VR systems are hacked.
Just like zip codes, IP addresses, and voiceprints, VR and AR tracking data should be considered potential 'personally identifiable information' (PII). It can be regarded as PII because other parties can use it to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information. This makes VR privacy a significant concern.
Attackers may also inject features into VR platforms designed to mislead users into giving away personal information. As with AR, this creates scope for ransomware attacks, where malicious actors sabotage platforms before asking for a ransom.
Fake identities or ‘Deepfakes ‘
Machine-learning technologies allow for manipulating voices and videos to the extent they still look like genuine footage. If a hacker can access the motion-tracking data from a VR headset, they can potentially use it to create a digital replica (sometimes known as deepfakes) and therefore undermine VR security. They could then superimpose this on someone else’s VR experience to carry out a social engineering attack.
Aside from cybersecurity, one of the biggest virtual reality dangers is that it completely blocks off a user’s visual and auditory connection to the outside world. It’s always important to evaluate the physical safety and security of the user’s environment first. This also applies to AR, where users must maintain a good awareness of their surroundings, particularly in more immersive environments.
Other problems with VR that critics sometimes describe as virtual reality negatives include:
- Potential for addition.
- Health effects – such as feeling dizzy, nauseous, or spatially unaware (after extended use of VR.)
- Loss of human connection.
Examples of AR and VR
The uses for augmented reality, virtual reality, and mixed reality are varied and expanding. They include:
- Gaming – from first-person shooters to strategy games to role-playing adventures. The most famous AR game is probably Pokémon Go.
- Professional sports – for training programs that help both professional and amateur athletes.
- Virtual travel – such as virtual trips to attractions like zoos, safari parks, art museums, etc. – without leaving home.
- Healthcare – to allow medical professionals to train, for example, using surgical simulations.
- Film and TV – for movies and shows to create enhanced experiences.
The technology is also used in more serious domains. For example, the US Army uses it to digitally enhance training missions for soldiers, while in China, the police use it to identify suspects.
Oculus privacy concerns
Oculus is one of the best-known VR headsets and one of a handful of companies that backs VR game development at a large scale. Facebook acquired the company in 2014, and in 2020, Facebook announced that Facebook logins would be required for future VR headsets. This development sparked a heated discussion about Oculus privacy.
Critics of the decision were concerned about how Facebook collects, stores, and uses data and the potential for further ad targeting plus being forced to use a service that some may not have otherwise chosen to use. The announcement led to a wave of online posts from privacy-conscious users worried about Oculus security and who claimed they would no longer use their Oculus headsets – although commentators felt that it was unlikely to hinder Oculus in the long run.
Tips: How to stay safe when using VR and AR systems
Avoid disclosing information that is too personal
Don't disclose any information that is too personal or doesn't need to be disclosed. It is one thing to set up an account with your email but don't set up your credit card unless you are explicitly purchasing something.
Review privacy policies
It is easy sometimes to skip over lengthy data privacy policies or terms and conditions. But it’s worth trying to find out how the companies behind AR and VR platforms store your data and what they do with it. For example, are they sharing your data with third parties? What kind of data are they sharing and collecting?
Use a VPN
One way to keep your identity and data private on the web is by using a VPN service. If you need to disclose sensitive information, using a VPN can protect you from having that information compromised. Advanced encryption and an altered IP address work together to keep your identity and data private. With developments in AR and VR, the VPN model will likely expand within these tech realities.
Keep firmware up to date
For your VR headsets and AR wearables, it's vital to keep firmware up to date. As well as adding new features and improving existing ones, updates help to patch security flaws.
Use comprehensive antivirus software
In general, the best way to stay safe online is by using a proactive cybersecurity solution. Such as Kaspersky Total Security which provides robust protection from various online threats. Such as, viruses, malware, ransomware, spyware, phishing, and other emerging internet security threats.