@xrsidotorg
Virtual Reality Brings Real Risks
Are we Ready?
What is Virtual Reality (VR)?
VR immerses users in a fully artificial digital environment
Specs: Head Mounted Display, Heavy (GPU) Computing, Touch Controllers, Motion Sensors
What is Social VR?
XR: Augmented vs Virtual vs Mixed Reality
How XR is changing our lives?
...and bringing new risks!
PRIVACY: With constant reality capture, how do we ensure privacy is accounted for?
SECURITY: What about the VR apps getting hacked? Are third party risks accounted for?
TRUST: In the era of deep fakes and propaganda, how can we be sure of individual identity in VR?
VIRTUAL REALITY ATTACKS
VR Attack Surface
Source: Casey, P., Baggili, I., & Yarramreddy, A. (2019). Immersive Virtual Reality Attacks and the Human Joystick. IEEE Transactions on Dependable and Secure Computing.
[Diagram: VR Attack Surface. Labels: Supporting Data Services (Social Networks, Web Services, Applications); Social Network Data, Web Service Data, Remote Application Data; Virtual Reality Environment; User Data; View of the Virtual Reality headset (IKEA furniture, Samsung display, 1 new email, 1 unread message). Legend: Output data flow, Input data flow, In-network data flow.]
VR Attack Vectors
[Diagram labels: Workstation; VR Application; Target Machine; VR Device; Compromise; Initiate Background Instance; Modify Configuration; Command & Control: Chaperone, Overlay, Camera, Disorientation, Human Joystick; Data Leakage: Camera, Position Feed.]
Novel attacks in VR
● Look where you are exactly (Tracker Attack)
● Remove your safety boundaries (Chaperone Attack)
● Move you wherever we want (Human Joystick Attack)
● Block your vision (Overlay Attack)
Tracker Attack
● Turn on front facing camera
● Stream video feed back to attacker
● Look inside victim’s room
● Even if cam disabled by the user
Chaperone Attack
Human Joystick Attack
Overlay Attack
New type of Ransomware?
Risk Mitigation Categories
● Data Protection: Ensure I/O, including data aggregated by the system for use by third-party applications, is properly stored and protected
● User Interaction Protection: Users can share virtual environments; their interactions and information within the VE should be protected
● Device Protection: Protecting the physical devices and their data.
It begins...
XRSI - XR Safety Initiative
Our Mission: Help Build Safe Immersive Environments
● XR Bug Bounty Program
● 3C Information Security Framework for XR Enterprises.
● Global Security Awareness Campaign via STOP.THINK.CONNECT.
3C Information Security Framework for XR enterprises
To Be Released in Q2, 2020
WHAT CAN YOU DO?
HACK Extended Reality [email protected]
Other Enquiries: [email protected]