
Enigma Talk - Kavya Pearlman - USENIX · Microsoft PowerPoint - Enigma Talk - Kavya Pearlman...

Date post: 21-Jul-2020
Transcript
Page 1: Enigma Talk - Kavya Pearlman - USENIX · Microsoft PowerPoint - Enigma Talk - Kavya Pearlman Author: Peace Created Date: 2/7/2020 9:03:49 PM ...

@xrsidotorg

Virtual Reality Brings Real Risks

Are we Ready?

Page 2:

What is Virtual Reality (VR)?

VR immerses users in a fully artificial digital environment

Specs: Head Mounted Display, Heavy (GPU) Computing, Touch Controllers, Motion Sensors

Page 3:

What is Social VR?

Page 4:

XR: Augmented vs Virtual vs Mixed Reality

Page 5:

How XR is changing our lives?

1

Page 6:

Slide 5

1 Explain Real Estate and Automotive.. one in light blue only.. make it clear u r choosing two (Kavya Pearlman, 1/25/2020)

Page 7:

...and bringing new risks!

PRIVACY: With constant reality capture, how do we ensure privacy is accounted for?

SECURITY: What about the VR apps getting hacked? Are third party risks accounted for?

TRUST: In the era of deep fakes and propaganda, how can we be sure of individual identity in VR?

Page 8:

VIRTUAL REALITY ATTACKS

Page 9:

VR Attack Surface

Page 10:

VR Attack Surface

[Figure: VR attack surface diagram. Labels: Supporting Data Services (Social Networks, Web Services, Applications); Social Network Data, Web Service Data, Remote Application Data; Virtual Reality Environment; User Data; View of the Virtual Reality headset (IKEA furniture, Samsung display, 1 new email, 1 unread message). Legend: output data flow, input data flow, in-network data flow.]

Source: Casey, P., Baggili, I., & Yarramreddy, A. (2019). Immersive Virtual Reality Attacks and the Human Joystick. IEEE Transactions on Dependable and Secure Computing.

Page 11:

VR Attack Vectors

[Figure: VR attack vectors diagram. Labels: Workstation VR Application; Target Machine; VR Device; Compromise; Initiate Background Instance; Modify Configuration; Command & Control (Chaperone, Overlay, Camera, Disorientation, Human Joystick); Data Leakage (Camera, Position Feed).]

Source: Casey, P., Baggili, I., & Yarramreddy, A. (2019). Immersive Virtual Reality Attacks and the Human Joystick. IEEE Transactions on Dependable and Secure Computing.

Page 12:

Novel attacks in VR

● Look where you are exactly (Tracker Attack)
● Remove your safety boundaries (Chaperone Attack)
● Move you wherever we want (Human Joystick Attack)
● Block your vision (Overlay Attack)

Source: Casey, P., Baggili, I., & Yarramreddy, A. (2019). Immersive Virtual Reality Attacks and the Human Joystick. IEEE Transactions on Dependable and Secure Computing.

Page 13:

Tracker Attack

Turn on front facing camera

Stream video feed back to attacker

Look inside victim’s room

Even if cam disabled by the user

Source: Casey, P., Baggili, I., & Yarramreddy, A. (2019). Immersive Virtual Reality Attacks and the Human Joystick. IEEE Transactions on Dependable and Secure Computing.

Page 14:

Chaperone Attack

Source: Casey, P., Baggili, I., & Yarramreddy, A. (2019). Immersive Virtual Reality Attacks and the Human Joystick. IEEE Transactions on Dependable and Secure Computing.

Page 15:

Human Joystick Attack

Source: Casey, P., Baggili, I., & Yarramreddy, A. (2019). Immersive Virtual Reality Attacks and the Human Joystick. IEEE Transactions on Dependable and Secure Computing.

Page 16:

Overlay Attack

New type of Ransomware?

Source: Casey, P., Baggili, I., & Yarramreddy, A. (2019). Immersive Virtual Reality Attacks and the Human Joystick. IEEE Transactions on Dependable and Secure Computing.

Page 17:

Risk Mitigation Categories

Data Protection: Ensure I/O including data aggregated by system for use by third-party applications is properly stored and protected

User Interaction Protection: Users can share virtual environments; their interactions and information within the VE should be protected

Device Protection: Protecting the physical devices and their data.

Page 18:

It begins...

Page 19:

XRSI - XR Safety Initiative

Our Mission: Help Build Safe Immersive Environments

● XR Bug Bounty Program
● 3C Information Security Framework for XR Enterprises.
● Global Security Awareness Campaign via STOP.THINK.CONNECT.

Page 20:

3C Information Security Framework for XR enterprises

To Be Released in Q2, 2020

Page 21:

WHAT CAN YOU DO?

HACK Extended Reality [email protected]

Other Enquiries: [email protected]

