A team of computer scientists at the University of Chicago has uncovered a potential vulnerability in virtual reality systems—one that could allow a hacker to insert what the team describes as an “inception layer” between a user’s VR Home Screen and their VR User/Server. The team has posted a paper describing their work and their findings on the arXiv preprint server.

Virtual reality systems allow users to interact in a virtual world—one where virtually anything imaginable is possible. In this new effort, the research team imagined a scenario where hackers could add an app to a user’s VR headset that tricks users into behaving in ways that could reveal sensitive information to the hackers.

The idea behind the app is that it could add a layer between the user and the virtual world the user normally sees when using their VR device. They call it an inception layer, after the movie where a character played by Leonardo DiCaprio has an altered layer of reality downloaded into his brain.

In this case, such a layer, the researchers suggest, could allow hackers to record information, such as a passcode entered into a virtual ATM. It could also intercept and alter information, such as cash amounts designated for a purchase—and routing the difference to the hacker‘s bank account.

It could even add imagery to the VR world, such as characters representing friends or family and use such a ruse to gain trust or access to secrets. In short, it could monitor or alter gestures, voice emanations, browsing activity and social or business interactions.

Such an app, the research team notes, could be downloaded on a user’s VR device if they managed to hack their WiFi network, or gain physical access. And once installed, it could run without notice from the user. The researchers tested this last possibility by enlisting the assistance of 28 volunteers who played a game using a demonstration VR headset.

The researchers then downloaded an app onto the devices, simulating a hacking, and then asked the volunteers if they had noticed anything—the download and activation process caused a tiny bit of a flickering. Only 10 of the volunteers noticed and just one of them questioned whether something nefarious was occurring.

The research team notified Meta, makers of the Meta Quest VR system that was used in the experiment, of their findings, and the company responded by reporting back that they plan to look into the potential vulnerability and fix it if it is confirmed. The researchers also note that such vulnerabilities are likely to exist on other systems and other types of apps that also seek to insert themselves between users and their VR devices.

© 2024 Science X Network

“Privacy. That’s iPhone,” the slogan proclaims. New research from Aalto University begs to differ.

Study after study has shown how voluntary third-party apps erode people’s privacy. Now, for the first time, researchers at Aalto University have investigated the privacy settings of Apple’s default apps, the ones that are pretty much unavoidable on a new device, be it a computer, tablet, or mobile phone.

The researchers will present their findings in mid-May at the CHI conference, and the peer-reviewed research paper is already available online.

“We focused on apps that are an integral part of the platform and ecosystem. These apps are glued to the platform, and getting rid of them is virtually impossible,” says Associate Professor Janne Lindqvist, head of the computer science department at Aalto.

The researchers studied eight apps: Safari, Siri, Family Sharing, iMessage, FaceTime, Location Services, Find My and Touch ID. They collected all publicly available privacy-related information on these apps, from technical documentation to privacy policies and user manuals.

The fragility of the privacy protections surprised even the researchers.

“Due to the way the user interface is designed, users don’t know what is going on. For example, the user is given the option to enable or not enable Siri, Apple’s virtual assistant. But enabling only refers to whether you use Siri’s voice control. Siri collects data in the background from other apps you use, regardless of your choice, unless you understand how to go into the settings and specifically change that,” says Lindqvist.

Participants weren’t able to stop data sharing in any of the apps

In practice, protecting privacy on an Apple device requires persistent and expert clicking on each app individually. Apple’s help falls short.

“The online instructions for restricting data access are very complex and confusing, and the steps required are scattered in different places. There’s no clear direction on whether to go to the app settings, the central settings—or even both,” says Amel Bourdoucen, a doctoral researcher at Aalto.

In addition, the instructions didn’t list all the necessary steps or explain how collected data is processed.

The researchers also demonstrated these problems experimentally. They interviewed users and asked them to try changing the settings.

“It turned out that the participants weren’t able to prevent any of the apps from sharing their data with other applications or the service provider,” Bourdoucen says.

Finding and adjusting privacy settings also took a lot of time. “When making adjustments, users don’t get feedback on whether they’ve succeeded. They then get lost along the way, go backwards in the process and scroll randomly, not knowing if they’ve done enough,” Bourdoucen says.

In the end, Bourdoucen explains, the participants were able to take one or two steps in the right direction, but none succeeded in following the whole procedure to protect their privacy.

Running out of options

If preventing data sharing is difficult, what does Apple do with all that data?

It’s not possible to be sure based on public documents, but Lindqvist says it’s possible to conclude that the data will be used to train the artificial intelligence system behind Siri and to provide personalized user experiences, among other things.

Many users are used to seamless multi-device interaction, which makes it difficult to move back to a time of more limited data sharing. However, Apple could inform users much more clearly than it does today, says Lindqvist. The study lists a number of detailed suggestions to clarify privacy settings and improve guidelines.

For individual apps, Lindqvist says that the problem can be solved to some extent by opting for a third-party service. For example, some participants in the study had switched from Safari to Firefox.

Lindqvist can’t comment directly on how Google’s Android works in similar respects, as no one has yet done a similar mapping of its apps. But past research on third-party apps does not suggest that Google is any more privacy-conscious than Apple.

So what can be learned from all this—are users ultimately facing an almost impossible task?

“Unfortunately, that’s one lesson,” says Lindqvist.