- A new study has revealed that researchers have uncovered a potential security vulnerability in Meta's VR headset.
- The so-called “priming attack” allows an attacker to spy on and control the user's virtual reality environment.
- Only a third of study participants noticed the glitch when their session was hacked.
Researchers have uncovered a potentially major security flaw in Meta's virtual reality headsets, according to a new study.
A team of researchers from the University of Chicago said they have discovered a way to hack Meta Quest headsets without the user's knowledge, allowing them to control the user's virtual reality environment, steal information, and even manipulate interactions between users.
The researchers called this strategy a “priming attack,” which they defined as “an attacker-controlled attack that manipulates a user’s interaction with their VR environment, by trapping the user within a single malicious VR application that masquerades as the full VR system.”
This study comes as Meta CEO Mark Zuckerberg continues to dump the Apple Vision Pro, his biggest competitor in the field. Last week, Zuckerberg said Apple's virtual reality headset was “worse in most ways.”
the Stadywhich was first reported by MIT Technology Reviewhas not yet been peer-reviewed.
In order to carry out the attack, the hackers had to be connected to the same WiFi network as the Quest user, according to the study. The headset must also be in developer mode, which researchers said many Meta Quest users keep enabled to get third-party apps, adjust resolution, and take screenshots.
From there, the researchers were able to plant malware on the headphones, allowing them to install a fake home screen that looked identical to the user's original screen, but that the researchers could control.
This duplicate home screen is essentially a simulation within a simulation.
“While the user believes they are interacting normally with various VR applications, they are actually interacting within a simulated world, where everything they see and hear is intercepted, transmitted, and possibly altered by the attacker,” the researchers wrote in the study. .
The researchers created cloned versions of the Meta Quest Browser app and the VRChat app. Once the replica of the browser app was running, the researchers were able to spy on users as they logged into sensitive accounts, such as their bank or email.
They were able to not only see what the user was doing, but also manipulate what the user was seeing.
For example, researchers described a situation in which a user transfers money. While the user is trying to transfer $1 to someone, the attacker can change the amount to $5 on the backend. Meanwhile, it still appears as $1 to the user, including on the confirmation screen, so the user is unaware of what happened.
To test the initial attack process with real people, the researchers asked 27 study participants to interact with virtual reality headsets while carrying out the attack. The study said that only a third of users noticed the flaw when their session was hijacked, and all but one user attributed it to a normal performance issue.
Meta did not immediately respond to a request for comment from Business Insider, but an MIT Technology Review spokesperson said they would review the study, adding: “We continually work with academic researchers as part of our bug bounty program and other initiatives.”
