Exploiting Virtual Reality: Researchers Target the Popular Bigscreen VR App

A team of cybersecurity researchers from the University of New Haven has unveiled significant vulnerabilities within a popular virtual reality (VR) application known as Bigscreen. Their findings, shared exclusively with The Hacker News, highlight how these flaws could allow malicious actors to compromise users’ privacy and security during VR interactions, impacting both virtual and real-world engagements. The researchers, Ibrahim Baggili, Peter Casey, and Martin Vondráček, demonstrated the vulnerabilities via a video, illustrating how easily hackers could exploit these weaknesses.

Bigscreen is designed as a virtual living room, enabling users to socialize, watch movies, and collaborate within immersive environments. However, the underlying security issues, which remain undisclosed in technical specifics, pose a troubling risk that could be exploited through a command-and-control server. This could allow a hacker to engage in malicious activities such as hijacking VR rooms, eavesdropping on conversations, and even accessing users’ computer screens without their knowledge.

What makes this situation even more dire is a vulnerability in the Unity game development platform, which serves as the foundation for Bigscreen. By leveraging both Bigscreen’s vulnerabilities and weaknesses in the Unity Engine Scripting API, researchers demonstrated that they could potentially take full control of VR users’ systems. This could involve the silent installation of malware or executing harmful commands without the user’s confirmation.

The technical loopholes they identified are persistent cross-site scripting (XSS) vulnerabilities that exist within user input fields on the Bigscreen app. Because these input boxes lacked proper sanitization, attackers could inject malicious JavaScript code that runs upon interaction with the application. This allowed the researchers to manipulate functionalities, leading to potential phishing attacks and unauthorized access to sensitive data.
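The persistent XSS class described above, shown as an added example that is not Bigscreen's code or the researchers': user-supplied text is stored as submitted and later rendered to other users, once by plain concatenation and once with output encoding. The store, the function names and the sample room names are all constructed for illustration.

```javascript
// Added example with constructed data; all names here are hypothetical.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Persistent store: names are kept exactly as users submitted them.
const rooms = [];
function createRoom(name, owner) {
  rooms.push({ name, owner });
}

// Vulnerable pattern: stored text is concatenated into markup unchanged,
// so anything a user typed is parsed as HTML for every later viewer.
function renderUnsafe(list) {
  return list.map((r) => `<li>${r.name} (host: ${r.owner})</li>`).join("");
}

// Hardened pattern: encode on output, so stored text is displayed as text.
function renderSafe(list) {
  return list
    .map((r) => `<li>${escapeHtml(r.name)} (host: ${escapeHtml(r.owner)})</li>`)
    .join("");
}

// Simple check for this demo: count start tags of one element in the output.
function countTags(html, tag) {
  return (html.match(new RegExp(`<${tag}[\\s>]`, "gi")) || []).length;
}

// Constructed sample input: one ordinary name, one containing markup.
createRoom("Movie night", "alice");
createRoom('<script>console.log("injected")</script>', "mallory");

console.log("script tags, unsafe render:", countTags(renderUnsafe(rooms), "script"));
console.log("script tags, safe render:  ", countTags(renderSafe(rooms), "script"));
console.log(renderSafe(rooms));
```

Encoding at render time, rather than only filtering at input time, also covers values that were stored before any input filter existed.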

The implications extend far beyond mere data theft. The demonstrated “Man-in-the-Room” attack exemplifies how a hacker could join a VR space undetected, listening and watching as other users engage, akin to an invisible observer. The researchers pointed out that the architecture of the Bigscreen application lacks adequate integrity checks on dynamic-link libraries (DLLs), enabling alterations that conceal hacker activities through the misuse of XSS payloads.

The vulnerabilities were responsibly reported to both Bigscreen and Unity. In response, Bigscreen acknowledged the issues and implemented substantive patches through a new beta update. Unity, on the other hand, only added a cautionary note to its documentation, emphasizing that its platform could introduce significant security risks.

This case highlights critical areas of concern in the cybersecurity landscape surrounding VR technologies. The weaknesses in Bigscreen and the Unity platform underscore the urgent need for robust security measures. Utilizing the MITRE ATT&CK framework, one can identify relevant adversary tactics that may have been exploited, including initial access through insecure input fields and privilege escalation via unverified DLL processes. As VR applications proliferate, it becomes increasingly vital for developers and businesses to prioritize security in their design and implementation processes.
