To answer simply, AR and VR pose little risk today, and likely will post little risk for the next five years. However, these technologies could become seriously dangerous in the next decade. Let’s explore why.
Little new attack surface
Today’s VR and AR technology offers little new attack surface since they are built upon existing platforms. At the highest level, AR and VR are mostly just new display and input mechanisms added to pre-existing devices. The underlying computers that power the technology—whether they be PCs, consoles, or mobile devices—haven’t really changed much. AR/VR tracking software doesn’t really need to connect to the Internet and doesn’t pose any greater risk than any other software you might add your computer; perhaps even less risk than your average network connected game.
No valuable data
Another way VR/AR could increase your risk profile is by collecting new data that makes you a more valuable target. VR/AR technology does tracks the motion of your head (and sometimes your hands), but this data is of little criminal use to an attacker. Other data that VR/AR system track, like voice and video, have risks of their own, but these aren’t unique to VR/AR – people have shared voice and video data online for years.
Current motion tracking data is relatively low fidelity and won’t provide much to an attacker or criminal. For instance, VR motion tracking is pretty accurate, but the criminal value of knowing where your head or hands are positioned is negligible.
Currently no way to monetize a VR attack
Even with these drawbacks, attacks would still target VR/AR if they could find some way to monetize their attacks, such as through social engineering. The problem is, there is little money in how most early adopters use AR/VR today.
VR is the more commonly used for gaming, and gamers already expect to be in a fantasy world that they know is disconnected from reality, so there is little opportunity for attackers to alter VR for social engineering.
On the other hand, real AR today exists in the form of experimental, non-consumer products like Google Glass and Hololens, and novelty uses like Pokemon Go. Until AR becomes such a ubiquitous tool that we use it in our everyday life, we won’t trust it enough to be tricked if an attacker alters what it shows us. In short, AR/VR doesn’t provide a rich enough target for attackers to go after… yet.
Safe present, potentially grim future
So far, I’ve painted a relatively safe picture for AR/VR that will likely hold true for the next five years or so. However, as these technologies improve and become more commonplace, they will pose a bigger danger—especially AR. Here are some examples of what VR/AR hacks of the future might look like:
1. Finer tracking data allows for more dangerous hacks
Imagine the future of online shopping. This could become an entirely VR experience, where you literally browse a virtual store front, interact with items, and perhaps even try them on your avatar. Of course, the program you use for this knows your credit or debit card, so when you purchase the item for shipment, it would send the information. However, for added security, online shops could make your avatar virtually enter some sort of pin or code to verify your debit or credit use. In the virtual world, you might do this like you do in the real world, by using your fingers to type the code in a virtual key pad (in the air from your perspective). However, doing this means your system must record and transmit the fine finger tracking data showing you fingers type the pin. If an attacker can capture that data, they have all they need to recreate your pin (and they would presumably have some way to capture your card’s digital data too.
The future of AR/VR headsets may also include eye tracking, for a variety of reasons (one being to render your virtual world from the proper perspective). This eye tracking data could provide additional value to malicious actors. Knowing exactly what you are looking at could reveal valuable information to an attacker. For instance, if you were in an online shop, your eye tracking data shows what you are most interested it. Marketers are already using web coding tricks to monitor your mouse movement and click to figure out your buying habits and interests. Attackers that capture that data could recreate things you do, in the same way as the manual pin entry I mentioned above.
2. Warping augmented reality
In the future, we may wear some sort of AR device that overlays a digital heads up display (HUD) onto our real life at all times. We could use our hands to gesture and pin our computer screens and browser windows to various walls in the real world. Virtual speed limit signs could pop up to warn us we are driving too fast. Contact information could remind us things about the acquaintance we’re meeting (or even info about those we are meeting for the first time). We could even get instant calorie information when we handle food items in a grocery store. As we become more used to using AR every day, this information will seem more like reality, causing us to trust it more. But if an attacker can hack our AR device, it presents a huge opportunity for them to poison this information and get us into trouble.
For instance, what if an attacker wanted to hurt you. Imagine you’re driving in an unfamiliar town. Unbeknownst to you, you are approaching a tight turn on the freeway. The turn has a physical speed limit warning signs telling you to drop speed to “25mph,” due to the corner. If an attacker could gain control of your AR system, they could overlay those 25mph signs with “60mph,” putting you in a dangerous situation where you enter a corner far too fast.
And that’s just the start of what they could do if humanity becomes “programmed” to trust their AR HUD. Frankly, once AR becomes advanced enough to overlay anything we see with real-time CGI, and we use AR so ubiquitously that it becomes a second-nature, trusted “sense,” there is no limit to how hackers might alter our realities.
3. Your perfect digital VR clone
The ideal future of VR depends on a few things. First is full body digital tracking, where literally every movement of every appendage is tracked very finely, and recreated in digital space. Second, is the perfect digital avatar. In the future, the cameras or devices tracking us, will create quick maps of our physical 3D space, apply our texture to that model, and make a perfect replica in a virtual world. This might sound like sci-fi, but is closer than you might imagine.
However, imaging the social engineering possibilities if malicious actors got a hold of your 3D model, and a history of all your movements in VR. Animators and computer scientists have already created many methods to make a person sound like they said something they didn’t, based previous recordings of their voice. They can even alter the video of a person, to make them have different expressions and lip movements. In fact, you can see a scary example of this on a site created by NPR’s Radio Lab.
While these fake videos haven’t been perfected yet, imagine how VR tracking data and accurate 3D models could change things. One of the unique identifiers of an individual is their unique movements and verbal or physical “ticks.” If compromised, these personal intricacies could allow hackers to socially engineer your friends, or convince anyone they were you.
Conclusion
You really shouldn’t worry about the security of AR/VR much today. Most people are only using these technologies for entertainment, and they don’t introduce much new data or attack surface. The worst VR risk today is making you unaware of your real physical surroundings. However, as these technologies mature, you should expect criminals to target them. I look forward to us realizing AR and VR’s full potential, but we should head into this future with our defenses up.
from Help Net Security http://ift.tt/2xNRB91
No comments:
Post a Comment