VR Hack Allows ‘Inception’ Attacks, Controlling Users’ Systems

While users have not yet experienced the hack, University of Chicago researchers demonstrated its potential impacts using Meta’s VR headsets.

IoT World Today

April 3, 2024

Researchers from the University of Chicago have discovered a potential vulnerability in virtual reality (VR) systems, which a hacker could use to insert an “inception layer” between a user and a virtual world, controlling their experience and “trapping” them in a malicious VR application.

The team published their findings in a paper, introducing the concept of inception attacks and detailing tests conducted on Meta Quest’s VR headsets. 

Inception attacks, named after the Leonardo DiCaprio film in which characters have dreams downloaded into their psyche, involve a hacker taking control of a user’s virtual environment by inserting a false VR layer into their system.

Once in the false VR layer, users can then be manipulated to reveal sensitive information.

“Once trapped in an inception VR layer, all of the user's interactions with remote servers, network applications, and other VR users can be recorded or modified without their knowledge,” the team wrote. “This enables traditional attacks (recording passwords and modifying user actions in flight), as well as VR interaction attacks, where (with generative AI tools) two VR users interacting can experience two dramatically different conversations.”

To test these attacks, the team built a clone of Meta’s Quest browser that modifies data as it is displayed to the user and can even monitor and alter audio chats between VR users.

In tests, only 37% of users noticed the visual glitch when the inception attack began and only one suspected malicious activity. 

Users have not yet reported examples of this attack, but the researchers’ work shows the potentially devastating impacts such a hack could have.

While the team said there is still time to develop countermeasures to defend users, they warned that the risk of attack grows as VR systems become increasingly complex.

“The results of our study demonstrate the initial feasibility and effectiveness of our inception attacks, which successfully deceived 26 out of 27 participants,” the team wrote. “We need more systematic approaches to defend against such attacks,

“Looking forward, we believe there is still enough time to design and implement multiple security measures to dramatically reduce both the expected proliferation of these attacks as well as the damage they inflict. But the clock is ticking.” 
