VR headsets vulnerable to ‘Inception attack’ hacking

Researchers at the University of Chicago successfully exploited a security vulnerability which could allow criminals to hijack users’ headsets, steal sensitive data and manipulate social interactions through AI.

Dubbed the ‘Inception attack’ after the mind-bending Christopher Nolan movie, the hack sees an attacker control and manipulate a user’s interaction with their VR environment and applications, trapping them in an ‘inception VR layer’, a malicious VR application that mimics the full VR system.

Once ‘trapped’ in the layer, all of the user’s interactions with remote servers, network applications and other VR users can be recorded or modified without their knowledge. This enables more conventional cyber attacks such as recording passwords and modifying user actions mid-activity, as well as VR interaction attacks where, with generative AI tools, two VR users interacting can experience two dramatically different conversations.

The research, titled Inception Attacks: Immersive Hijacking in Virtual Reality Systems, found that the attacks works on all Meta Quest VR headsets and demonstrated that a form of ‘Inception attack’ could include a cloned version of the Meta Quest browser that can modify data  as it’s displayed to the user, and alter user input en-route to the server, such as modifying the amount of money transferred in a banking session.

The researchers’ attempt at the attack also included a cloned VRChat app, where an attacker can eavesdrop and modify live audio between two VR users. During a study on users where the attack was attempted, only 37% of users noticed the momentary visual ‘glitch’ when the inception attack began, with all but one user attributing it to imperfections in the VR platform.

Photo credit: Victor Moussa/Shutterstock.com

Article Categories

Most Viewed