What are the security and privacy risks of AR and VR?
Augmented reality (AR) and virtual reality (VR) are closely related, but they are not the same. Augmented reality enhances or “amplifies” the real world by adding digital elements (visually, aurally, or sensorially) to a view of the real world. One of the most famous examples of AR in recent years is the popular game Pokémon Go.
In contrast, instead of adding to the existing world, virtual reality creates its own cyber environment. VR is often experienced through an interface, such as a headset or goggles, rather than watching content on a screen.
Mixed reality (MR) is similar to AR but goes much further by projecting 3D digital content, which responds to stimuli and space. With MRI, users can interact with and manipulate physical and virtual elements and environments; for example, a virtual ball could bounce off a real table or wall.
The universal term that covers VR, AR, and MR corresponds to extended reality (RE). The global market for RE hardware, software, and services is growing every year. However, the rapid rise of these technologies has caused some consumers to wonder what privacy and security issues they might present.
Privacy and security issues in augmented reality
AR concerns
One of the biggest perceived dangers in augmented reality relates to privacy. A user’s privacy is at risk because AR technologies can see what the user is doing. AR collects a lot of information about who the user is and what they are doing, and at an even higher level than, say, social media and other forms of technology. This gives rise to several concerns and questions:
- If hackers gain access to a device, the potential loss of privacy is enormous.
- How do AR companies use and protect the information they have collected from users?
- Where do companies store augmented reality data? Locally on the device or in the cloud? If the information is sent to the cloud, is it encrypted?
- Do RA companies share this data with third parties? If so, how do they use them?
unreliable content
AR browsers make the scaling process easy; however, content creation and delivery are left to third-party providers and applications. This raises a question about the lack of trust since AR is a relatively new domain and the mechanisms for generating and transmitting authenticated content continue to evolve. Sophisticated hackers might substitute a user’s AR with their own, in order to mislead people or provide false information.
Various cyber threats can make content untrustworthy, even if the source is authentic. These include impersonation, espionage, and data manipulation.
Social engineering
Due to the potential for content to be unreliable, augmented reality systems can be an effective tool to deceive users as part of social engineering attacks. For example, hackers could distort users’ perception of reality through false signals or screens to guide them to take actions that benefit hackers.
malware
AR hackers can embed malicious content into apps using advertising. Users may unknowingly click on advertisements that lead to hijacked websites or malware (infected AR servers hosting unreliable images), which weakens AR security.
Theft of network credentials
Criminals can steal the network credentials of portable devices running Android. Hacking could be a cyber threat for retailers using augmented reality and virtual reality shopping stores. Most customers already have credit card details and mobile payment solutions recorded in their user profiles. Hackers can gain access to these profiles and drain accounts silently since mobile payment is a quick process.
denial of service
Another potential attack on RA security is a denial of service. For example, let’s say users who rely on AR for work suddenly lose access to the stream of information they were receiving. This would be especially worrying in the case of professionals who use technology to perform tasks in critical situations; Not having access to such information could have serious consequences. An example might be a surgeon who suddenly loses access to vital real-time data in their AR glasses or a driver who suddenly cannot see the road due to the AR windshield turning to a black screen.
man-in-the-middle attacks
Attackers on a network can listen in on communications between the AR browser and the AR provider, AR channel owners, and third-party servers. This can lead to man-in-the-middle attacks.
Ransomware
Hackers can gain access to a user’s augmented reality device and record their behaviors and interactions in the AR environment. They may then threaten to publish these recordings unless the user pays a bounty. This could be embarrassing or distressing for people who don’t want their games or other AR interactions to be public.
Physical damages
One of the most important AR security vulnerabilities for portable AR devices is physical damage. Some portable devices are more rugged than others, but all have physical vulnerabilities. Maintaining the functionality and security of these devices (for example, not letting someone walk away with a helmet that can be easily lost or stolen) is an essential security aspect.
Virtual Reality Dangers and Safety Issues
Security threats in VR are a bit different than in AR since VR is limited to closed environments and does not involve interactions with the real physical world. However, VR headsets cover the entire vision of the user, which can be dangerous if hackers take control of the device. For example, they could manipulate the content in a way that makes the user dizzy or nauseated.
VR Concerns
As with AR, privacy is a primary concern in VR. A key privacy issue in VR is the highly personal nature of the data collected: for example, biometric data such as iris or retina scans, fingerprints and handprints, facial geometry, and voiceprints. Some examples are included:
- Finger Tracking: In the virtual world, a user can use hand gestures in the same way as they would in the real world; for example, using their fingers to type a code on a virtual keyboard. However, this means that the system records and transmits finger-tracking data, which shows fingers entering a PIN key. If an attacker can capture that data, he will be able to recreate a user’s PIN.
- Eye Tracking – Some VR and AR headsets may also include eye tracking. This data could be very valuable to malicious entities. Knowing precisely what a user is viewing could reveal valuable information to an attacker, which they can capture to recreate the user’s actions.
It is nearly impossible to anonymize VR and AR tracking data, as individuals have unique movement patterns. Using the behavioral and biological information collected in VR headsets, researchers have been able to identify users with a high degree of accuracy, which is a big problem if VR systems are hacked.
Like zip codes, IP addresses, and voice logs, VR and RA tracking data should be considered potential “personally identifiable information” (PII). It can be considered PII because it can be used by others to distinguish or trace an individual’s identity, either alone or in combination, or other personally identifiable information. This makes VR privacy a significant concern.
Ransomware
Attackers could also inject VR platforms with features designed to trick users into handing over personal information. Similar to AR, this opens the door to ransomware attacks in which malicious entities sabotage platforms and then demand ransom.
False or “ultrafake” identities
Machine learning technologies allow voices and videos to be manipulated to such a degree that they look just like authentic recordings. If a hacker can access motion tracking data from a VR headset, they may be able to use it to create a digital replica (sometimes known as a deep fake), which weakens VR security. That hacker can then overlay this element on someone else’s VR experience to perform a social engineering attack.
In addition to cybersecurity, one of the biggest dangers of virtual reality is that it completely blocks the user’s visual and auditory connection to the outside world. It is always important to first assess the physical security of the user’s environment. This also applies to AR, as users need to maintain a good awareness of their surroundings, especially in more immersive environments.
Other issues with VR that reviewers describe as negative include the following:
- Potential addiction.
- Health effects: such as dizziness, nausea, or spatial disconnection (after extended use of VR).
- Loss of human connection.
Examples of AR and VR
The uses for augmented reality, virtual reality, and mixed reality are varied and expanding. Those uses include the following:
- Games – From first-person shooters to strategy games and RPG adventures. Probably the most famous AR game is Pokémon Go.
- Professional Sports – For training programs that help professional and amateur athletes.
- Virtual Tour – Like virtual tours to attractions like zoos, safari parks, art museums, etc., without leaving your home.
- Health: to allow professional doctors to train; for example, using surgery simulations.
- Movies and TV – So movies and shows can create enhanced experiences.
The technology is also used in more serious spheres. For example, the United States Army uses it to digitally enhance soldiers’ training missions, while China’s police use it to identify suspects.
Oculus privacy concerns
Oculus is one of the best-known VR headsets and one of the few companies supporting large-scale VR game development. Facebook acquired the company in 2014 and, in 2020, announced that logging into Facebook will be a requirement for future VR headsets. This novelty generated an intense debate about the privacy of Oculus.
Critics of the decision had concerns about how Facebook collects, stores, and uses data, along with the potential to be targeted by more advertising. Add to that the fact that they are forced to use a service that they otherwise would not have chosen to use. The announcement sparked a flurry of posts online from privacy-savvy users raising concerns about Oculus’ security and saying they would no longer use their Oculus headsets, though several commenters felt this was not going to work. to affect Oculus in the long term.
Tips: How to stay safe when using VR and AR systems
Avoid revealing information that is highly personal
Do not reveal information that is highly personal or does not need to be disclosed. Setting up an account with your email is fine, but don’t enter your credit card unless you’re explicitly buying something.
Review the privacy policies
Sometimes it’s easy to skip over the large amounts of text in data privacy policies or terms and conditions. However, it’s worth finding out how the companies behind the AR and VR platforms store your data and what they do with that information. For example, do they share your data with third parties? What kind of data do they share and collect?
Use a VPN
One way to keep your identity and data private on the Internet is by using a VPN service. If you need to reveal sensitive information, using a VPN can prevent that information from being compromised. The combination of advanced encryption and a tampered IP address keeps your identity and data private. Due to advances in AR and VR, it is very likely that the VPN model will expand within these technological realities.
Keep firmware up to date
For your VR headsets and AR handhelds, it’s important to keep the firmware up to date. In addition to adding new features and improving existing ones, updates help fix security flaws.
Use full antivirus software
In general, the best way to stay safe online is to use a proactive cybersecurity solution. A solution like Kaspersky Total Security provides strong security against various online threats. These threats include viruses, malware, ransomware, spyware, phishing, and other emerging Internet security threats.