A team of researchers at the University of New Haven recently uncovered an exploit that could mean a serious security threat to apps built on the Unity game engine. Bigscreen Beta, the Unity-based social VR platform that lets you stream you monitor to others and chat in virtual reality, was particularly vulnerable before being patched last week.
Bigscreen founder and CEO Darshan Shankar says the exploit was “reported to us and has been fixed already” and that it was “not exploited by hackers, and no one is currently vulnerable to this issue. It is fixed.”
The security patch was also publicly noted in the app’s most recent update log, among which included a number of new features such as real-time raytracing lighting effects, new environments, new avatars, and new user interface.
Before the vulnerability was patched in a recent Bigscreen Beta update, University of New Haven researchers were able to accomplish a dizzying list of bad deeds using their own ‘command and control’ tool in effort to not only render the platform unsafe for private conversation, but also potentially infect computers with any type of malware by using Unity’s OpenURL command.
Unity has since issued a warning to developers who use the OpenURL command in their games, saying “you must be extremely careful that you do not provide a string to this function which could possibly be maliciously crafted or modified by a 3rd party.”
The researchers say in a news update that without a user’s knowledge and consent—and even without tricking users into downloading software or granting access to the computer—they were able to:
- Turn on user microphones and listen to private conversations
- Join any VR room including private rooms
- Create a replicating worm that infects users as soon as they enter a room with other VR users
- View user computer screens in real-time
- Send messages on a user’s behalf
- Download and run programs – including malware – onto user computers
- Join users in VR while remaining invisible. This novel attack was termed as a Man-In-The-Room (MITR) attack
- Phish users into downloading fake VR drivers
“Our research shows hackers are able to monitor people day in and day out – listen to what they are saying and see how they are interacting in virtual reality,” said Dr. Ibrahim Baggili, founder and co-director of the University of New Haven Cyber Forensics Research and Education Group. “They can’t see you, they can’t hear you, but the hacker can hear and see them, like an invisible Peeping Tom. A different layer of privacy has been invaded.”
The team also created a video showing just what deleterious effects the exploit could have wrought on users if they didn’t find it and report it first.
Thankfully, what could have been a disaster for the platform’s users, which use the app both as a virtual desktop and shared viewing platform, was averted before any harm could be done.
“Working alongside security researchers and our internal security & QA practices will help us stay ahead of malicious hackers,” Shankar told Road to VR.