Augmented and Virtual Reality, a new field for hackers

22/05/2016 romain

Augmented and Virtual Reality, a new field for hackers

This is a follow up of my last article on virtual reality and augmented reality

In the last article I kept aside several topics: physical, medical, psychological arm and legal framework. This time, I would like to asses them to provide a holistic analysis of the cybersecurity threat.

  • Physical security. Possibility of injury due to lack of balance or walking in a wall.
  • Medical risk. Risk of eye strains due to focusing on intense lighting from close distance.
  • Psychological arm. The risk of perception disorder in the cognitive process.
  • Legal precariousness. The gap between legal framework and technology revolution. The battle of Disruption versus Precedent. This led to unreal situation, FBI vs Apple, driverless car responsibility, drone’s regulations.
  • Hack, Theft and IP ownership. Ensure the integrity and ownership of objects, assets and transactions

Physical safety and Medical risk

With a head mounted display (HMD) in VR case, the user feels immersed and loses sense of his habitat. Humans have a field of view of about 200 degrees. To create a sense of immersion, HMD needs to achieve 60 degrees or more. At this point, humans feel submerged and engaged in the Virtual Environment.

But this immersion comes with side effects. The user can feel off balance or dizzy due to the lack of natural line of horizon. He can walk into walls, furniture or worse (ongoing traffic, manhole, …).

How can we reduce this risk?

Create a merged virtual reality environment with see-through capabilities. A way to change the opacity of the VR scene depending on the user situation and create a safe experience. It would create a line of horizon to overcome lightheadedness and imbalance side effects.

Augmented and Virtual Reality article - Unsplash.com - 6-min

Medical skeleton

Could a hacker get into General Motors cars and mess with the heads up displays?

The heads up display allows the driver to have access to information related to the road. The display used is the windshield where the car and road information show up. This allow the environment and the information to merge into an augmented reality experience. Per example, once the car scans a speed limit sign on the road side, it will include it in the display. BMW has a similar technology on its series 7. The night vision with pedestrian detection recognizes human and animal in the dark. Both solutions add a level of safety and comfort to the driving experience and I consider them a part of the AR world.

Let’s imagine for a moment a hack that will change the information displayed. You drive on the road; the system scans a speed limit signal of 30 mph but shows a 50 mph limit on the heads up display. Or you drive at night on the interstate and the compromised system displays animals but not humans.

What happens when you get in an accident caused by speeding or running over someone jogging at night?

Augmented and Virtual Reality article - Unsplash.com - 5-min

Jeep Wrangler

These technologies are assistances therefore we should treat them as such. The responsibility remains with the driver. But a group of hackers proved that they could control a Jeep over the Internet. At this point, physical safety of Augmented Reality in cars is a viable concern.

Picture another scenario, this time instead AR on a heads up display we will use VR with HMD. VR could transform several industries including cybersecurity. Today when we track our clients’ infrastructure, we use a room full of screens. These screens show layers of our clients’s infrastructure and run our active monitoring tools. I picture my industry’s future when we replace the expensive monitoring room with HMD.  Using VR and HMD, the monitoring environment could change according to the situation.

But this scenario could fail in the same way as the car heads up display. A hacking group, aware that we are monitoring their target, could hit us before by injecting a virus in our VR monitoring environment. This to mask abnormal readings during their upcoming attack.

This could be the birth of antivirus for IoT, cars, HMD, heads up display and more.

Let’s put aside the addiction aspect of escaping reality using virtual environment. Every time I tried a head mounted display, I felt an eye strain after just a few minutes of usage. Also the weight of the device is tiring for my neck and shoulders. The intense lighting on close displays is hard for my eyes to focus on. Besides, I would like to be able to wear glasses while wearing HMD to reduce the eye strains.

My concern is seeing the rise of physical attack vectors using sensory overload. Creating GIF images flashing lights at certain frequencies to create epileptic seizure. Could a malware insert frames into the HMD display to affect your behaviors? A subliminal priming using some visual stimuli.

Here is the root for another security product. The same way industrial screens need calibration to ensure colors authenticity. A screen security sensor to detect inserted frames, lights frequency and other harmful.

Legal framework – Disruption vs. Precedent

Technology has always, by its nature, disrupted the law. AirBnB, Uber, personal drones, blood testing technologies being a few recent examples.

Without putting the concept of precedent in jeopardy,I am not sure the idea of using an earlier event as guidance to act in similar situation can work on technologies. Also lobbying is not the solution. Silicon Valley has a history of pushing their visions and interests forward.

Assuming the legal model will always be a step behind technology. Is it time to reconsider the legal structure around the disruptive tech model?

Montesquieu wrote ‘The spirit of the laws’ where he defines three main political systems. He describes the principles that motivate individuals in each political system.

In a similar spirit, why wait for an international legal framework for VR environment. Could we agree on a manifesto everyone will be accountable to?

We could use natural laws as inspiration for these Virtual Reality laws. Thus the moral/ethic rules of real life must be applied onto the VR counterpart.

I would favor the creation of a task force composed of technologists, MBA’s and legal experts. Their goal would be to suggest legal framework to fit theses upcoming business models and tech.

Meanwhile, what are our options to decide what is right and what is wrong. We can rely on the Terms and Conditions of any given solution provider. But then what happens when a private company creates a virtual world regulated by its own set of laws.
Corporations will have to choose between Monarchism and Despotism. Between the love of honor and the fear of the ruler.

Augmented and Virtual Reality article - Unsplash.com - 2-min

One key point I would like to address on the legal and Virtual Reality subject is IP and assets ownership. Can we create a universal way to ensure the integrity of someone belongings?

This means protecting the assets from corruption or theft.

The use of block chains to exchange currencies is trendy for the past 3 years. To protect ourselves from IP and assets theft we can create a distributed ledger using block chains. Therefore, any transactions would inherit the benefits of Bitcoins currency. In addition to a universal ledger, every object, commodity, property could carry its own proven checksum. In case of alteration, the checksum being incoherent, a procedure of restoration would start.

Google trends of the word "Block chain"

Google trends of the word “Block chain”

Impersonation

The need to create an avatar or virtual identity goes hand in hand with the need to secure these identities. During any transactions, the need for authenticated parties is essential. You can’t imagine exchanging personal information nor buying goods from an unconfirmed entity. Creating an avatar that includes your biometrics is crucial. An avatar that would represent you for all your VR activities, gaming, educational, traveling.

VR will become a new vector for social engineering.

But this raises a new concern, the safety of your avatar. In June 2015, the OPM (US Office of Personnel Management) was the target of a data breach. The breach included individual information, fingerprints, date of birth, age, race and much more. Biometrics experts say that because of the leak, secret agents will no longer be safe. Their stealth and cover persona vanished as they cannot change their fingerprint.

Augmented and Virtual Reality article - Unsplash.com - 4-min

Privacy

To produce an immersive experience, the VR/AR device’s sensors needs to collect environmental data . This data is diverse, GPS, accelerometer, temperature, video and audio feeds.

After the Ashley Madison data breach, concern about personal information increased in general population. In an “anonymous” dating app relying on HMD gears, how can we ensure someone’s privacy. At this point, it is not only a set of username and password that could end up online. But the entire environmental meta data of the users of the service. Nothing would stop a stalker from walking to your door using your GPS data.

Augmented and Virtual Reality article - Unsplash.com - 1-min

 

, , , , , , , ,

romain

Romain Tordo is an Infrastructure Architect and Cybersecurity Expert. He founded his IT consultancy firm in Dubai. Romain has 7 years experience as CIO and CTO for two multinationals. Prior to that, he was Head of R&D for a startup in France. Romain works closely with several non-profit organization as mentor, advisor or founder – Emirates Foundation, Jusoor Syria and Coins Cause Change More information about his firm can be found on romaintordo.com or his profile on linkedin.com