Press Release
Day: 12 April 2019
What are the dangers of virtual reality? FIT student helped American scientists to uncover insufficient security
Man-in-the-room. This is the name of a virtual reality threat newly discovered by three members of a research team at the University of New Haven in the United States of America. One of them was a student of the Faculty of Information Technology of BUT, Martin Vondráček, who was at the Connecticut university as a part of his internship abroad. Apart from this entirely new threat, the experts also discovered a number of other deficiencies in applications allowing people to spend time with their friends or hold business negotiations in virtual reality.
The Bigscreen application allows users to connect to other people from all over the world in a virtual reality and, for example, watch a film together, sit around a virtual campfire or conduct negotiations in a non-existent meeting room. According to the data from the company, the software is used by over half a million people all around the world and, apart from being a form of entertainment, it is also quickly turning into a business tool. This was one of the reasons why the team of Ibrahim Baggili from the University of New Haven focused on the safety of virtual reality and security of the above application. Furthermore, they also examined the Unity platform.
It was because of participation in this unique project of American researchers who have decided to test the security of virtual reality that Martin Vondráček from FIT BUT came to the University of New Haven. "It is the long-term focus of Doctor Baggili's team to test new and popular applications used by a large number of people. In the past, for example, they examined the security measures used by the WhatsApp service. Recently, they took notice of the growing popularity of virtual reality applications. Users start spending up to several hours a day in virtual reality, furthermore, it no longer serves just for entertainment but also to conduct business negotiations or meetings. The use in enterprises is especially problematic in terms of security as we are talking about possible leaks of sensitive information and so on," clarified Vondráček.
Together with his colleague, Peter Casey, they were tasked with discovering possible weaknesses of the Bigscreen application and finding out ways to abuse it. "The problem is, the virtual reality application market is presently very competitive. Companies try to put new functionalities on the market as soon as possible, they do not have much time to test them," added Martin Vondráček.
But he admits that the exploitability of the application was surprising even for him. "Honestly, I was shocked. I was shocked by what we were able to find and the immense impact our findings could have. Initially, we just wanted to find out what we can learn about private communication. The first goal was to determine who interacted with whom. But then we found out we were able to learn what private rooms are running in the application. Not only that, we were able to connect to these hidden room. We were even able to access the specific computer running the application," noted the young researcher. In practice, this means that the attacker is able to access the computers of the application's users and, for example, install malware on them without the owners' knowledge.
Furthermore, the researchers have discovered an entirely new type of threat called Man-in-the-Room. They were able to gain access to private rooms and see everything that is going on inside without being seen. The researchers were able to eavesdrop on private conversations and sensitive business information while the other participants were none the wiser. "The hardest thing to grasp was that something like this was even possible. Doctor Baggili got an idea to test if it is possible to invade virtual space. We took inspiration from the Man-in-the-Middle network attack where two participants to a conversation think they communicate directly with each other but there is a third party between them who can influence the conversation," described Vondráček while also stating that figuring out how to perform the attack meant three months of continuous work. "The hardest part is the very beginning, until you come up with something. Until then, you are just testing, searching and experimenting. It is like looking for a needle in a haystack without even knowing if there is any needle in the first place," said Vondráček.
According to him, the findings are made even more serious by the fact that regular users do not have many ways to defend themselves. "We downloaded the application from the official site. This means that regular users do not have many means of defending themselves. Despite this, it is still advisable to follow the standard procedure and have all available updates, have a functional antivirus software and be cautious," concluded Vondráček.
But in the end, users may breathe a sigh of relief. The researchers approached Bigscreen and Unity with their findings and negotiated a prompt fix of the security issues. The updates should already contain new security elements. "Naturally, we cannot guarantee that the system is absolutely flawless as we did not perform another analysis after the application was updated," pointed out Martin Vondráček who is currently writing his diploma thesis on the procedure employed during the security analysis. He also co-operates with his American colleagues on a scientific article addressing the same topic. At the same time, he also contemplates enrolling in Doctoral studies during which he would like to continue in his co-operation with the University of New Haven if given the opportunity.
TRAINEESHIP ABROAD
Irreplaceable experience. That is how Martin Vondráček evaluates his traineeships abroad. Before his research stay in New Haven, he had twice the opportunity to study abroad through the Erasmus+ programme; he chose universities in Malta and South Wales. "Nothing can replace studying or working in a completely different environment from the one you are used to," said Martin Vondráček. That is why he started looking for other interesting opportunities for studies, work or research last year. "At the faculty, I got a very useful tip regarding possible co-operation with the University of New Haven. Unfortunately, the university has no official agreement with BUT but I was able to agree with them on a practical traineeship and to secure funding from the Freemovers programme at the faculty," Martin Vondráček recalled. Ultimately, he spent three months at the University of New Haven. "In addition to computer security, the research team also benefited from my expertise in the field computer networks. At the same time, I improved my network traffic analysis skills and gained valuable experience in many other areas," Martin Vondráček concludes.
Author: Kozubová Hana, Mgr.
Last modified: 2020-06-26 14:52:01