Meta Inc.’s $499 virtual reality headset is vulnerable to ‘Inception-style’ hacking attacks, allowing criminals to take control of the headset and steal sensitive information without the user’s knowledge, according to a study Make it.
Last week, computer science researchers at the University of Chicago published an academic paper describing how flaws in Meta Quest VR’s security system could be exploited to carry out sophisticated attacks.
The researchers created a malicious app that installed code on the VR system, making the replica home screen look identical to the original. According to MIT Technology Reviewfirst obtained the study.
Researchers have compared the attack to the plot of the hit 2010 sci-fi action thriller “Inception,” in which Leonardo DiCaprio played a thief who steals information by penetrating his victims’ subconscious minds.
Once the malicious code is installed, the hacker can see, record, and manipulate any actions you can perform using your headset.
Hackers can effectively control key functions such as voice, gestures, keystrokes, and browsing activities.
“While users think they are interacting normally with various VR applications, they are actually interacting within a simulated world where everything they see and hear can be intercepted by an attacker. , relayed, and possibly modified,” the researchers wrote in the study. .
According to the researchers, this means that a VR user chatting with a friend could have their messages intercepted and manipulated based on a hacker’s wishes, without the knowledge of either chat participant. It means.
In another example, a hacker was able to see when a user entered login credentials into a bank account. They were then able to manipulate the screen and manipulate the bank balance so that it displayed the wrong numbers.
In the experiment, a VR headset user tried to pay someone $1 through the headset, but the researchers were able to change the amount transferred, resulting in the user paying $5 without the user knowing.
Researchers said the attack could only occur if the hacker was using the same WiFi network as the target.
Headset users are vulnerable to attacks if they put their devices in “developer mode,” which allows them to download third-party apps.
Experts recommend that people purchasing headsets protect themselves by restoring their devices to factory settings and removing malicious apps.
“We always collaborate with academic researchers as part of our bug bounty program and other initiatives,” a Meta spokesperson told MIT Technology Review.
Meta’s VR headset is part of a multibillion-dollar investment in the Metaverse, a virtual three-dimensional world where avatars interact with each other.
Meta introduced the Quest 3 headset in October, but the company’s Reality Lab division, which developed the device, posted an operating loss of more than $4.6 billion in the fourth quarter of 2023.
The company said it expects Reality Labs’ losses to “significantly increase year-over-year” due to AR and VR product development and “investments to further expand our ecosystem.”
Mehta did not respond to requests for comment.
