Several models of Virtual Reality viewers, from brands such as Meta, HTC and PlayStation, present cybersecurity vulnerabilities that expose their users to privacy issues and cyber attacks when they use the voice commands.
This has been discovered by researchers from the Universidad Rutgers-New Brunswickfrom the United States, who have published their ‘Face-Mic’ study, in which they have analyzed the security features surrounding voice commands in headsets.
Due to the presence of different motion sensors on these devices, cybercriminals can detect small facial movements associated with speech to access the contents of voice commands.
Researchers have demonstrated the existence of the vulnerabilities from a attack known as ‘eavesdropping’that is, in which the attacker secretly listens to the victim.
“Face-Mic can derive sensitive information from the user’s visor from four conventional Virtual or Augmented Reality headsets, including the most popular: Oculus Quest and HTC Vive ProYingying ‘Jennifer’ Chen of Rutgers University-New Brunswick told study author.
Researchers have studied three types of vibrations that these types of devices tend to pick up, including facial movements, vibrations in the air and bone vibrations, that is, through the bones. The latter, in particular, allows knowing the user’s gender, identity and speech information.
This is an attack that affects both high-end viewers and those made of cardboard, and allows this information to leak without your permission or knowledge.
While access to audio and microphone content is often properly protected by viewer manufacturers, these bone vibrations, picked up by sensors such as the accelerometer and gyroscope, do not require the user’s permission to authorize your access.
Through these ‘eavesdropping’ techniques, attackers can learn what voice commands the victim usesor what you type in cases where the viewer has a dictation function.
This vulnerability exposes leak of sensitive information such as credit card numbers, account passwords or telephone numbers, among others. Other compromised information may be the user’s gaming preferences and purchases.
The full Rutgers University-New Brunswick study will be presented in March at the annual International Conference on Mobile Computing and Networking.
Its authors have claimed that intended to increase overall visibility into security issues of virtual reality viewers, enabling safer designs against the information revealed by bone vibrations, as well as allowing these devices to access more biometric information such as breathing and heart rate.