Virtual Reality Security

*This article was published in contribution to the new frontier of Intelligent Reality (IR). Click here to learn more about the 2022 IEEE 2nd International Conference on Intelligent Reality (ICIR).

Virtual reality, and related technologies like mixed reality and augmented reality, has received a lot of attention in both mainstream and technical media. Whether covering a new VR headset, some other type of VR device, or AR glasses, the conversation quickly gets into nuances of technology and design. Unfortunately, one topic that is rarely discussed is security.

Virtual Reality and Augmented Reality pose some unique security challenges, ranging from the usual security vulnerabilities of any electronic device, to the possibility of physical harm and the potential to leak highly personal and sensitive information. This goes well beyond the typical scope of cybersecurity and the normal work of security professionals.

This article will discuss each of these areas, and how they apply to AR/VR headsets and VR technology in general. We’ll also look at the reality of the current state of security in virtual reality and provide some suggestions and tips for good security and how to best stay safe when using virtual reality.

Security threats lurking behind virtual reality

The risks of data theft and other types of cyber attack in virtual reality are quite real. A VR headset is essentially just another type of computer or IoT device, and a VR experience is simply a software application. That means that any virtual reality system is subject to the same weaknesses as a computer, tablet or phone, or any of the IoT devices we are surrounded by. Typical cybersecurity concerns and types of cyber threat are applicable and should be anticipated. Cyber criminals are just as able to mount attacks against a virtual reality headset as any other type of computer. Such attacks can result in a data breach leading to identity theft, the stealing of personal information or network credentials, damage to hardware and software, and many other issues.

It is also important to consider that a VR headset is just one link in a chain of connected pieces. Most virtual reality headsets connect to some form of content marketplace to download software applications. Bad actors can, in principle, attack the market, an application, or the virtual reality device itself.

But Virtual Reality presents some other rather unique opportunities for the aspiring cyber criminal.

Personal information takes on a whole new meaning in cyber space. A virtual reality system has to track a user’s movements as they interact with a VR experience in order to function. However, what most users may be unaware of is that their movement is as unique as a fingerprint. If a company or bad actor were to collect and analyze that movement data, they would potentially be able to uniquely identify the user at any time, without their consent. Furthermore, a cyber criminal may also be able to use that movement data to reliably impersonate a user. And that brings us to another cyber challenge that is unique to virtual reality: identity.

By its very nature, everything in virtual reality is virtual i.e. not real. In the real world, a person has many clues they can use to determine if an environment is safe, if a person is who they claim to be, and if a situation is what it appears to be. In virtual reality, all of that can be, and is, faked. Even if the intentions are honorable, what the user experiences is not real. Imagine walking into a virtual bank and engaging in a virtual transaction. Real money is changing hands, but how can you be sure that the bank, the teller, or the transaction record are “real”? The simple answer is that you cannot be certain. This is a significant cybersecurity challenge that, to date, does not have a good solution.

In addition to the challenges of identity, both virtual reality and augmented reality provide opportunities for social manipulation and social engineering, such as distorting an AR user’s perception of reality.

Last, but certainly not least, are the types of cyber threat that can only occur when the lines between the physical world and the virtual world are blurred. While not as seemingly extreme as the attack potential of taking control of a completely autonomous truck, very real harm can be caused by a virtual reality experience. There are many examples of VR-induced motion sickness, especially with earlier generation VR headsets. This has been reduced by improved hardware. However, it is entirely possible to create a virtual experience that will trigger disorientation and nausea. It is entirely plausible that a bad actor could create a cyber threat that re-writes part of a VR experience, or otherwise plants an “easter egg”, in order to trigger nausea in the user. While Augmented Reality users are less susceptible to motion sickness, it could be used to maliciously impair a user’s focus or their awareness of the world around them.

Smartphone-based Augmented Reality is currently by far the most used form of AR, and it is how most people gain their first AR experience. Most of the available applications are for entertainment purposes. Despite this, many of them, such as SnapChat, incorporate surprisingly sophisticated AI.

However, more serious use of AR is on the rise. Industries using augmented reality include a broad range of manufacturing companies, from aerospace to automobile manufacturing, and an increasing number of service industries, from elevator maintenance to healthcare. Other growing areas include construction, oil and gas, retail and the military. Almost all are exploring the ways that AR and AI can work together to provide humans with augmented intelligence.

A related type cyber threat is the ability to embed non-appropriate experiences in an existing VR application. Imagine an experience designed for children that has an adult-level horror experience hidden in one of the otherwise innocent looking props. This may seem far-fetched or unlikely, but if there is one thing we know from the history of the internet it is that anything obnoxious or unpleasant that can be done, will be tried at some point.

How security issues in virtual reality will be addressed

At a minimum, anyone using VR technology, AR/VR headsets, or XR technology in general should follow the principles of basic cybersecurity hygiene. Whatever the type of reality you are in, augmented reality, or virtual reality, the risks are very real. Be aware that privacy risk is just as real in augmented reality and virtual reality as it is in real life. Be cognizant of the potential for identity theft, either directly or indirectly e.g. via data from motion sensors. And be cautious in sharing personal information, especially when in new environments.

Some standard tools, like a VPN, may help improve your overall security, but they may not help address some of the challenges that are more unique to virtual reality. It’s also important to be aware of the ability for AR/VR devices to distract and disorient the user.

The reality is that XR technology is an emerging area and much is currently unknown. Cybersecurity experts have started to pay more attention to virtual reality and augmented reality, but much work remains to be done.

Security principles for virtual reality

There are some essential principles and best practices for safety and security in virtual reality and augmented reality that all users should be aware of. There are also multiple groups within the field of computer science who are actively researching the security of immersive technology, which will undoubtedly lead to new guidelines and best practices. In general, it is a good idea to follow the typical cybersecurity practices that would apply to any computing device, although as already discussed, there are some unique aspects to augmented reality and virtual reality that require further consideration.

Again, it is worth reiterating that everything that is generated in virtual reality, and the artificial components in augmented reality, can be faked. The media has been full of examples of deep-fake technology. It is now easy to create highly believable audio and visual representations of people without their consent. This is especially true in the world of XR technology. Some researchers have proposed the use of blockchain technology to help address these and other related challenges unique to the virtual environment.

An integral part of any approach to cybersecurity is data privacy, especially as it relates to personal data. Multiple industry groups are actively pursuing guidelines, standards and regulation in this area.


Tips: How to stay safe when using virtual reality systems

It’s a simple fact that almost no metaverse regulations exist. It’s a rapidly evolving landscape, and like any new technology, virtual reality, augmented reality and mixed reality can be used for good or bad purposes. There are serious ethical and privacy implications implicit in the technology that have not yet been addressed in a meaningful manner.

Any individual using a VR headset and experiencing VR technology should try to follow the common sense cyber guidelines listed below. These steps can help individuals stay safe when using VR systems.

  1. Keep your device up to date and apply firmware updates and security patches as they become available.
  2. Keep your application software up to date.
  3. Consider using a VPN when online.
  4. Always use caution when installing applications from unknown sources.
  5. Be careful when disclosing personal information of any kind.
  6. Be particularly cautious in new environments.
  7. Take additional steps to verify the identity of other users you interact and share data with.
  8. Review privacy policies to understand what data is being collected and how it will be used.

Virtual reality is becoming more commonplace, and VR use is increasing. From VR game experiences, to VR training and immersive learning, new uses are continually being found. As the cost of a VR device continues to fall, virtual reality headsets will find their way into many new applications.

A classic challenge experienced with some early virtual reality systems was motion sickness. While some people do have an increased susceptibility for motion sickness that can be triggered by VR, true VR motion sickness is largely caused by a disconnect between what the user’s brain perceives and the visuals they see. For example, walking around in a 3dof VR headset will quickly induce a sense of discomfort, as will using a VR experience that has significant lag. Extreme angular acceleration coupled with a wide field of view can also trigger nausea. However, most modern virtual reality systems no longer suffer from this problem. AR technology and AR applications are far less susceptible to motion sickness as the user is always anchored in the real world. While the augmented graphics may appear to float, breaking the immersive experience, the real world continues to be perceived correctly and nausea is not triggered.

Another often overlooked danger from virtual reality is the danger of actual reality. When enjoying a VR game, it is very easy to lose your sense of position in the real world. Many minor injuries have been sustained by users playing a VR game and tripping over furniture, bumping into walls, or even accidentally smashing their TV. All of this can be avoided by ensuring you have a clear, open space within which to explore your VR experience.In conclusion, our ability to add to or replace actual reality is an exciting and rapidly growing field. But like any new territory, it is wise to be cautious and learn from the lessons of the past.


2022 IEEE 2nd International Conference on Intelligent Reality (ICIR)

 Want to learn more about Intelligent Reality? Why not register to attend IEEE's International Conference on Intelligent Reality (ICIR). The IEEE International Conference on Intelligent Reality aims at identifying the challenges and opportunities inherent in deploying intelligent tools and interactive disruptive technologies into immersive environments. It provides a forum for leading researchers, industry professionals, and standards experts to share their research findings and ideas.