Meta Quest: Hack attack like in the movie “Inception” exposes all data

by admin

In Christopher Nolan’s famous film “Inception”, the hero, played by Leonardo DiCaprio, penetrates his target’s dreams to steal information from their brain and insert false memories into their subconscious. A new attack on virtual reality headsets from Meta works in a similar manner. University of Chicago researchers have demonstrated a security flaw in the company’s Quest VR system that could allow cybercriminals to hijack the devices, steal sensitive information and – using generative AI – even manipulate social interactions. The attack has not yet been used in the wild and the hurdles to implementing it are relatively high, as an attacker would have to gain access to the Quest user’s WiFi. However, the method is extremely sophisticated and shows what such crimes could look like in the future.


In the “Inception Attack,” the attackers first create an app that injects malicious code into the Meta Quest operating system and then launches a clone of the VR system’s home screen and apps that looks no different from the originals. Once the attackers have penetrated the system, they can see, record and modify everything the person does with the headset. This includes the user’s voice input, gestures, keystrokes, browsing activities, and even social interactions. The attacker can even change the content of a user’s messages to other people. The research, which was made available exclusively to the US edition of MIT Technology Review, has yet to undergo peer review. A spokesperson for Meta said the company plans to “review” the study. The company regularly works with security researchers as part of its bug bounty program “and other initiatives”.

While VR headsets are becoming increasingly popular, security research in this area has clearly lagged behind product development. Protective measures, especially in the popular Meta models, still seem to be inadequate; the more expensive Vision Pro from Apple does not even pass on certain sensitive data to apps. Additionally, the immersive nature of virtual reality could make it difficult for people to realize that they have fallen into such a trap. “The shocking thing is how fragile today’s VR systems are,” says Heather Zheng, a professor of computer science at the University of Chicago who led the “Inception Attack” study.

Their attack (on the Meta Quest 2, 3 and Pro) exploits a kind of backdoor in the Quest VR system: users must activate the so-called developer mode in order to download third-party apps, adjust the resolution of the headset or take screenshots of content. Developer mode allows remote access for debugging purposes. However, this access can be abused by malicious actors to see how a user’s home screen is designed and what apps are installed. With this information, the attacker can replicate the victim’s home screen and applications. Alternatively, attacks are also possible if criminals have physical access to the headset or users download apps that contain malware.

Once injected, the “Inception Attack” activates as soon as unsuspecting users exit an application and return to the home screen. The attack also captures the user’s screen content and microphone recordings, which can be livestreamed back to the attacker. This allowed researchers to see when a user entered their login details for an online banking website.

Then they were even able to manipulate the user’s screen to display a false account balance. When the user tried to transfer one US dollar to someone using the headset, the researchers were able to increase the transferred amount to five dollars without the user noticing. This is because the attacker can control both what the user sees in the system and what the device sends to the Internet.

The online banking example is particularly striking, says Jiasi Chen, an associate professor of computer science at the University of Michigan who researches VR. The attack could also likely be combined with other malicious tactics, such as tricking people into clicking on suspicious links. Social interactions can be manipulated as well: the security researchers also cloned Meta Quest’s VRChat app, which allows users to communicate with each other via their avatars. They were then able to intercept users’ messages and modify or respond to them at will.

Generative AI could make this threat even worse, because it now allows anyone to clone people’s voices and create visual fakes that malicious actors could then use to trick people in their VR interactions. To test how easily people can be fooled by the “Inception Attack,” Zheng’s team also recruited 27 volunteers, all VR users with long experience.

Participants were asked to explore applications such as the VR game “Beat Saber,” in which players control lightsabers and try to destroy music beats flying at them. They were told that the study aimed to explore their experiences with VR applications. Without their knowledge, the researchers launched the attack on the volunteers’ headsets.

The vast majority of participants did not suspect anything. Out of 27 people, only 10 noticed a small “glitch” when the attack began, but most of them dismissed it as a normal delay in the network. Only one person reported any suspicious activity.

A basic problem emerges: When you enter virtual reality, there is no way to authenticate what you see. The immersiveness of the technology makes people trust it more, says Zheng. This means that such attacks could be particularly effective, says Franzi Roesner, associate professor of computer science at the University of Washington, who deals with the topics of security and data protection on the Internet.

The best defense so far, Zheng’s team found, is simply restoring the headset to its factory settings to remove the attacker app. The “Inception Attack” offers attackers many different ways to break into the Quest VR system and deceive people, says Ben Zhao, professor of computer science at the University of Chicago, who was part of the research team. For now, however, the spread of the technology is still relatively limited. “Accordingly, there is still time to develop more robust protective measures,” said Zhao.

