Martin Vondráček, a student of the Faculty of Information Technology at Brno University of Technology, had already dealt with online security in his bachelor's thesis, in which he developed a tool to improve the security of home Wi-Fi networks by automatically detecting their weak spots. During his master’s studies, he took an opportunity to study at the University of New Haven in Connecticut, USA, and made the most of it.
Imperfections of modern technologies
During his three-month stay in the team of Ibrahim Baggili, he dealt with the security of virtual reality and Bigscreen. This app is used to protect the security of meetings that range from a virtual campfire to business negotiations in a non-existent conference room containing 500 thousand people all over the world: “For a long time, Dr. Baggili’s team has been focusing on new, popular apps used by a great number of people, and it’s investigated the security of the WhatsApp service as well. Recently, they’ve noticed that virtual reality apps have been growing in popularity, as their users spend up to several hours a day there,” says Vondráček on the work of his manager.
“Virtual reality looks like something new and pretty cool, but the truth is that it’s still a type of computer software and looking for defects in its security is very similar to other computer programs. Some weak spots we’ve discovered aren’t unique to virtual reality but have been emerging in other programs for several years now,” explains Vondráček.
According to Vondráček, the virtual reality market is currently so competitive that some companies are launching insufficiently tested apps. They succeed in being the first to market with a new feature, but it may pose a major security risk. Also, the users don’t have many ways to protect themselves against potential attacks.
Who’s the Man in the Room?
Originally, Dr. Baggili’s team only wanted to investigate what attackers can find out about private communication in virtual reality. During their work, however, researchers managed to get into closed rooms in Bigscreen without being noticed. Potential attackers thus could listen in on other users and even access the computer on which the app was running.
The researchers then coined a new term for a brand new type of threat – Man-In-The-Room. Together with his colleagues, Vondráček has been finalizing an article on this topic and considers continuing with the research in New Haven during his PhD studies.
“The hardest part was to conceive that such an attack would be possible. Doctor Baggili started to wonder whether it was possible to disrupt the virtual space. We were inspired by the Man-in-the-Middle attack when two participants in a conversation think they are communicating directly while there is a third party between them who could influence the conversation,” Vondráček describes the idea the head of the team came up with. It took Vondráček three months to find out how to implement the idea and attack successfully.
The researchers have modified the weak spots of the app, but this surely isn’t the only app suffering from such imperfections, so the team encourages anyone using such technology to remain vigilant!