VR Headsets - What you need to know - Cribb Cyber Security

Technology is redefining our view of reality. Recent advances in VR, AR and AI have begun to change how we live and work. From online workspaces to gaming, social media and healthcare, new virtual worlds are being formed. Meta (formerly known as Facebook) has made waves early in the VR space with its “metaverse”. This is an immersive version of the current internet accessed through VR headsets. Included in this are additional tech players such as Google and Microsoft. Is the new tech finally up to the challenge? Will VR headsets and AR glasses catch on?

Privacy

VR Headsets contain both cameras and microphones which collect lots of data about you and your home environment. To use the device, you’re still required to have a Facebook account (unless you purchase the business version). Privacy is therefore a key consideration. Does Facebook have your best interests at heart when it collects all the data this device holds? It is important to note that these devices do not come with data privacy included.

Security

Delivering security within Oculus for Business solutions starts within the headsets themselves. Data is encrypted at rest on the headsets using AES-256 XTS. If so desired, administrators can also lock each headset with a PIN. Data transmitted between the headsets and backend servers is encrypted with the industry-standard TLS 1.2 and TLS 1.3 protocols. Beyond the headsets’ built-in security, Oculus has created two core elements to ensure their secure deployment and operation. The first element is a mobile device setup app, and the second is a device manager web portal. To initiate a deployment, administrators with credentials log in to the device setup app. This app connects to each VR headset over Bluetooth, validates the licence and then initiates an over-the-air software update.

Mobile devices and PCs can administer the settings of the Oculus and can also ‘Cast and Stream’, which lets them stream what is seen through the headset. This DEMANDS assurances that your mobile device or PC is appropriately secured. The mobile device or PC and the headsets all retain personal and sensitive information. Therefore, appropriate access controls should ALWAYS be applied. Just as your mobile devices and PCs require passwords, the same applies to the Oculus headset. The headset relies on pattern recognition access, enabled through: Oculus > Apps > Settings > Security. If forgotten, the pattern can be retrieved through the connected mobile device app or PC app.

Security features included on the Oculus VR platform

  • Two-factor authentication (2FA, a second form of identification such as a code sent to a mobile device)
  • Device encryption (data stored on Oculus VR devices is encrypted to protect it from unauthorised access)
  • Automatic updates (the Oculus VR platform automatically updates itself to ensure that users are protected against the latest security threats)

Additionally, Oculus VR has a dedicated team that works on security and safety. They focus on identifying, tracking and mitigating any potential security threats to the platform. However, like any other technology, the security of the Oculus VR platform is not foolproof. Users should still be cautious when using the platform. They should be aware of potential risks such as phishing attempts, malware and other cyber threats.

Remember, the headset requires wireless or direct link connectivity to your mobile or your computer. As such, it is recommended that you follow the UK’s Cyber Essentials certification standard. This was established by the NCSC in part to secure connected devices that reside in businesses.

Update on ‘Jailbreaking’

This is the term given to the process of removing software restrictions imposed by a manufacturer on a device. One example is where many users install software not available from an official app store. This software could critically compromise the device.

According to certain resources, login issues with Facebook have left some VR headset users with a headset that wouldn’t work. Other users have seen their Facebook accounts banned because they were not ‘in good standing as decreed by… Facebook’. It is important to note that if you deactivate your Facebook profile, this can also disable your Oculus profile. Thus, your Facebook account would be deleted and you would lose all games, purchases and progress.

Now it seems that hackers have been trying to ‘jailbreak’ too. This is to gain root access and therefore have superior privileges over the headset.

Present Vulnerabilities

Researchers at Rutgers University-New Brunswick have published “Face-Mic”, the first work on “eavesdropping attacks”. These involve voice command features on VR headsets leading to major privacy leakages. The research shows that hackers could use popular headsets with built-in motion sensors to record subtle, speech-associated facial dynamics. They could then steal sensitive information communicated via voice-command, including credit card data and passwords. Common AR/VR systems on the market include the popular Oculus Quest 2, HTC Vive Pro and PlayStation VR brands.

Antivirus; does Oculus need it?

While a traditional virus may not exist on Oculus Quest, malware can, especially on Android and iOS. It is therefore doubly important to install antivirus software on your mobile or PC. This is especially true of those using a VR headset to browse the internet.

How do I enable Oculus with antivirus?

In the settings of your antivirus software, add Oculus as a “Trusted Programme”. Then check to make sure your antivirus software is up to date. Always turn your antivirus software off when downloading and installing content.

Application Sideloading

‘Sideloading’ refers to the process of installing and running unofficial apps on the Oculus VR platform. This can be done by enabling “Unknown Sources” in the Oculus VR settings. This allows users to install apps from sources other than the official Oculus VR store. Whilst certainly useful, sideloading comes with some risks, including:

  • Security risks: Sideloaded apps may not have been vetted by Oculus VR, and may contain malware or other malicious code
  • Compatibility issues: These apps may cause performance issues or crashes
  • Risk of users being banned: Oculus VR has a clear policy of not allowing sideloading

Users still wishing to sideload apps on their Oculus VR platform should exercise caution and only use reputable sources. They should also be aware of the risks and understand that Oculus VR will not provide support for sideloaded apps.

Health & Safety

Keeping people safe in the virtual reality environment is the key priority. Oculus has provided comprehensive warnings about its products since they were launched. The warnings advise that VR products should not be used by children under the age of 13. This is due to the fact that VR headsets provide an unrestricted view of the internet. Restrictions can be applied through the Oculus mobile app, however. Parents can access a “Parent Dashboard”, which allows them to link to their child’s account. Another option is to deploy ‘Cast and Stream’, enabling them to stream what the headset user is seeing.

It is important for users to be aware of the potential health risks associated with using virtual reality technology. These include motion sickness, eye strain and headaches. To minimise these risks, Oculus VR recommends taking frequent breaks and adjusting the settings to their individual comfort level. Users should also be aware of their surroundings and the risk of tripping or falling over. They must use the equipment in a safe environment and not while operating heavy machinery or driving.

Investigations by the Centre for Countering Digital Hate (CCDH)

The UK data watchdog is presently in talks with Meta over child protection concerns. One investigation carried out by the CCDH pointed out the detection of multiple abuses in VR Chat. Several cases have even been investigated as alleged child abuse crimes, with sexual violence charges then occurring.

Lens IPD (Inter-Pupillary Distance)

Although researchers have advised that VR headsets may cause eye problems, there is no evidence of long-term damage to date. Setting up the Oculus correctly is nonetheless vitally important for your visual health and for overall quality of use. This is where the inter-pupillary distance becomes a key consideration. It is the distance between the centres of the pupils and is common knowledge to people who wear reading glasses.

To avoid eye strain whilst also achieving the best image clarity, the Oculus lens spacing should line up with your IPD as closely as possible. Oculus Quest 2 headsets best accommodate IPDs between 56 and 70 mm, using three lens settings. If you are unsure of what your IPD is, you can visit an optician or obtain the ‘Eye Measurement’ App.

Lens spacing setting by IPD range:

  • IPD 61 mm or smaller: setting 1 (narrowest, 58 mm)
  • IPD 61 mm to 66 mm: setting 2 (middle, 63 mm)
  • IPD 66 mm or larger: setting 3 (widest, 68 mm)

Read this interesting article from How-To Geek on how to measure your IPD.

Enable Passthrough

The Oculus Quest 2 has a handy safety option known as “Passthrough”. This feature allows you to see the real world via the headset’s cameras whenever you step out of the virtual play area or double tap the side of the headset. To enable this, go to: Quick Settings > Settings > Guardian and then turn on “Double Tap for Passthrough”. Now you’ll have an easy way to check on any children, pets or objects that might be nearby without having to take your headset off or break up the flow of your activity.

Maintenance

Oculus VR regularly performs platform maintenance to ensure smooth running and to fix any issues that may arise. During this time the platform may be unavailable, and users may not be able to access their apps or games.

Oculus VR typically schedules maintenance at times when usage is at its lowest, such as overnight or on weekends. They usually announce the maintenance schedule on their website or social media channels.

Users should also take steps to ensure smooth operation, including:

  • Keeping your device updated
  • Regularly cleaning your device (dust and debris can accumulate in the device and cause overheating)
  • Freeing up device storage if it is full
  • Restarting the device on a regular basis

‘VR Headsets – What you need to know’ was written by Patrick J Carolan. Patrick is Technical Director and International DPO at CRIBB Cyber Security. He is also a fully accredited penetration tester and VR Headset aficionado!