The Rise of VR and Its Impending Security Risks

When virtual reality (VR) makes it big, what do we have to worry about when it comes to security? Until recently, locking down VR devices hasn’t been much of a concern, as the technology has only been a curiosity without much adoption… not a big target for hackers. For example, primitive and bulky prototype VR devices were being tested in labs as early as 1960, but there were few, if any, computer hackers or even an internet to speak of back then. A bit later in the pre-internet 90s, Nintendo and Sega tried to bring virtual reality to the gaming masses by developing VR platforms and games. However, Sega's system never made it to market, and when Nintendo’s Virtual Boy launched, it flopped due to lack of consumer interest. More recently, virtual reality experienced a resurgence in 2012 with the release of Oculus Rift, and buzz around the technology picked up even more momentum in recent years as tech firms poured billions of dollars into research, development and marketing of VR. Facebook acquired Oculus, Sony developed a VR headset for its PlayStation IV system, and Microsoft worked on HoloLens, an augmented reality headset that layers virtual objects over the physical world. This flurry of activity has led to much hype over the future of this technology, and it looks like adoption is actually taking off this time around in the consumer market. Although adoption is much slower in the workplace, some sectors, such as construction, engineering, retail and healthcare, are more open to adopting VR than others. In fact, Spiceworks’ Future of IT report shows that although only five percent of organizations in the construction and engineering industry use VR today, an additional 27 percent plan to adopt it over the next five years. This is likely because architects and engineers can use VR to visualize a building or product prototype. But with the internet being wrought with potential danger, what might we have to worry about in terms of security and privacy once more organizations adopt the technology?

Virtual reality security and privacy concerns

Like any connected device that’s part of the Internet of Things, some VR platforms will likely be designed without essential security mechanisms. Remember the Mirai malware that made millions of connected cameras part of a botnet? The same could happen to IP-enabled VR headsets. Additionally, communications between VR devices and servers might be sent unencrypted, as was the case with the OpenSim platform, an open 3D application solution being used by the U.S. Army. We all know smartphones can surreptitiously collect information on where we’ve been and when, who we’re talking to, and what we’re interested in. In the future, if VR headsets become ubiquitous, everyday devices (perhaps like a slimmer Google Glass), then someone might be able to track what you’re watching at any time. For example, one day it could be possible for auto insurance companies to deny you coverage if the sensors in a VR device suggest you suffer from slow reaction times. Additionally, remember when a series of flashing strobe lights in an episode of Pokémon caused seizures in hundreds of Japanese schoolchildren? What happens if someone hacks VR headsets and launches a visual attack that could cause adverse real-world reactions? There could be various ways hackers put individuals into harm’s way if desired.

What can be done to make VR safer?

Up to this point, there hasn’t been wide scale discourse among IT professionals around potential VR security issues in businesses. But with the wide array of unique data, privacy and health security risks associated with VR technology, we’ll eventually need to have the conversation to get security right. In the meantime, there are a few precautionary steps organizations can take to improve security of VR devices. For example, before adopting VR or any new IoT technology, companies should examine the track record of the manufacturer and ask questions about whether the device’s firmware and software have been hardened to protect against prying eyes or malicious actors. Additionally, companies might want to wait a bit if there’s no immediate need to adopt VR technology, so the early bugs can get worked out in order to reduce security risks. As with any revolutionary technology, companies, human behavior and the law will have to adapt to keep up with any associated changes brought on by VR. Only time will tell if virtual and augmented reality devices will play a big role in our futures or if they’ll remain in our imaginations and sci-fi movies. Either way, IT professionals and the general public should start considering the security risks and impact of virtual reality now, so we can be prepared if they do become part of our everyday lives.  

Image

About the Author: Peter Tsai is an IT analyst at Spiceworks. Formerly a systems administrator, programmer, and server engineer who has lived IT from the inside and out, Peter now works to serve up IT articles, reports, infographics, and livecasts that inform and entertain millions of IT pros in the Spiceworks network worldwide. You can follow him on Twitter and LinkedIn, and you can read more about him on Spiceworks. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.