Meta Quest vulnerability lets hackers control your VR headset

Into the Matrix.

Meta Quest hack lets attackers control your VR headset, including recording literally everything.

The University of Chicago has discovered a major vulnerability in Meta Quest VR headsets. Published by MIT Technology Review, the hack is quite severe. It combines the effects of a keylogger, hidden microphone, and ransomware all in one.

Once the university's researchers inject the malicious code via an application, it clones the operating system’s home environment. Since the clone looks identical to the one you’re familiar with, researchers are calling it an “inception attack” after the Christopher Nolan movie.

The main difference is that the fake OS gives the attacker the means to steal your information and pose as you. They can record everything you say, see, and do, including gestures and keystrokes. That might not seem like a big deal since everyone already collects your data in droves, but nothing is anonymised, and everything could be used against you.

Worse yet, hackers can pose as you, sending messages to people in your name. This puts your contacts at risk of phishing and a range of other sophisticated scams.

It’s unlikely you’d even notice a compromised device. The trial involved 27 unsuspecting subjects who weren’t privy to the intent. Just one person reported suspicious activity after spotting unusual sluggishness. Ten others chalked the delay up to your run-of-the-mill lag. The remaining 16 didn’t see anything amiss at all.

It’s not all bad news if you copped a Meta Quest 2 at its best price ever. First, the attack hasn’t cropped up in the wild yet and isn’t in active use. Second, it’s a difficult hack to pull off, as bad actors would need to connect to the same WiFi network as your device. Unless you’re rocking your goggles on a public network, you only need to be careful of your family and friends.

The study isn’t peer-reviewed, so this news rests entirely on the shoulders of Chicago Uni. Meta tells MIT Technology Review that it plans to investigate the findings itself, so a fix is likely on the horizon.