Inception Attack: VR Heist with loss of personal data and control over virtual life

Teacher

There may be an intruder in your VR helmet.

A new study from the University of Chicago describes a vulnerability in the Meta Quest VR system that allows attackers to hijack users' devices, steal confidential information, and use generative AI to manipulate social interactions.

To carry out the attack, called the "Inception Attack", an attacker needs access to the Wi-Fi network of the VR headset's user. If the attack succeeds, victims become vulnerable to phishing, fraud, and other threats.

A cybercriminal must create an app that injects malicious code into the Meta Quest system, then launch a copy of the home screen and app and monitor, record, and modify all user actions in VR, including voice commands, gestures, browser activity, and social interactions.


Screenshots of the real (left) and its copy (right)

As part of the study, it was demonstrated how an attacker could change information on the user's screen, for example, showing an incorrect bank account balance, and even change the amount of transfers without the user's knowledge.

The use of generative AI can make things worse, allowing an attacker to instantly clone people's voices and create visual deepfakes for manipulating interactions in VR.


Voice cloning allowed you to change the voice message of the interlocutor

An experiment involving 27 volunteers, experts in the field of VR, showed that most of them did not suspect the presence of an attack; only one participant noticed suspicious activity. A representative of Meta announced the company's plans to study the results of the study and emphasized cooperation with academic circles as part of its vulnerability search program.
 