Skip to main content

Researchers claim hackers can create havoc in the Oculus Rift, HTC Vive

Virtual reality headsets produced by Oculus VR and HTC are open to hackers according to a recent paper published by researchers from the University of New Haven in Connecticut. Their proof-of-concept attack targets OpenVR, an open-source software development kit created by Valve Software and supported by the HTC Vive and Oculus Rift PC-based headsets. The result? Changing what the viewer sees and thereby causing physical harm. 

The problem with the HTC Vive and Oculus Rift is that you can’t see the surrounding physical environment. The setup process includes defining your movement area in the real world while inside virtual reality, this space is defined by a grid that suddenly appears if you get too close to the playing area’s edge. Typically, the edge is an actual wall, a couch, or simply an area where observers can watch from a safe distance while you swing wildly with the controllers. 

But hackers with access to a compromised PC could alter that space. If, for some reason, headset owners were playing near a staircase, they could trip over the steps or fall down to the next floor. If a group of family members is watching from the couch, headset owners could get too close and start swinging the controllers at their heads. The physical dangers are certainly possible. 

With the proof-of-concept, the research team attached malware to an email to see what would happen once it infected the targeted PC. “It was created with little security in mind, and they’re completely relying on the security of the operating system and the user,” says Ibrahim Baggili, director of the university’s Cyber Forensics Research and Education Group. 

Naturally, there are already safeguards set in place to prevent the infection, such as antivirus software and firewalls. But the experiment targeted the VR platforms themselves to see what would happen if the typical safeguards failed. The software powering the Oculus Rift and HTC Vive failed to block the malware as it infiltrated through the OpenVR crack. Not only could the researchers change the boundary, but everything seen through the headsets. 

Both HTC and Valve Software wouldn’t comment on the findings, but Oculus VR pointed out that the majority of the Oculus Rift experiences are served up on the Oculus Store without OpenVR. Even more, adding encryption to Guardian would introduce bugs and “unnecessary complexity.” If your machine is compromised, all data is at risk, not just the VR experience. 

But a closer look at the report shows there is more to the issue than just altering the headset’s view. For instance, a deep dive into Steam discovered two authorization files hidden in the Steam folder that could be used to bypass two-factor authentication. Other files include the person’s name, port details, IP addresses, and data associated with specific apps. Researchers also found accessible “artifacts” with a number of applications such as Rec Room, AltspaceVR, Facebook Spaces, and Big Screen. 

The full disclosure will be presented in May during the 39th annual Institute of Electrical and Electronics Engineers Symposium on Security and Privacy. 

Editors' Recommendations

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Oculus Rift vs. HTC Vive
msi oculus vr rift collaboration backpack pc on matt back2

The virtual reality headset industry is far more mature than when it re-emerged with exciting new hardware in 2016, but Oculus and HTC's flagship PC headsets are still two of the best choices out there.

Yes, there are other versions of these PC headsets, and while you might be more excited about the HTC Vive Pro, Oculus Go, or Oculus Quest, the Oculus Rift (and updated Rift S model) versus HTC Vive (now currently on the Cosmos line of products) comparison is still a major debate worth having when it comes to picking the right VR headset for you -- especially if you already have a capable gaming PC.
Design

Read more
HTC offers cheaper Vive Pro Eye bundles, expands eye-tracking in VR
HTC Vive Pro Eye virtual reality headset

HTC is expanding its push into enterprise virtual reality solutions by launching several new bundles in the Vive Pro Eye family. Both new bundles come packaged with HTC's Vive Pro Eye, which boasts to be the first virtual reality headset that comes with built-in eye tracking technology.

However, enterprise users who just want the VR headset without buying a bundle can grab the Vive Pro Eye at its new lower price of $1,399, HTC announced. This represents a savings of $200 from the original $1,599 price.

Read more
HTC Vive Cosmos Elite hands-on review: External tracking returns
vive cosmos elite

Setting up sensors in your living room to use VR isn't fun. It takes time, requires a lot of space, and is a hassle to transport. In the era of inside-out tracking on headsets like the Vive Cosmos and Oculus Quest, external tracking feels like a technology ready to be phased out.

HTC has announced a new external tracking option with the Vive Cosmos Elite. It's a faceplate attachment that brings external tracking to the Cosmos. The $899 bundle includes SteamVR base stations and two controllers, and is priced as a successor to the Vive Pro.

Read more