Critical vulnerabilities in Bigscreen VR app, Unity allow eavesdropping, ‘man-in-the-room’ attacks

A vulnerability in both the Bigscreen virtual reality app and the Unity game development platform on which it’s built makes it possible for hackers to listen to conversations and access user computers, according to researchers at the University of New Haven.

“Our research shows hackers are able to monitor people day in and day out – listen to what they are saying and see how they are interacting in virtual reality,” Ibrahim Baggili, founder and co-director of the University of New Haven Cyber Forensics Research and Education Group, said in a release. “They can’t see you, they can’t hear you, but the hacker can hear and see them, like an invisible Peeping Tom. A different layer of privacy has been invaded.”

The University of New Haven researchers were able to turn on user microphones; join private VR rooms and remain invisible (dubbed “a man-in-the-room attack”); see users’ computer screens in real time; send messages from their accounts; run malware on their computers; successfully phish users into downloading fake VR drivers; and even create a replicating worm that can infect users entering a VR room, the team explained.

After discovering the vulnerability while testing the security of VR systems through a National Science Foundation-funded project, the researchers notified both Bigscreen and Unity, with Bigscreen CEO and founder Darshan Shankar reporting last week that the flaw has been patched, the release said.
