
How Can We Stay Secure in an Extended Reality World?

The word “security” is a bit of a vague term since it doesn’t, on its own, allude to any particular aspect of security, and needs qualification with some other term – personal security, state security, world security, etc. Even then, it is not a simple concept and can need further qualification. In the context of something like VR, security can be a multifaceted issue, with a number of different solutions.

One of the big concerns with many of the latest crop of headsets is the collection and storage of personal data, and worries about how that might be used. The Oculus Quest 2 in particular has come under criticism since Oculus is owned by Facebook – the social media site – and requires that you have a Facebook account simply to set a unit up and use it. Facebook doesn’t have the best reputation when it comes to dealing with personal data – earlier this year, Facebook was slated for a data breach in which information on a huge number of users was somehow made accessible, and the fact that it had happened was only uncovered in a misdirected email that ended up in the offices of Belgium-based Data News.

The exposed data includes the personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. The data includes phone numbers, Facebook IDs, full names, locations, birthdates, bios, and, in some cases, even email addresses. Facebook tried to play down the significance of the breach but many analysts are not convinced by the company’s apparent commitment. 

But what of other VR systems? While none of the rest are quite as connected to a notorious data-gathering body as Facebook, they all gather data, with biometric information being a favourite. All VR systems tend to collect body-tracking data by means of eye-tracking systems, facial recognition systems and advanced sensors. This data includes fingerprints, voiceprints, hand and face geometry, electrical muscle activity, heart rate, skin response, eye movement detection and head position, to name a few. That information usually goes to help engineers understand how people are using their systems and to plan the next iteration of headsets. But the type and density of this data could be of use to criminals, who may be able to exploit it via an emerging practice called spoofing.

Spoofing is the practice of ‘fooling’ a biometric security system by presenting it with faked or copied biometric information. For example, a fingerprint can be stolen, copied and moulded onto an artificial silicone finger, and can then be used to unlock a mobile device or payment system, allowing hackers access to the user’s bank account. Facial recognition systems, often used to secure smartphones or tablets, have been known to be vulnerable to simply being shown a photograph of the owner, thus unlocking the device. By collecting a vast amount of information, fraudsters and criminal gangs could effectively become you, for whatever purposes.

From a different perspective and at a more fundamental level, VR units are highly specialised computers, with different functions from your laptop or Mac, but powered by combinations of ones and zeros just the same. In the same way, VR units are subject to malicious software and even ransomware that might lock us out of our entertainment, and only let us back in on payment of what can be a substantial amount of money. VR systems generate a great deal of biometric data, and users can be very slack with their passwords, so VR devices can be just as vulnerable to concerted attacks as any computer system. Strong passwords are therefore always required to keep your hardware and data secure. Research has recently found that the top three bad passwords – 123456, QWERTY (not necessarily in caps, either) and the word “password” – made nearly seven million appearances in observed data, and people need to get better with their password hygiene. Some analysts are suggesting that the way forward is to use combinations of passwords and biometric data as the entry-level means of securing data in VR systems, and extended versions of these in more secure units.

The future of VR is looking bright, with increasingly powerful systems being able to move into a greater number of areas, but people will only trust such systems if they are seen as secure. Facebook’s data issues and the problems with biometrics are likely to unnerve potential users, and it is up to the system developers to show us that our data is safe in their hands. Just how they do that is going to be interesting.