In a world where advancement and improvement are key, the demand for novel experiences continues to grow. Our culture strives for not only improvements in technology we currently possess, but advancement into the realms of tech which was once thought to be nothing more than unattainable dreams. With this advancement, however, comes great responsibility, and the question truly is whether or not the giants of the tech industry are actually capable of harnessing the power they’ve provided our culture with.
The need for strict security measures is vital, but are we actually holding up to these standards — and, if not, what does that mean for the average consumer buying these advancements on a daily basis? For companies like Sony and Microsoft, virtual and augmented reality are the newest endeavor into the unknown, but perhaps it is still too early for such technology to be readily available. In fact, despite the VR market distributing over 6.3 million headsets in 2016 alone, many security specialists fear that this technology is still not as secure as these companies claim it is, and the effects this lack of security may have on our society could be nothing short of disastrous.
How Does It Affect The Consumer?
Last year, over $2 million was invested in the virtual and augmented reality industry, due to the sheer supply needed to meet the demand of these devices. On the subject, Ben Smith, CEO of Laduma, stated, “As new developments are rushed to market in order to gain a lead on competitors, there is a risk that mistakes are being made.” The truth is that these devices are not as safe as they are marketed to appear. Because the demand for these devices is so high, many companies rushed them to market without truly meeting the security standards required to be successful in the long-term.
The main security concerns for virtual reality headsets come in three forms: visual terrorism, botnets, and phishing. Visual terrorism is fairly simple to understand, due to the fact that it truly isn’t rocket science to realize that you can be visually attacked when your face is millimeters from a giant immersive screen. With the most recent visual attack on Newsweek journalist, Kurt Eichenwald, resulting in a GIF being determined to be a deadly weapon in the court of law, it is no surprise that many specialists fear VR could soon be used in the exact same way.
In this case, cyberstalker John Rayne Rivello sent Eichenwald a GIF consisting of a series of flashing colors on Twitter, with the quote, “I hope this sends him into a seizure” sent directly afterwards to one of his friends as well. Eichenwald suffers from epilepsy and, after seeing the GIF, he experienced a severe and nearly fatal epileptic seizure.
The court later ruled that said GIF had been used as a deadly weapon and convicted the man on assault with a deadly weapon for the incident. This case strikes up a rather disturbing (yet true) fact about virtual reality devices, which many of the companies manufacturing these products seem to have forgotten about which is that this device can easily be transformed into a weapon if in the wrong hands. Some of their players have already experienced nausea and severe migraines simply by playing the games provided by these tech giants but what if a hacker were to create imagery specifically made to attack individuals more susceptible to VR illness or even epileptic seizures? This is where visual terrorism begins to unfold and the fear related to it finally makes sense.
When it comes to botnets, the same lack of security standards turns VR devices into targets. Last year alone, countless malicious malware attacks were caused by none other than botnets, including the Mirai malware attacks that actually set records never before seen. Mirai malware uses a table of nearly 60 common factory default usernames and passwords to target devices with weak security and infect them with the malware. From there, these devices monitor a command and control server to bypass anti-DDoS software. By targeting cameras and cellphones with weak security, these botnets were able to infect many devices with the malware without triggering any of the software put in place to deflect it.
The problem with this is, simply put, that VR headsets could easily be infected and lead to massive data breaches and malware attacks, which could shut down entire companies, destroying their stocks in a matter of hours. For the consumer, this could mean not only that their device is no longer functional, but that their personal information is now up for grabs by whoever chose to attack in the first place.
Lastly, phishing is one of the most common and likely forms of a VR attack that security specialists fear will soon occur. Phishing is a technique in which hackers create false identities in order to trick individuals into doing things they would not normally do. For instance, by hacking into VR headsets and using fake virtual objects, or pretending to be updates for the system, consumers may unwittingly deploy trojans into the network, or leak their passwords to hackers. This could make for a far easier entryway for hackers to manipulate data in the cloud.
With virtual reality hacking becoming a major concern, it is important that we analyze how exactly we can strengthen these security standards — not only for the consumers utilizing this technology, but also for the professionals taking a chance by incorporating this tech into fields that put it into contact with sensitive information, such as company data and even patient information.
How Does It Affect The Healthcare Industry?
With telemedicine and technology in the healthcare industry becoming so prevalent, it is no surprise that VR has made its way into the equation. In fact, virtual reality headsets are already being used to rehabilitate stroke victims, and even to help medical students learn more about the human body and surgery without actually being present with a live patient. However, the main issue with this is, once again, the security of the connection.
By connecting these devices to the same databases that hold all of the patient records, a gateway is formed for hackers to access information on any patients within the database and use it against them. In turn, they can steal the identity of any of these individuals, or even sell the information to others on the black market. With the digitization of nearly everything nowadays, it is all the more crucial that we mitigate the risk of electronic health records and the weak security of devices that could access them at any given point in time. This information is certainly not something to mess around with, and could even lead to the death of countless patients within the breached facility.
Furthermore, not only could cybercriminals access patient records, but they could also hack into any and all electronic devices also connected to the same network. Whether they choose to hack into the VR headsets themselves to attack individuals more susceptible to strokes and seizures, or they choose to attack computed tomography (CT) machines to hurt individuals using radiation, these devices that we plan on connecting to the IoT in only a matter of years could quite literally lead to the death of hundreds of individuals.
How Does It Affect Business?
In 2016, 45 percent of all breached organizations were in the business sector. The main reason for this comes in the form of cloud technology and the internet of things (IoT). With a rise in both the popularity of wearable technology, as well as telecommuting, an increasing number of careers where you can work from home are opening up, including jobs in web design and the healthcare industry. However, the use of weak devices connected to the same cloud their companies are connected to is exactly why a rise in data breaches in the business sector has occurred.
When employees connect devices such as cell phones or wearable tech to a company site, and various other pages in which their company’s data is vulnerable, they open a gateway to the business’ sensitive information. With this access point, hackers can easily steal said data. In turn, these hackers can find out information about not only the employees and the company itself, but also about their clients and personal information, such as financial data. Now, multiple companies have begun to consider the idea of using virtual reality in business to improve the way they secure their data, as well as the way their employees work both in and out of the office. From using devices to work with 3D models for product testing without wasting the excess paper and supplies that is used to build them in real life to virtual data recovery, the opportunities for VR in business are endless. However, with these headsets being so clearly weak in security measures, they open up an entirely new way for these various companies to be breached. VR could lead to massive hacks larger than even the likes of the DDoS attack on Dyn or Krebs on Security.
Using any of the methods above, these hackers could quite literally open up an entire company’s database and receive information on the identities of employees and clients, as well as the financial information needed to physically steal from them. With data intrusion becoming very popular as well, these breaches could take years for companies to even notice them. Although businesses affected by breaches may lose mere pennies at first, the things cybercriminals might intrude upon could bankrupt entire companies without them ever knowing why, in little to no time at all.
In the end, this ‘“power’” only lies in the hands of one industry —the one that created it. These tech giants may be making billions on the virtual and augmented reality devices they created, but, without the security measures in check to ensure they stay safe, it truly means very little in the wider scope of things. The most important thing to keep in mind is what exactly makes these devices so weak, and how we as a culture can counteract their weaknesses.
After all, you don’t have to throw your virtual reality headset in the trash just because the security measures aren’t up to par. Instead, the best way to keep your device and ensure your safety is by using difficult to figure out passwords, not trusting popups of any kind, and by avoiding any and all payments via the device as well. By doing this, we can enjoy the advancements technology have afforded us without paying the biggest price in return.
Source: SANS ISC SecNewsFeed @ May 3, 2017 at 11:12AM