Zihao Su, University of California, Santa Barbara; Kunlin Cai, University of California, Los Angeles; Reuben Beeler, Lukas Dresel, Allan Garcia, and Ilya Grishchenko, University of California, Santa Barbara; Yuan Tian, University of California, Los Angeles; Christopher Kruegel and Giovanni Vigna, University of California, Santa Barbara
As Virtual Reality (VR) applications grow in popularity, they have bridged distances and brought users closer together. However, with this growth, there have been increasing concerns about security and privacy, especially related to the motion data used to create immersive experiences. In this study, we highlight a significant security threat in multi-user VR applications, which are applications that allow multiple users to interact with each other in the same virtual space. Specifically, we propose a remote attack that utilizes the avatar rendering information collected from an adversary's game clients to extract user-typed secrets like credit card information, passwords, or private conversations. We do this by (1) extracting motion data from network packets, and (2) mapping motion data to keystroke entries. We conducted a user study to verify the attack's effectiveness, in which our attack successfully inferred 97.62% of the keystrokes. Besides, we performed an additional experiment to underline that our attack is practical, confirming its effectiveness even when (1) there are multiple users in a room, and (2) the attacker cannot see the victims. Moreover, we replicated our proposed attack on four applications to demonstrate the generalizability of the attack. These results underscore the severity of the vulnerability and its potential impact on millions of VR social platform users.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Zihao Su and Kunlin Cai and Reuben Beeler and Lukas Dresel and Allan Garcia and Ilya Grishchenko and Yuan Tian and Christopher Kruegel and Giovanni Vigna},
title = {Remote Keylogging Attacks in Multi-user {VR} Applications},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {2743--2760},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/su-zihao},
publisher = {USENIX Association},
month = aug
}