Meet the man-in-the-room attack: Hackers can invisibly eavesdrop on Bigscreen VR users

Flaws in Bigscreen could allow 'invisible Peeping Tom' hackers to eavesdrop on Bigscreen VR users, to discreetly deliver malware payloads, to completely control victims' computers and even to start a worm infection spreading through VR.

Meet the new man-in-the-room attack, which exploited vulnerabilities in the Bigscreen virtual reality (VR) app, allowing attackers to invisibly eavesdrop in VR rooms. Attackers could also exploit the flaws to gain complete control over Bigscreen users’ computers, to secretly deliver malware, and even to start a worm infection spreading through VR. Breathe easy – it’s been fixed, but it’s still freaky.

Bigscreen Beta, a free and popular VR app available on Steam – which supports HTC Vive, Oculus Rift, and Windows Mixed Reality – is like a hangout and more. It has more than 500,000 users and lets them make their avatars, chat in the lobby, hang out, make private rooms, watch movies together in an amphitheater-style cinema, collaborate on projects, and more. As part of an NSF-funded Virtual Reality Security & Forensics project, University of New Haven researchers Ibrahim Baggili, Peter Casey and Martin Vondráček totally pwned it thanks to security vulnerabilities in the Bigscreen game development platform.

Since Bigscreen likes to describe itself as a “virtual living room,” the attack would be like an invisible stranger taking over your living room – except it isn’t your living room being taken over, it’s your computer, which likely holds far more private details of your real and digital lives than your living room ever could.

I’m not gonna lie; the researchers’ novel attack – dubbed a man-in-the-room attack – wigged the privacy and security freak in me out. The flaws made it possible for an attacker to gain access to users’ systems without the users being any wiser – and it didn’t require tricking the users into installing anything.

“Our research shows hackers are able to monitor people day in and day out – listen to what they are saying and see how they are interacting in virtual reality,” said Baggili, founder and co-director of the University of New Haven Cyber Forensics Research & Education Group. “They can’t see you, they can’t hear you, but the hacker can hear and see them, like an invisible Peeping Tom. A different layer of privacy has been invaded.”

In addition to the flaws allowing an attacker to turn on a victim’s microphone and listen in on private conversations, the vulnerabilities also allowed “a self-replicating worm to spread across the Bigscreen community by infecting the lobby and users.”

I highly recommend watching the man-in-the-room attack proof of concept, as it shows the researchers’ software automating the attack process. Some of your fictional buddies and adversaries are there in the Bigscreen lobby – Bob, Alice, Mallory, and Trudy; the latter attacker is running a C&C server capable of controlling victims’ computers and eavesdropping on private rooms. In essence, the lobby gets poisoned and anyone who joins it gets infected; users in private rooms get compromised and become zombies.

When Bob, or anyone else, created a private room, attacker Trudy could share the room ID with attacker Mallory, who could then join the private room and eavesdrop as an invisible user. Mallory then compromises everyone in the private room, so they unknowingly become zombies that Trudy can control.

An attacker could completely control victims’ computers, viewing the victims’ screens in real time. The attacker can eavesdrop, as well as control victims’ computer audio, see video, turn on the microphone and send chat messages. For example, the attacker could send messages on a victim’s behalf, change victims’ avatars, play Bigscreen UI sound effects, select admins for rooms, kick users from rooms while making it look like an admin did it, and even ban users until restart – in which case the victim would see a message stating, “You have been permanently banned from public rooms.”

The attacker can see victims’ logs, open any folder on victims’ machines, download and execute any payload, and even remotely kill the victims’ Bigscreen app.

The researchers responsibly disclosed their findings to Bigscreen's CEO and to Unity. In a Facebook post about the massive 2019 update, Bigscreen mentions new features and improvements, but you have to read the blog post to find the mention of the disclosed security vulnerabilities in “Bigscreen’s servers and streaming systems,” followed by the statement, “These bugs have been fully patched in this update.”

In addition, Unity added a note in bold print to its documentation stating that the platform “can be used to open more than just web pages, so it has important security implications you must be aware of.”
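The Unity note quoted above refers to the fact that a URL-opening call will hand whatever string it receives to the operating system, so anything that reaches it from the network or from another user needs to be validated first. The following wrapper is an added illustration written for this article, not Bigscreen’s or Unity’s own code; it assumes Unity’s `Application.OpenURL` and only lets absolute http/https URLs through, rejecting file paths, UNC paths and custom schemes.

```csharp
using System;
using UnityEngine;

// Hypothetical helper (not from Bigscreen or Unity): gate untrusted strings
// before they ever reach Application.OpenURL.
public static class SafeUrlOpener
{
    // Returns true only for an absolute http(s) URL with a host name.
    // Local paths ("C:\tool.exe"), UNC paths ("\\server\share\x.exe"),
    // "file:", "javascript:" and any custom scheme are all rejected.
    public static bool IsSafeWebUrl(string candidate)
    {
        if (string.IsNullOrWhiteSpace(candidate))
            return false;

        if (!Uri.TryCreate(candidate.Trim(), UriKind.Absolute, out Uri uri))
            return false;

        bool httpScheme = uri.Scheme == Uri.UriSchemeHttp
                       || uri.Scheme == Uri.UriSchemeHttps;

        return httpScheme
            && !string.IsNullOrEmpty(uri.Host)
            && !uri.IsFile
            && !uri.IsUnc;
    }

    // Use this instead of calling Application.OpenURL directly on data that
    // came from a room, a chat message or any other remote source.
    public static bool TryOpen(string candidate)
    {
        if (!IsSafeWebUrl(candidate))
        {
            Debug.LogWarning($"Refused to open non-web URL: {candidate}");
            return false;
        }

        Application.OpenURL(candidate);
        return true;
    }
}
```

Logging the refused value (as above) also gives defenders a record of attempted abuse without executing anything.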

Copyright © 2019 IDG Communications, Inc.
