Editor’s note: Adam Kujawa is a computer scientist with over nine years’ experience in reverse engineering and malware analysis. He has worked at a number of United States federal and defense agencies, helping these organizations reverse engineer malware and develop defense and mitigation techniques. He is currently head of Malware Intelligence for Malwarebytes.
Using your imagination, put yourself on top of a tall mountain, watching the most beautiful sunset over the clouds, all while mounted on your trusty dragon. Now you’re on a spaceship, traveling at hyperspeed toward an unknown planet full of mystery and danger. Finally you’re sitting across the table from your spouse who you haven’t seen in person in over a year, you both move in for a kiss when suddenly the world goes dark and you are staring right at the most horrific and violent images you have ever seen. Do you want to return to your romantic dinner? Well that will be $200.
All of the images I painted for you above will be possible within the next 10 years, immersive technology will put the user into the digital shoes of their own avatars, experiencing video games, simulations, learning opportunities and even romance on new levels, so it goes without saying that while we can expect all that grandeur, there will be people who try to ruin it, for money.
Our current technology mainly consists of interaction with an interface device, such as a keyboard, mouse and even touch screen, and a method for displaying data (i.e. your monitor); the feeling of full immersion isn’t possible — not yet anyway. With new technologies being developed every day we are looking at a bright future where users will be donning headsets, haptic feedback gloves and specialized glasses or contacts to interact with both the real and digital worlds in ways only written in science fiction.
Tech like the Oculus Rift and Sony’s Project Morpheus are just the first steps being taken in an industry that has been relatively dormant for the last two decades. These devices allow for full or close-to-full immersion when watching movies, playing video games and maybe someday soon, conferencing with friends or coworkers.
In addition to the full immersion devices that are on the way to us, we currently have a large trend of devices that augment reality, such as Google Glass.
As with all advancements in technology, eventually someone will find a way to hurt people with it. In this case, when we talk about technology that can implant you in a new reality, there is going to be a market for cyber criminals to modify that reality for their own gain.
First we are going to talk about Immersive threats, which means the possible dangers associated with future full immersion technology (making it feel like you are somewhere you aren’t). I can say for certain that this kind of technology is going to be well funded, quickly developed and widely accepted. I say this because most of the efforts being put forth to develop this tech is being done so in the name of gaming.
Gaming has historically been one of the greatest motivators of technological advancement, from graphics cards to processors to peripherals like your mouse or keyboard. Sure enough, we are going to see this technology adapted for other purposes after video games have made it the standard. When that happens though, you can be sure that the cyber criminals will be waiting to pounce.
Our first threat is one that everyone is already familiar with — the ransomware lock screen. This method has been used by ransomware for years. Usually it’s nothing more than text that demands ransom payment. If we consider that this threat is the same as we would see on a desktop, why would it be unique to immersive tech? What if the malware accessed the output to the immersive device and was able to broadcast the ransom screen only on that device?
A simple scan of the system would most likely remove the malware, and after that, you could go back to what you were doing. The threat for this method is annoying at best.
Now we are going to step into the psychological attacks that can be performed with immersive tech, namely disturbing images flashing before your eyes.
While ransomware would leave an image shown on your device for as long as it was running, a flashing image type of attack wouldn’t even be noticed until after it has assaulted the eyes of the user. The images could be something sexual in nature or violent or maybe both.
After a few days of these images appearing on your device while in use, maybe they become more frequent and finally you are presented with popups advising you to pay the ransom if you want the visions to stop. This malware could also be removed with a scan and everything could go back to normal. However, the psychological damage that might have occurred would no doubt last much longer, with users not even sure they saw what they saw, until the malware revealed itself, they might very well believe they were losing their mind.
It’s safe to assume that many users who utilize immersive visual technology will employ the same with audio; in this case that means loud 3D sound using noise canceling headphones. Now what used to be nothing more than a childish prank using videos will become a nightmare for victims of screamer malware.
Imagine you are playing an immersive game or watching a film, focusing very closely on the content and giving it your full attention. Suddenly a frightening sight appears before your eyes and the loudest scream you have ever heard invades your ears. Most screamers only have a split-second effect on their victims using traditional monitors, the user can look away, can laugh and escape the fear moments after it happens. For users using immersive tech, the same will not be true.
Already we have seen users who have tested out devices like the Oculus Rift while playing horror video games, the same kind of games that are meant to shock and scare the player. The reaction of these players goes beyond what it would be just playing in the dark, leading to a complete breakdown of fear, unable to escape until they tear off their device.
After the initial screamer screen fades, the user can go back to what they were doing and it might be hours before another one appears. At this point the amount of fear and anxiety of another screamer could drive a person to do crazy things, like pay cyber criminals ransom.
This may also be easily removed from the system, but the guaranteed psychological damage will last a long time, resulting in nightmares and a fear to even touch their computers. A cyber criminal utilizing this method might want to demand the ransom beforehand, even warn the user of what might happen if they don’t pay. With enough victims the threat alone might just be enough.
The final threat we are going to talk about in association with immersive tech doesn’t want to be found; it will wait and very quietly whisper into your ear — malware that speaks to the user, pushing them into either mind control or madness. The same can be done with subliminal messaging, hiding an almost completely transparent message into the eyes of the user, something that is less effective with normal tech, but without the ability to look away it becomes dangerous.
Depending on how the cyber criminals want to go, they could take up requests from less reputable companies to advertise their products, or they could just simply whisper madness. The criminals could then offer the user a way out by selling pills or some other kind of therapy that will “cure them.” After which they simply turn off the whispers until the time comes when they need more money.
So now that we have looked into the threats associated with immersive tech and the kind of power being given to a cyber criminal who infects a user using these devices, we can say that most of the attacks will be aimed at torturing the user psychologically, considering they have their complete attention.
What about augmented reality, though? Things like Google Glass? Well in that case you’ve got a completely different set of threats, although many of these might seem familiar to the desktop world. In reality they are able to steal, extort and spy with greater reach than they were ever allowed on a normal PC.
Stealing Private Moments and then Selling Them
One of the key components of Augmented Reality (AR) tech is its ability to facilitate interaction with the real world in new ways. This means that in order to provide digital content overlayed on the real world, these devices require the use of cameras.
A camera attached to an AR device that is attached to you can be a very dangerous thing. Consider if you will, malware that can use said camera to take pictures during a user’s most private times. These instances are never meant to be seen by the public, but by using the connections to social media these devices will no doubt have available, a cyber criminal can post these pictures onto the user’s social media whenever they want. Of course the most likely scenario would be if the user refused to pay a ransom.
A proof-of-concept spyware for the Google Glass has already been created by some researchers so this threat is much more of a reality than anything else I have talked about so far.
In addition to taking pictures and recording video, AR devices will be able to record sound for you. The upside of this is taking mental notes, communicating with the device hands-free and maybe even recording a song you hear on the radio to identify it later. The downside is that malicious software could record all of your juicy conversations for things like espionage or even identity theft.
On the other side of the coin, built-in voice recognition software could be used to identify common product names or themes in your conversation and therefore used to tailor ads presented to you, which would be bad if that kind of thing bothered you.
Stealing Credit Card and Pin Numbers
Obviously a huge threat of malware running on an AR device would be grabbing personal information while it watched you go about your day. In this case, all the cyber criminal needs to do is wait for you to look at your credit card to steal the numbers; alternatively they can wait until you access an ATM to figure out what your PIN is. Then by using your personal information, they could recreate your credit card and take out a chunk of cash from your account.
Alternatively, they could use your credit card information and an analysis of your signature (also obtained from taking pictures where you look) to use your credit card while also copying your signature.
Basically, the cyber criminals will be able to capture every aspect of your life and completely take it over. They can steal your Social Security number, birth date, addresses and family information. Of course the best course of action is to turn off these devices while you’re doing anything of a personal or secure nature. However, what happens when augmented reality goes beyond wearing a device on our face but having one implanted into our bodies?
Altering reality in a very negative way
The final threat associated with augmented reality in the near future is the very thing the devices were designed to do — augment reality. The selling point of this technology is to make real life more functional from a digital point of view, which means GPS mapping, image and sound recognition, biometric monitoring and of course showing the user a world beyond what is actually there.
Now imagine if malware had access to all of these functions and was running on your augmented device. What if you were using AR tech to navigate your vehicle? You might find yourself driving into a wall. At the same time, what if AR was used to make an occupied lane, suddenly unoccupied, sending the user crashing into another driver?
Depending on the field of vision from the AR tech, the possibilities are endless: Full eye covering could blind, confuse and misdirect a user, while something like Google Glass might just be used to capture the attention of the user at inconvenient times or even provide false information.
With all of the possible threats, should we just abandon our efforts to create immersive or augmented realities? Absolutely not! The benefits of this technology far outweigh any risks that can only be present if the developers of this technology fail to take due diligence in their engineering.
Technology, historically, has moved at a very fast speed, usually with the unfortunate result of the tech including security holes and vulnerabilities that are used later by malicious actors. For as badly as I know that many of us (myself included) want this technology, I think it is far more important to take the proper time needed to make sure it can’t be abused, because the danger of having exploitable technology attached to your face is far greater than not having access to Facebook due to ransomware.