Immersive Infections

Adam Kujawa

Contributor


Editor’s note: Adam Kujawa is a computer scientist with over nine years’ experience in reverse engineering and malware analysis. He has worked at a number of United States federal and defense agencies, helping these organizations reverse engineer malware and develop defense and mitigation techniques. He is currently head of Malware Intelligence for Malwarebytes.

Using your imagination, put yourself on top of a tall mountain, watching the most beautiful sunset over the clouds, all while mounted on your trusty dragon. Now you’re on a spaceship, traveling at hyperspeed toward an unknown planet full of mystery and danger. Finally, you’re sitting across the table from your spouse, whom you haven’t seen in person in over a year. You both move in for a kiss when suddenly the world goes dark and you are staring right at the most horrific and violent images you have ever seen. Do you want to return to your romantic dinner? Well, that will be $200.

All of the images I painted for you above will be possible within the next 10 years. Immersive technology will put the user into the digital shoes of their own avatars, experiencing video games, simulations, learning opportunities and even romance on new levels. So it goes without saying that while we can expect all that grandeur, there will be people who try to ruin it, for money.

Current Tech

Our current technology mainly consists of interaction with an interface device, such as a keyboard, mouse and even touch screen, and a method for displaying data (i.e. your monitor); the feeling of full immersion isn’t possible — not yet anyway. With new technologies being developed every day we are looking at a bright future where users will be donning headsets, haptic feedback gloves and specialized glasses or contacts to interact with both the real and digital worlds in ways only written in science fiction.

[Image. Caption: Worth it.]

Tech like the Oculus Rift and Sony’s Project Morpheus are just the first steps being taken in an industry that has been relatively dormant for the last two decades. These devices allow for full or close-to-full immersion when watching movies, playing video games and maybe someday soon, conferencing with friends or coworkers.

In addition to the full immersion devices that are on the way to us, we currently have a large trend of devices that augment reality, such as Google Glass.

Future Threat

As with all advancements in technology, eventually someone will find a way to hurt people with it. In this case, when we talk about technology that can implant you in a new reality, there is going to be a market for cyber criminals to modify that reality for their own gain.

Immersive Threats

First we are going to talk about immersive threats, which means the possible dangers associated with future full immersion technology (making it feel like you are somewhere you aren’t). I can say for certain that this kind of technology is going to be well funded, quickly developed and widely accepted. I say this because most of the effort being put forth to develop this tech is being made in the name of gaming.

Gaming has historically been one of the greatest motivators of technological advancement, from graphics cards to processors to peripherals like your mouse or keyboard. Sure enough, we are going to see this technology adapted for other purposes after video games have made it the standard. When that happens though, you can be sure that the cyber criminals will be waiting to pounce.

Lock Screens

Our first threat is one that everyone is already familiar with — the ransomware lock screen. This method has been used by ransomware for years. Usually it’s nothing more than text that demands ransom payment. If we consider that this threat is the same as we would see on a desktop, why would it be unique to immersive tech? What if the malware accessed the output to the immersive device and was able to broadcast the ransom screen only on that device?

A simple scan of the system would most likely remove the malware, and after that, you could go back to what you were doing. The threat from this method is annoying at best.

Flashing Images

Now we are going to step into the psychological attacks that can be performed with immersive tech, namely disturbing images flashing before your eyes.

While ransomware would leave an image shown on your device for as long as it was running, a flashing image type of attack wouldn’t even be noticed until after it has assaulted the eyes of the user. The images could be something sexual in nature or violent or maybe both.

[Image: Augmented immersive tech. Caption: Basically the opposite of this.]

After a few days of these images appearing on your device while in use, maybe they become more frequent and finally you are presented with popups advising you to pay the ransom if you want the visions to stop. This malware could also be removed with a scan and everything could go back to normal. However, the psychological damage that might have occurred would no doubt last much longer. Users would not even be sure they saw what they saw, and until the malware revealed itself, they might very well believe they were losing their mind.

Screamers

It’s safe to assume that many users who utilize immersive visual technology will employ the same with audio; in this case that means loud 3D sound using noise canceling headphones. Now what used to be nothing more than a childish prank using videos will become a nightmare for victims of screamer malware.

[Image: Immersive tech. Image credit: Saturday Night Live, NBC Universal]

Imagine you are playing an immersive game or watching a film, focusing very closely on the content and giving it your full attention. Suddenly a frightening sight appears before your eyes and the loudest scream you have ever heard invades your ears. Most screamers only have a split-second effect on their victims using traditional monitors; the user can look away, can laugh and escape the fear moments after it happens. For users using immersive tech, the same will not be true.

Already we have seen users who have tested out devices like the Oculus Rift while playing horror video games, the same kind of games that are meant to shock and scare the player. The reaction of these players goes beyond what it would be just playing in the dark, leading to a complete breakdown from fear, with the player unable to escape until they tear off their device.

After the initial screamer screen fades, the user can go back to what they were doing and it might be hours before another one appears. At this point the amount of fear and anxiety of another screamer could drive a person to do crazy things, like pay cyber criminals ransom.

This malware may also be easily removed from the system, but the guaranteed psychological damage will last a long time, resulting in nightmares and a fear of even touching the computer. A cyber criminal utilizing this method might want to demand the ransom beforehand, even warn the user of what might happen if they don’t pay. With enough victims the threat alone might just be enough.

Whispers

The final threat we are going to talk about in association with immersive tech doesn’t want to be found; it will wait and very quietly whisper into your ear — malware that speaks to the user, pushing them into either mind control or madness. The same can be done with subliminal messaging, placing an almost completely transparent message before the eyes of the user, something that is less effective with normal tech, but without the ability to look away it becomes dangerous.

[Image: Immersive tech. Caption: I NEED CHEESEBURGERS!]

Depending on how the cyber criminals want to go, they could take up requests from less reputable companies to advertise their products, or they could just simply whisper madness. The criminals could then offer the user a way out by selling pills or some other kind of therapy that will “cure them,” after which they simply turn off the whispers until the time comes when they need more money.

Augmented Tech

So now that we have looked into the threats associated with immersive tech and the kind of power being given to a cyber criminal who infects a user using these devices, we can say that most of the attacks will be aimed at torturing the user psychologically, considering the attacker has the user’s complete attention.

What about augmented reality, though? Things like Google Glass? Well, in that case you’ve got a completely different set of threats, although many of these might seem familiar from the desktop world. In reality, cyber criminals are able to steal, extort and spy with greater reach than they were ever allowed on a normal PC.

Stealing Private Moments and then Selling Them

One of the key components of Augmented Reality (AR) tech is its ability to facilitate interaction with the real world in new ways. This means that in order to provide digital content overlaid on the real world, these devices require the use of cameras.

A camera attached to an AR device that is attached to you can be a very dangerous thing. Consider if you will, malware that can use said camera to take pictures during a user’s most private times. These instances are never meant to be seen by the public, but by using the connections to social media these devices will no doubt have available, a cyber criminal can post these pictures onto the user’s social media whenever they want. Of course the most likely scenario would be if the user refused to pay a ransom.

[Image: Immersive tech. Caption: Grandpa stopped following you on Facebook that day.]

A proof-of-concept spyware for the Google Glass has already been created by some researchers, so this threat is much more of a reality than anything else I have talked about so far.

Recording Conversations

In addition to taking pictures and recording video, AR devices will be able to record sound for you. The upside of this is taking mental notes, communicating with the device hands-free and maybe even recording a song you hear on the radio to identify it later. The downside is that malicious software could record all of your juicy conversations for things like espionage or even identity theft.

On the other side of the coin, built-in voice recognition software could be used to identify common product names or themes in your conversation and therefore used to tailor ads presented to you, which would be bad if that kind of thing bothered you.

Stealing Credit Card and PIN Numbers

Obviously a huge threat of malware running on an AR device would be grabbing personal information while it watched you go about your day. In this case, all the cyber criminal needs to do is wait for you to look at your credit card to steal the numbers; alternatively they can wait until you access an ATM to figure out what your PIN is. Then by using your personal information, they could recreate your credit card and take out a chunk of cash from your account.

Alternatively, they could use your credit card information and an analysis of your signature (also obtained from taking pictures where you look) to use your credit card while also copying your signature.

Basically, the cyber criminals will be able to capture every aspect of your life and completely take it over. They can steal your Social Security number, birth date, addresses and family information. Of course the best course of action is to turn off these devices while you’re doing anything of a personal or secure nature. However, what happens when augmented reality goes beyond wearing a device on our face to having one implanted into our bodies?

Altering reality in a very negative way

The final threat associated with augmented reality in the near future is the very thing the devices were designed to do — augment reality. The selling point of this technology is to make real life more functional from a digital point of view, which means GPS mapping, image and sound recognition, biometric monitoring and of course showing the user a world beyond what is actually there.

Now imagine if malware had access to all of these functions and was running on your augmented device. What if you were using AR tech to navigate your vehicle? You might find yourself driving into a wall. At the same time, what if AR was used to make an occupied lane suddenly appear unoccupied, sending the user crashing into another driver?

[Image: Immersive tech. Caption: “Wow, not a car in sight! This trip is going to be smooth!”]

Depending on the field of vision from the AR tech, the possibilities are endless: Full eye covering could blind, confuse and misdirect a user, while something like Google Glass might just be used to capture the attention of the user at inconvenient times or even provide false information.

Conclusion

With all of the possible threats, should we just abandon our efforts to create immersive or augmented realities? Absolutely not! The benefits of this technology far outweigh any risks, which can only be present if the developers of this technology fail to exercise due diligence in their engineering.

Technology, historically, has moved at a very fast speed, usually with the unfortunate result of the tech including security holes and vulnerabilities that are used later by malicious actors. For as badly as I know that many of us (myself included) want this technology, I think it is far more important to take the proper time needed to make sure it can’t be abused, because the danger of having exploitable technology attached to your face is far greater than not having access to Facebook due to ransomware.
