
Does virtual and augmented reality mean augmented cybercrime too?

Virtual and augmented reality introduce intriguing new opportunities for innovation across many industry sectors, but what are the security risks and how can we overcome them?


Not so long ago, augmented reality (AR) and virtual reality (VR) were the stuff of science fiction. Now they’ve become more than just niche experimental technologies. They’re rapidly entering the mainstream, particularly in the consumer world of interactive media. But it’s not just things like video games that are being transformed by the rise of VR platforms – there are some promising business cases for AR and VR too. In fact, some experts estimate that they will become indispensable technologies in the business world by as early as 2025.

What is augmented and virtual reality?

Although augmented and virtual reality are closely related, they’re not the same thing. AR ‘augments’ the real world around the user by adding digital elements to the real-world view. Perhaps the most familiar example is the mobile game Pokémon Go; less successful products include the infamous Google Glass. VR, by contrast, provides a far more immersive experience, since it relies on shutting out the physical world entirely. Popular VR devices include gaming platforms like HTC Vive and Oculus Rift, as well as lower-tech and more affordable experiences like those offered by Google Cardboard. Another term you’ll encounter is mixed reality (MR), which refers to experiences that combine elements of both VR and AR. One of the best-known examples is Microsoft HoloLens, an MR platform designed specifically for business applications.

What are the business applications of augmented and virtual reality?

Rapid prototyping

One of the most promising applications is product prototyping, a process which involves creating a complete digital model of a product (a so-called digital twin) and merging it with a VR experience. This allows for extensive testing and ideation without the high costs of developing multiple physical prototypes.

Employee training

Another popular business application, and one that’s already entering mainstream use, is employee training. By applying VR or AR to training programs, it’s possible to build a safe and highly interactive simulated environment with real-time feedback. Similarly, AR and VR can help improve workplace safety, especially in hazardous environments, be they workshop floors or nuclear reactors. AR can also help workers assemble, operate and maintain complex machines by providing real-time information overlaid onto their headsets.

These are just a few of the exciting applications of augmented and virtual reality. And, though they might still sound like science fiction to the layperson, they’re actually not. Companies like Ford, Airbus and Sotheby’s are already using them.

The wearable camera problem

Augmented reality headsets depend on their ability to understand the local environment, which means cameras are often essential components, and those cameras can pose a security risk. Ever since the first Google Glass prototype was released to much fanfare back in 2013 (only to fail miserably by 2015), there have been growing concerns around privacy and security. The launch of Google Glass even gave rise to the colorful term ‘glasshole’, which refers to those people who behaved inappropriately while using the device (such as by spying on others and taking photos without their knowledge). But edgy names aside, this has serious implications in fields such as healthcare where organizations are subject to strict compliance regulations like HIPAA to protect patient privacy.

A new frontier for social engineering

Aside from privacy concerns, AR and VR devices are connected like any other. They’re part of a rapidly growing global network that’s often dubbed the Internet of Things (IoT). And, like any connected device, they handle the transmission and storage of data, which might be misappropriated by hackers. When it comes to the immersive experiences of AR and VR, this has especially worrying potential in corporate espionage and social engineering. When technology can reach the point of convincing the brain it’s somewhere it’s not, the opportunities for taking advantage of human vulnerabilities are enormous.

As with any technology, the weakest link is normally the users themselves, which makes AR and VR a unique target for exploiting people. For example, attackers might inject features into VR platforms designed to mislead users into giving away personal information. There are also new implications for ransomware, in which attackers could sabotage platforms and interrupt important meetings before asking for a ransom.

VR and AR experiences are only going to get more immersive and more realistic. On the one hand, this might make them more engaging and widely used. On the other, it makes them more dangerous. Fake identities, or so-called ‘deepfakes’ generated by machine-learning technologies, for example, allow for the manipulation of voices and videos to the extent they still look like genuine footage. If a hacker could access the motion-tracking data from a VR headset, they could potentially use it to create a digital replica. They could then superimpose this on someone else’s VR experience, such as an immersive business conference, to carry out a social engineering attack. With people interacting more and more through avatars, this brings an entirely new dimension to the disturbing world of cybercrime.

Data breach risks

Aside from potentially providing cybercriminals with new ways to manipulate their victims, VR and AR present all the classic cybersecurity risks too. As systems that transmit and store data, they’re fair game for anyone wanting to get their hands on the most valuable commodity in the world: personal data. They’re also possible targets for distributed denial-of-service (DDoS) attacks, which could have very serious implications for those depending on AR in critical situations such as surgical procedures or when operating dangerous machinery.

Mitigating the risks isn’t as hard as you think

To address the risks associated with AR and VR, it’s best to start with the core principles of information security – the very same ones that should be governing the wider IT infrastructure across the organization. Although attacks against AR and VR systems manifest themselves in different ways, the technological and administrative measures used to safeguard them are similar to other forms of connected technology. They use the same protocols as any other connected device, so all the standard rules apply – include them in your risk assessments, keep firmware up to date and encrypt any sensitive data. And never take security for granted. Most AR and VR devices don’t encrypt data by default, and they may integrate with third-party apps which themselves have dubious security.

On top of all the standard measures, AR and VR present some unique challenges, particularly when it comes to physical security and safety. One of the biggest problems with VR specifically is that it completely blocks off a user’s visual and auditory connection to the outside world. It’s always important to evaluate the physical safety and security of the user’s environment first. This also applies to AR, in which it’s important for users to maintain a high degree of situational awareness, particularly in more immersive environments. And, it should go without saying, but don’t run around in a busy workspace wearing a VR headset!

Although identity and access management are central to any information security strategy and concern any device, this is an area that’s often overlooked when it comes to the adoption of AR and VR systems. You might, for example, be able to identify other people you’re working with by their avatars, but there’s also the potential risk of the avatar being copied and used by an unauthorized party. Fortunately, used in the right way, AR and VR can potentially improve identity and access management with multifactor authentication (MFA) – for example using eye-tracking sensors to verify your identity before you can access the rest of the system.

While the challenges are undeniable, so is the potential of adopting augmented and virtual reality into the workplace.


About authors

Produced by the editorial team for Secure Futures by Kaspersky magazine