"Rutgers Researchers Discover Security Vulnerabilities in Virtual Reality Headsets"
Researchers at Rutgers University-New Brunswick studied how voice command features provided by Virtual Reality (VR) and Augmented Reality (AR) headsets could lead to eavesdropping attacks. Their study found that hackers could steal sensitive information such as credit card data and passwords communicated via the voice command features of popular (AR/VR) headsets with built-in motion sensors to record subtle speech-associated facial dynamics. They developed an eavesdropping attack called Face-Mic to highlight the existence of vulnerabilities in AR/VR headsets. According to the leader of the study, Yingying Chen, Face-Mic is the first work to infer private and sensitive information through the use of facial dynamics associated with live human speech while using face-mounted AR/VR devices. The researchers demonstrated the performance of a Face-Mic attack to derive a headset wearer's sensitive information with Oculus Quest, HTC Vive Pro, and other mainstream AR/VR headsets. They studied three types of vibrations captured by motion sensors on the AR/VR headsets, including speech-associated facial movements, bone-borne vibrations, and airborne vibrations, finding that both cardboard headsets and high-end headsets contain security vulnerabilities that could expose a user's sensitive speech and speaker information without permission. This article continues to discuss the findings from the study on how hackers could use AR/VR headsets to steal sensitive information communicated via voice command features.