Virtual reality headsets are touted as gateways to a whole new experience of the digital domain, yet like all connected devices they come with an inevitable hitch — a vulnerability to hackers. A new study is raising new concerns that these headsets may be highly vulnerable to potential security breaches facilitated by their hardware and interface systems.

Case in point, computer scientists at the University of California, Riverside, have shown that VR headsets can be hacked by spyware that exploits the subtleties of our body movements to steal sensitive information and breach privacy.

Augmented reality (AR) and virtual reality (VR) are poised to become the next chapter of our internet journey, enveloping us in digital landscapes that promise experiences ranging from gaming to business interactions.

These digital dimensions rely heavily on headsets that translate our physical gestures into navigational cues—turning, nodding, stepping, and blinking guide us through these parallel universes. Oculus Quest, for example, also supports voice dictation for entering web addresses, controlling the headset, and exploring commercial products. However, researchers have found that this interplay of technology leaves a back door open for potential hackers.

Researchers led by Jiasi Chen and Nael Abu-Ghazaleh revealed how malicious actors can exploit the unique interactions facilitated by these headsets. Using spyware and advanced artificial intelligence, they can covertly monitor and record users’ gestures, translating these subtle movements into words with an astonishing accuracy of 90% or higher. Hackers could potentially accurately estimate the proximity of nearby individuals within a margin of just about 4 inches (10.3 cm).

“In essence, our findings indicate that if one of the applications is compromised, it can covertly surveil other applications,” explains Abu-Ghazaleh. “This includes monitoring your surroundings, detecting the presence of people nearby and their distance, as well as uncovering your interactions within the virtual environment.”

The implications of these vulnerabilities are startling. Imagine taking a pause from an engrossing virtual game to check your Facebook messages using a virtual keyboard. The spyware could stealthily capture your keystrokes, potentially compromising sensitive information. Similarly, during a virtual meeting where confidential data is shared, the minutiae of your body movements could inadvertently leak crucial information to prying eyes.

For instance, hackers could use TyPose, a system leveraging machine learning to decipher head motion signals and automatically decipher the words or characters users are inputting. That’s quite concerning, which is why the researchers hope that their ethical hacking experiment may serve as a clarion call to the tech industry, which will hopefully work to patch these vulnerabilities.

Meta, the company behind Facebook but also Metaverse headsets like the Oculus Quest, is offering bounties of up to $300,000 to ethical hackers who can find vulnerabilities that could allow an attacker to execute malware or take control of a device.

“Our intention is to showcase the potential for attacks, and then provide the companies with a window to address these vulnerabilities before we make our findings public,” Abu-Ghazaleh asserts in a media statement.

The findings appeared in two papers (1 and 2) that were presented this week at the annual Usenix Security Symposium in Anaheim.