AR and VR Security - What's the big deal?
At IVEA Consulting, we focus on the security of immersive technologies, specifically augmented reality (AR) and virtual reality (VR). Some of my colleagues question this focus and I often hear "Dude, seriously? It's just technology, so what's different about it?". There's a backstory of how I got to this point, and here's the short version: back in 2005, as a student at the Naval Postgraduate School, I wrote my thesis on using immersive virtual environments (at the time, Second Life) to influence the behaviors of our adversaries. Now, almost 15 years later, AR and VR are entering the market. So it is important that we properly protect these systems AND the users.
Immersive technologies are the next level of computing technology to enter the market, beyond mobile and desktop computers. We are going to see some awesome use cases and I truly believe these technologies will be life-changing. Pretty cool, huh? And while there is a lot that is the same as existing IT, there is also quite a bit different. These immersive technologies will require a new approach to security because of these differences, and we'll get to that. Bear with me as I build this up.
Data, Data, Data
Computers have always “known” things about their users. Desktop computers and laptops contain files full of information. They don’t necessarily contain information directly about the user, but they do contain information related to users like calendar appointments or directories with contact information. If obtained by a third-party, a reasonable persona can be developed about the user based on the data available. Someone could know who your friends are, who you're meeting, when you're meeting them, and the likes. Add in emails and browser history information, and all that information together paints a general idea of “you”. So much so that marketers (and even some nation states and foreign actors) have already taken advantage of this with targeted marketing ads based on information contained on your computer. General security controls have been put into place to protect the data entering, leaving, or stored on these devices, but some of the data, like browser history, isn't protected.
Then comes mobile computing. All of the above is still true with mobile technologies, but phones add a layer of fidelity and completeness to that data. Your phone knows your location, is listening to you, and stores other, more intimate information about your life including pictures, video, voice, and even biometric data. Compounding this, a smartphone is a daily companion. It's an alarm clock and a workout partner in the morning, a day planner providing weather and daily schedule information, a rideshare partner, a primary communication device, a gateway to networks, and it even provides entertainment. Your phone knows a lot about you. This time, the data is a combination of general and specific information allowing potentially malicious actors to paint a more detailed picture of “you”.
So what sets immersive technologies apart from traditional and mobile technologies? As my colleagues would say, immersive technologies such as AR and VR are just computers that you wear on your head. These devices contain processors, they store and transmit data, they have communications equipment, storage media, etc, and they are mobile. So why should we approach the security of these devices differently than mobile and traditional computers? We already have controls in place to secure these types of technologies.
Immersive technologies are more personal than either traditional desktop and laptop computers and mobile devices. This is due to their immersive nature as well as to the type of data collected and used to create immersive experiences. This data is specifically about and for you, the user. Examples of data required and collected across immersive applications include location data, eye scan, gaze location, and biorhythmic information such as heart-rate and brainwave data. This data is intensely more personal than any information collected by computers and mobile devices. It needs to be protected, and it will obviously take new resources to do so.
"So hold on, you want me to protect data at the cost of a delay in my schedule and a potential loss of revenue? But...but, I have customers waiting for my cool new VR app that does so many incredible things. Did I mention its VR? And my customers are waiting? " -Anonymous
In other words, as a tradeoff to get to market, security is often overlooked. We've seen it before in other tech products (I'm looking at you, IoT). But there is so much personal data associated with immersive technologies, we can't just skip this part. And we don't have to, NIST has some protections prescribed already, and HIPAA offers guidance, even if it doesn't legally apply to immersive technologies.
The stuff that makes these technologies immersive also creates threats that traditional IT security won't cover. Immersion, for the sake of this conversation, is about the users being provided useful, relevant information in a manner that all but makes the provided information disappear from the user's conscious. In other words, using the device is so natural, and the information it is providing is so timely, relevant and unobtrusive, that despite being digital in nature, it too seems like a natural part of the users' physical world. This immersion creates an underlying psychological connection between you and the technology. Immersive technologies become an extension of you, more so than even a mobile device. When immersive systems are hacked, like a computer or mobile device, the data is subject to interception, manipulation, or denial. The difference here is that when hackers break into immersive systems (consisting of the hardware, middleware, apps, and third-party cloud-based system) it can have some pretty negative consequences for the user and organizations alike. Malicious actors could cause physical harm to users. This can range from simulator sickness resulting from poorly configured or programmed VR head-mounted displays to bumping into walls, tumbling down stairs, or walking into oncoming traffic while using AR systems. There’s also the potential to cause psychological harm through negatively influencing user behaviors and decisions or alter the moods of users.
There are bodies of research looking at how interactions in immersive environments affect people and how these environments can affect behaviors. Take Captology for example. Dr. BJ Fogg from Stanford University conducted research on how computers act as persuasive technologies. By acting in one of three modalities, a tool, a media, or a social actor, computers can influence people behaviors. Computers are inherently seen as trustworthy just because they are computers and are considered intelligent. This intelligence gets translated into power and influence, both of which can be wielded over a user. Another body of research conducted by Dr. Jeremy Bailenson of the Virtual Human Interaction Lab (VHIL) at Stanford discusses, among other things, the ability for an immersive environment to transform social interactions through changing appearances of users' avatars, allowing the environment to track user data, and through changing the immersive environment itself. Protecting against these potential issues will involve more than just technical knowledge. It will require understanding how colors choices and other design considerations affect people, how presenting information in a specific order can lead people to an outcome, how changing the order of information presented to users can result in different outcomes, how avatars can be designed to be influential, and how that design can be personalized for every user, and how manipulating an avatar or the environment in a VR setting can build trust and thus influence. Our existing security methodologies do not account for these potentialities. We need a new approach to security immersive technologies.
At IVEA Consulting, our methodology takes into account traditional IT security, enhanced PII protection, and protection against influence to holistically protect immersive systems and users. If you're interested in learning more, reach out to us. We love talking AR and VR and want to help ensure your user's experience is how you expect it to be.