Remote Keylogging Attacks in Multi-user VR Applications
Zihao Su, Kunlin Cai, Reuben Beeler, Lukas Dresel, Allan Garcia, Ilya Grishchenko, Yuan Tian, Christopher Kruegel, Giovanni Vigna

TL;DR
This paper reveals a remote keylogging attack in multi-user VR apps that exploits avatar motion data to infer user keystrokes with high accuracy, highlighting a significant privacy vulnerability and proposing a practical defense.
Contribution
It introduces a novel remote attack method using avatar motion data to extract keystrokes in multi-user VR, and demonstrates its effectiveness and generalizability across applications.
Findings
97.62% keystroke inference success rate
Effective even with multiple users and unseen victims
Proposed defense adopted by major VR platforms
Abstract
As Virtual Reality (VR) applications grow in popularity, they have bridged distances and brought users closer together. However, with this growth, there have been increasing concerns about security and privacy, especially related to the motion data used to create immersive experiences. In this study, we highlight a significant security threat in multi-user VR applications, which are applications that allow multiple users to interact with each other in the same virtual space. Specifically, we propose a remote attack that utilizes the avatar rendering information collected from an adversary's game clients to extract user-typed secrets like credit card information, passwords, or private conversations. We do this by (1) extracting motion data from network packets, and (2) mapping motion data to keystroke entries. We conducted a user study to verify the attack's effectiveness, in which our…
Taxonomy
Topics: Advanced Malware Detection Techniques · Security and Verification in Computing · Advanced Steganography and Watermarking Techniques
