The Wolves of Virtual Reality’s Eternal September
This is the second article (in a series) on issues that face the virtual reality community as it enters a period of rapid and sustained growth. If you need additional context, please begin with the first article in the series, “Before the Eternal September of Virtual Reality”.
Along with a massive influx of new users, how much thought have we given to malicious actors entering the fold?
Griefers aren’t anything new to virtual worlds. In last year’s article, Griefing and the Metaverse, we explored some of the problems that persistent virtual worlds have faced. In recent history, our new virtual reality applications have had precious little exposure to malicious actors. We can expect our isolation to end as more people begin to own VR hardware.
Developers, are you validating inputs on the client side and the server side? Are you hardening your multiuser code against those who would intercept and change their own network packets in-flight, or modify variables inside of application memory? Are you even creating an audit trail of anomalous events? Probably not. Very quickly, we’re going to attract the sort of crowd which will exploit such opportunities.
Security software like PunkBuster and VAC hasn’t had much of a role in modern-day virtual reality applications. Looking into the future, we can expect it to become increasingly important in securing our shared virtual experiences.
In the end, the effects of an attack will depend on how your code uses the data. It might allow for some in-world cheats. It might force another client to visit a specific URL for cross-site scripting (or to otherwise disclose their identity). Then again, it could allow an attacker to launch any process they want and escalate their privileges using known vulnerabilities, granting complete control over another user’s PC. Secure programming techniques are critical in multiplayer code.
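As an added illustration of the server-side validation and audit trail asked about above (this is not code from the article or from any particular VR application), the sketch below checks an avatar position update on the server before committing it and records every rejection. The function name, the packet layout, `MAX_SPEED` and `WORLD_BOUND` are assumptions made for the example.

```python
import json
import math

MAX_SPEED = 6.0      # assumed avatar speed limit, metres per second
WORLD_BOUND = 500.0  # assumed half-width of the playable volume, metres


def validate_pose(client_id, state, update, recv_time, audit):
    """Commit a client's pose update only if the server finds it plausible.

    state:     last accepted pose, {"pos": (x, y, z), "t": server seconds}
    update:    untrusted object decoded from the client's packet
    recv_time: server clock at receipt (client timestamps are not trusted)
    audit:     list that receives one JSON line per rejected update
    """
    def reject(reason):
        audit.append(json.dumps({"client": client_id, "reason": reason,
                                 "t": recv_time, "update": repr(update)[:200]}))
        return False

    pos = update.get("pos") if isinstance(update, dict) else None
    # Shape and type first: never index or do arithmetic on unchecked fields.
    if not (isinstance(pos, (list, tuple)) and len(pos) == 3
            and all(type(v) in (int, float) for v in pos)):
        return reject("malformed")
    # Written as "not <=" so NaN, which fails every comparison, is rejected
    # along with infinities and oversized values.
    if not all(abs(v) <= WORLD_BOUND for v in pos):
        return reject("out_of_bounds_or_non_finite")
    dt = recv_time - state["t"]
    if dt <= 0:
        return reject("non_increasing_time")
    if math.dist(pos, state["pos"]) / dt > MAX_SPEED:
        return reject("speed_limit_exceeded")
    state["pos"], state["t"] = tuple(pos), recv_time
    return True


if __name__ == "__main__":
    # Constructed sample traffic: one honest step, one teleport, one NaN.
    state, audit = {"pos": (0.0, 0.0, 0.0), "t": 100.0}, []
    for when, packet in [(100.1, {"pos": [0.5, 0, 0]}),
                         (100.2, {"pos": [50, 0, 0]}),
                         (100.3, {"pos": [float("nan"), 0, 0]})]:
        print(validate_pose("client-1", state, packet, recv_time=when, audit=audit))
    print("\n".join(audit))
```

A rejected update leaves the server's state untouched, so other clients never see the implausible position, and the audit lines give operators the record of anomalous events that the article asks for.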
Look at our users, too. We tell them “Hey, I just put together a cool game. Would you mind downloading it and telling me what you think?” Sure! Why would anybody not trust a binary that is provided on a well-known virtual reality forum? It is convenient for us to issue a public call for testing, but we’ve been training the user community to accept and to engage in risky behavior. We need to find a better way to recruit testers and solicit feedback.
We also have a brand-new crop of first-time hardware manufacturers. We can only hope that they’ve been given good counsel on security issues. It is convenient to allow customers to update a device’s firmware exclusively through software, requiring no physical intervention. But couldn’t that same mechanism be used by a third party? How easy would it be for a third party to intentionally brick our devices for the lulz?
In the days of Usenet, provocateurs would enjoy great fun by creating situations that brought together two opposing groups in a heated debate. In modern times, how hard would it be for a silver-tongued troublemaker to convince religious fundamentalists that we want to invite their children into our own universe where we replace God with man himself?
Remember the presentation by Michael Abrash at the 2015 Facebook F8 conference where he tells us that “virtual reality done right truly is reality”? It may not be difficult to sell Abrash’s quotes to the religious as something far more sinister: Man’s wish to replace God’s reality with his own.
You may find these scenarios to be alarmist, and I would forgive you for that. Today, the wolf population is nearly undetectable if not zero. Our small community simply doesn’t have this problem today, but we’ve been served notice that this is about to change. As we quickly scale to 100,000 users… to 1,000,000 users… we have serious reason to be concerned. Our defenses have barely been tested, if at all.
Wolves can come in many forms. What other sources of grief should the virtual reality community be mindful of?
UPDATE 4/25/2015: I have come across a related article, “Are metaverse pioneers making the same old security mistakes?”
Thanks to Shawn of Convrge for some post-publication feedback. The final article in the series is entitled “A Call for Shepherds in the Virtual Reality Community”.