Security Explained: Eyes-on Oculus
24 June 2021
With VR headsets becoming more and more available, our engineers decided to see what the security is like on the Oculus systems.
Back when we started hacking and conducting penetration tests, things were much easier. Nobody knew about security, and nobody took it seriously. With the rise in VR's popularity, we wanted to make sure this mentality hadn't persisted across several technological generations.
Where do we begin?
Firstly, we have to establish our intent. We wanted to discover whether we could hack games on the Oculus. If the answer was yes, we wanted to know how difficult it would be.
Just like with mobile phones, there's a strange misconception that because the device isn't strictly a computer, it can't be hacked. Phones and VR devices are basically miniature computers! They're not special private containers; they are just devices. And any device can be attacked.
Our intention is to target the game server and its features because the people looking to abuse these games will be doing just that. The core security is what we wanted to verify.
The headset itself
We know that the Oculus is based on Android and that any games installed would be located on the device itself.
With the open-source nature of an Android system, we knew where to start. From there, we were hoping to redirect the game traffic to our PC and to get an in-depth look at the game files.
Can it be done?
In short: yes, absolutely. Over a quick two-hour hacking session, two of our engineers were able to gain full access to the files of any game they had. With developer mode enabled, they were able to access the directories and all the files within them. With that, we had full access to the game executable, the '.APK' file (the Android equivalent of a '.exe').
How did we do it?
We used a widely accessible tool, the Android Debug Bridge (ADB). It lets us connect to Android devices and browse through the files we had gained access to.
It also lets us easily download the game binary, modify it, and then re-upload it. In no uncertain terms, this meant we could use any modified version of the game we wanted. There were no real issues in doing this, and nothing stood in the way.
Of course, our speciality is securing online multiplayer games, so we wanted to intercept the traffic. As we mentioned, Android is open source. Even so, we were expecting tougher resistance. That openness is a design decision on Android's part, and it has its benefits. However, no one is considering security on Oculus.
Using our proprietary Man-in-the-Middle (MitM) tool, we began our interception. The difference here is that the target wasn't a typical computer, but it was still on the same network as our computer.
Because we owned the network, we passed the data through our PC before letting it continue. We used the same method we use to penetration test mobile applications: moving the hacking process somewhere stable and manageable to conduct our tests.
What does this all mean?
Well, the question we posed was, "Could we hack it?" The answer is absolutely yes. And from there, how difficult is it?
Unfortunately, the answer is that it is quite easy. We were able to intercept and modify core files with remarkable ease. Additionally, it was very straightforward to intercept all incoming and outgoing traffic from the Oculus, with the aim of payload modification for security testing purposes. While it's exciting to delve into the nature of this security, it's unfortunate for us to find this result.
While the Oculus isn't insecure by design, the developer's application has to be secure. In our experience, VR developers do not seem to be aware of the vulnerabilities in their applications on VR systems. We'd like to change that and ensure a healthier, safer system for all users online.