
Pakko De La Torre // Creative Director

Security and Privacy Risks in Virtual and Augmented reality — Techendo

What is augmented reality and virtual reality?

Augmented reality (AR) and virtual reality (VR) are closely related, but they are not the same thing. Augmented reality enhances or “augments” the real world by adding digital elements to it: visual, audio or sensory. One of the most famous examples of augmented reality in recent times is the popular game Pokémon Go.

Virtual reality, on the other hand, adds nothing to the existing world, but creates its own cyber environment. Interfaces such as a headset or glasses are usually used to interact with virtual reality, rather than viewing content on a screen.

Mixed reality (MR) is similar to augmented reality, but goes even further: it projects three-dimensional digital content that takes the surrounding space into account and is responsive. Mixed reality allows interaction with and manipulation of both physical and virtual objects and environments: for example, a virtual ball can bounce off a real table or wall.

The general term for virtual, augmented and mixed reality is extended reality (XR). The global market for augmented reality hardware, software and services is growing every year. But the rapid growth of these technologies also forces us to think about the associated privacy and security issues.

Security and privacy issues in augmented reality

The challenges of augmented reality

One of the major dangers of augmented reality has to do with privacy. User privacy is at risk because augmented reality technology can observe what users are doing. Augmented reality collects much more information about who the user is and what they do than even social media and other technologies. This raises the following concerns and questions:

Unreliable content

Augmented reality browsers simplify the augmentation process itself, but content is created and provided by third-party vendors and applications. Consequently, there is the issue of content reliability, as augmented reality is a relatively new field and the mechanisms for generating and delivering content are still evolving. Sophisticated hackers can replace a user’s augmented reality with their own, misleading the user with deliberately false information.

Even if the source of the content is reliable, the content itself may be unreliable due to various cyberattacks, such as spoofing, sniffing and data manipulation.

Social engineering

Given the potential unreliability of content, augmented reality systems can be an effective tool to deceive users as part of social engineering attacks. For example, attackers can distort users’ perception of reality by using fake pointers and screens, and make them act in the attackers’ interests.


Attackers targeting augmented reality can inject malicious content into apps through ads. Unsuspecting users click ads that lead to augmented reality sites or servers that are infected with malware and contain unreliable ads, undermining augmented reality security.

Stealing network credentials

Attackers can steal network credentials from wearable Android devices. For merchants using augmented and virtual reality payment apps, such a hack can pose a real cyber threat, as many customers have already registered card and mobile payment app data on their profiles. Attackers can gain access to these accounts and quietly drain all of their resources, because such devices make mobile payments so much easier.

Denial-of-service attacks

Another type of potential security threat in augmented reality is denial of service. For example, users who rely on augmented reality for work may be suddenly disconnected from the flow of information. This is especially critical for professionals who use this technology to perform tasks in critical situations where lack of access to information can have serious consequences: for example, a surgeon unexpectedly losing access to important information coming in real time to his augmented reality glasses, or a driver suddenly losing sight of the road because his augmented reality windshield turns into a black screen.

Man-in-the-Middle attacks

Network attackers can intercept data sent between the browser and the augmented reality provider, augmented reality channel owners, and third-party servers. This can lead to man-in-the-middle attacks.

Attackers can gain access to an augmented reality device and record user behavior and actions in the augmented reality environment. They can then threaten to publish these recordings if the user doesn’t pay a ransom. This can compromise users who do not want their augmented reality games and other activities made public.

Physical damage

One of the most significant security vulnerabilities with augmented reality wearable devices is physical damage. Some wearable devices are more durable, others less so, but all devices have physical vulnerabilities. Keeping them functional and secure is an important consideration. For example, a headset can easily be lost or stolen.

Security issues and threats in virtual reality

Security threats in virtual reality are somewhat different from those in augmented reality because virtual reality is limited to closed environments and does not involve interaction with the real physical world. Nevertheless, virtual reality headsets cover the user’s entire field of view, which can be dangerous if attackers gain control of the device: their manipulation of content can make the user dizzy or nauseous.

Virtual reality issues

Privacy is a serious problem for both augmented and virtual reality. A key privacy issue in virtual reality is the inherently personal nature of the data collected, because it is biometric: iris or retina scans, fingerprints and handprints, facial geometry, and voice spectrum. Examples of such data:

Finger tracking. In the virtual world, the user makes the same hand gestures as in the real world, such as entering a code on a virtual keyboard with his fingers. In doing so, the system records and transmits finger tracking data showing how the fingers enter the PIN. If an attacker can intercept this data, they can recreate the user’s PIN.

Gaze tracking. Some virtual and augmented reality headsets can also include gaze tracking. This data can be used by attackers. Understanding exactly where the user is looking gives an attacker valuable information that will allow him to recreate the user’s actions.

Anonymizing data from virtual and augmented reality activity tracking is nearly impossible because each person makes a unique set of movements. Behavioral and biometric information collected with virtual reality headsets has allowed researchers to identify users with a very high degree of accuracy, which is a real problem when virtual reality systems are hacked.

Similar to zip codes, IP addresses, and voice spectra, data from virtual and augmented reality activity tracking can be viewed as personally identifiable information because it can be used to identify and track a person, either alone or in combination with other personal or identifying data. Therefore, privacy in virtual reality is a serious concern.

Attackers can also embed features in virtual reality platforms that mislead users and force them to reveal personal information. As with augmented reality, this creates opportunities for ransomware attacks that disrupt the platform and then result in ransom demands.

Identity spoofing (deepfakes)

Machine learning technologies make it possible to manipulate voices and videos in such a way that they are indistinguishable from the real thing. If an attacker can access the motion tracking data from a virtual reality headset, they can use it to create a digital model (deepfake), undermining the reliability of virtual reality. The model created can then be overlaid on another person’s virtual reality actions and used to conduct a social engineering attack.

In addition to cybersecurity issues, one of the main dangers of virtual reality is the complete blockage of the user’s visual and auditory connection to the outside world. It is always important to assess the physical safety and security of the user’s environment first. This also applies to augmented reality, where users must be as aware of their surroundings as possible, especially in immersive environments.

Other problems associated with virtual reality, which critics often see as its shortcomings, include:

Examples of augmented and virtual reality

The applications of augmented reality, virtual reality and mixed reality are varied and continue to expand. They include:

Virtual and augmented reality technologies are also used in more serious areas. For example, the U.S. Army uses them to digitally optimize training missions for soldiers, and in China they are used by police to identify suspects.

Oculus privacy issues

Oculus is one of the most famous virtual reality headsets and one of the few companies actively supporting the development of virtual reality games. Facebook acquired Oculus in 2014, and in 2020 announced that future virtual reality headsets would require Facebook credentials. This development sparked a heated debate about Oculus’ privacy.

Opponents of the decision were concerned about how Facebook collects, stores and uses the data, and possibly applies it in targeted advertising. Facebook was also criticized for forcing users to choose services they might not have chosen otherwise. Facebook’s announcement sparked a wave of messages from privacy-conscious users concerned about Oculus security, claiming that they would no longer use the Oculus headset. However, other commenters felt that this was unlikely to hinder Oculus in the long run.

Tips: how to stay safe when using virtual and augmented reality

Don’t disclose overly personal information

Don’t disclose information that is too personal and doesn’t need to be disclosed. You can create an account with your email, but you shouldn’t provide credit card information unless you’re buying something.

Read the privacy policy

It’s easy to miss important points when reading a long privacy policy and terms of use. But it’s worth finding out how companies that provide services on augmented and virtual reality platforms store data and what they do with it. Do they transfer data to third parties? What data do they collect and share?

Use a VPN

Using a VPN is one way to keep your identity and data private online. If sensitive information needs to be disclosed, using a VPN can protect that information from being compromised. A VPN combines advanced encryption with a modified IP address to keep your identity and data private. The uses of VPNs are likely to expand as virtual and augmented reality evolves.

Keep your firmware up to date

It’s critical to update the firmware of virtual reality headsets and wearable augmented reality devices in a timely manner. In addition to adding new features and improving existing ones, updates help to fix security vulnerabilities.

Use a comprehensive antivirus solution

The best way to stay safe online is to use proactive cybersecurity solutions that provide reliable protection against ever-present online threats such as viruses, malware, ransomware, spyware and phishing.
