VR Man-in-the-Room Attack and Command & Control Server Proof of Concept — Bigscreen

Man-in-the-Room Attack and Command & Control Server Proof of Concept — Bigscreen

Cyber Forensics Research & Education Group
Tagliatela College of Engineering
University of New Haven

Our team of researchers (Martin Vondráček, Peter Casey, Ibrahim Baggili) at the University of New Haven discovered that Bigscreen, a well-known and popular virtual reality (VR) application, and Unity, the game development platform Bigscreen is built on, were vulnerable to attack. Bigscreen, which describes itself as a "virtual living room", enables users to watch movies, collaborate on projects and more. Our findings were responsibly disclosed to Bigscreen Inc. and Unity Technologies; see our research paper for details.

The allure of the metaverse, along with VR technologies and the speed at which they are deployed, may shift focus away from security and privacy fundamentals. In this work we employ classic exploitation techniques against cutting-edge devices to obtain equally novel results. The unique features of the virtual reality landscape set the stage for our primary account of a new attack, the Man-in-the-Room (MitR). This attack, realized from a vulnerable social networking application, led to both worming and botnet capabilities being adapted for VR, with potential critical impacts affecting millions of users. Our work improves the state of the art in VR security and socio-technical research in VR. It shares several analytical and attack tools, example exploits, an evaluation dataset, and vulnerability signatures with the scientific and professional communities to support secure VR software development. The presented results demonstrate the detection and prevention of VR vulnerabilities, and raise questions in the law and policy domains pertaining to VR security and privacy.

Please see our video demonstration and our research paper for more details.

⚠️DISCLAIMER: This software is a part of the cyber forensic research carried out by the research group UNHcFREG@TCoE at the University of New Haven, CT, USA. This software was developed as a proof of concept of the Man-in-the-Room attack. Details concerning the research were kept private; the software vendor (Bigscreen, Inc.) was then contacted during responsible disclosure. No harm has been done to the official infrastructure or its users. The authors assume no liability and are not responsible for any misuse or damage caused by this software. This software is intended as a proof of concept only.

The end user of this software agrees to use this software for education and research purposes only.

Screenshot: Command & Control Server. See our video demonstration for more details.

About Bigscreen, Inc.

  • Founding Date: November 2014
  • Public Beta Launch: March 2016
  • Founder & CEO: Darshan Shankar
  • Funding: $14 Million
  • Users: 500,000+
  • Operating Systems: Windows 7, 8.1, 10
  • https://bigscreenvr.com/

Install

  • Run npm install in the .\relay\ directory.
  • Compile the selected payloads in .\relay\payloads\, for example cl evil.c (the MSVC compiler; the payloads are native Windows executables).

Run

  • Run node .\index.js in the .\relay\ directory.
  • Make sure the relayWebSocketServerUrl and webServerUrl settings of the Command and Control Dashboard (.\dashboard\index.html) correspond to the addresses on which the relay and web servers (.\relay\index.js) are actually listening.
  • Open .\dashboard\index.html in a browser.

Command and control dashboard (.\dashboard\index.html) currently does not support reconnecting to zombies after page refresh. Please restart relay server (.\relay\index.js) if you refresh the panel.

Summary of discovered exploits

Each entry gives the type of the exploit followed by what it lets the attacker do.

  • Botnet: Control infected Bigscreen applications from a C&C server.
  • RCE: Independently download and execute any payload (malware, etc.) on the victim's computer.
  • RCE: Run a program on the victim's machine.
  • JS RCE: Open a remote REPL (remote JavaScript eval) on the victim's machine.
  • Privacy violation: Invisibly join any discovered VR room (including private ones). The attacker is not visible in VR, and the attacker's username is hidden from the Bigscreen UI.
  • Privacy violation: Remotely and stealthily receive the victim's screen sharing, application audio and microphone audio.
  • Privacy violation: Persistently eavesdrop on the victim's chat, even if they move to another room.
  • Phishing: Ask the victim to install a "required VR driver".
  • Privacy violation: Toggle the victim's video, audio and microphone sharing.
  • Denial-of-service: Remotely kill the victim's Bigscreen application.
  • Denial-of-service: Kick any user from any room (only the room's admin should be able to do this, and only in their own room).
  • Denial-of-service: Ban a selected user until restart.
  • Impersonation, integrity violation: Force the victim to send any given chat message.
  • Privacy violation: Change the signaling servers of the Bigscreen application.
  • Privilege escalation: Set a selected user as room admin.
  • Phishing: Redirect the Bigscreen UI to any web page.
  • Integrity violation: Change the room's settings (VR locks); only the room's admin should be able to do this, and only in their own room.
  • Privacy violation: Gather all of the victim's logs.
  • Privacy violation: Force the victim to open the screenshot directory; the attacker can see its contents.
  • Miscellaneous: Change the user's avatar.
  • Miscellaneous: Play various sound effects from the Bigscreen UI.

Limitations of current implementation

  • The peer connection used for multimedia transport currently does not fall back to TURN servers. STUN alone was sufficient for this proof of concept: with STUN we were able to connect to users across the Internet without complications.
  • Peer connection establishment is currently supported only with participants who are already in the room. The command & control dashboard does not initiate the connection; it only accepts incoming connections. This was sufficient for this proof of concept.
  • The command and control dashboard currently does not support reconnecting to zombies after a page refresh. Please restart the relay server if you refresh the panel.
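The first limitation above is a WebRTC configuration matter: an RTCPeerConnection only relays media through a TURN server if one is listed in its iceServers, and a TURN entry without credentials is useless. The following is an added example, not code from this repository or from Bigscreen: the STUN-only shape the proof of concept relies on next to a STUN-plus-TURN configuration, together with a check that reports whether a configuration actually has a usable TURN fallback. The server hostnames, credentials and function names are placeholders chosen for illustration; the iceServers / urls / username / credential fields are the standard WebRTC RTCConfiguration fields.

```javascript
// Added example (not the PoC's own code): ICE server configuration with and without a
// TURN fallback, and a check for whether a config can relay through TURN at all.
// Hostnames and credentials are placeholders; the field names are standard WebRTC.

// STUN-only configuration, the situation the proof of concept is limited to.
// STUN only discovers the peer's public address; if a direct path fails, the call fails.
const stunOnlyConfig = {
  iceServers: [{ urls: ["stun:stun.example.org:3478"] }],
};

// STUN plus TURN fallback. TURN relays the media stream through the server, so it
// requires credentials; turns: over TCP/443 also survives restrictive firewalls.
const stunAndTurnConfig = {
  iceServers: [
    { urls: ["stun:stun.example.org:3478"] },
    {
      urls: [
        "turn:turn.example.org:3478?transport=udp",
        "turns:turn.example.org:443?transport=tcp",
      ],
      username: "placeholder-user",     // placeholder; use short-lived credentials in practice
      credential: "placeholder-secret", // placeholder
    },
  ],
};

// The spec allows "urls" to be a single string or an array; normalise to an array.
function serverUrls(server) {
  return Array.isArray(server.urls) ? server.urls : [server.urls];
}

// Return the scheme of an ICE URL: "stun", "stuns", "turn" or "turns".
function iceScheme(url) {
  const m = /^(stuns?|turns?):/.exec(url);
  if (!m) throw new Error(`unsupported ICE URL: ${url}`);
  return m[1];
}

// Summarise a configuration: counts of STUN and TURN URLs, a list of problems, and
// whether a TURN fallback is usable (at least one TURN URL, each with credentials).
function describeIceConfig(cfg) {
  let stun = 0;
  let turn = 0;
  const problems = [];
  for (const server of cfg.iceServers || []) {
    const urls = serverUrls(server);
    const schemes = urls.map(iceScheme);
    stun += schemes.filter((s) => s.startsWith("stun")).length;
    const turnCount = schemes.filter((s) => s.startsWith("turn")).length;
    turn += turnCount;
    if (turnCount > 0 && (!server.username || !server.credential)) {
      problems.push(`TURN server ${urls.join(", ")} has no username/credential`);
    }
  }
  if (turn === 0) {
    problems.push("no TURN server configured: peers behind symmetric NAT or strict firewalls will not connect");
  }
  return { stun, turn, hasTurnFallback: turn > 0 && problems.length === 0, problems };
}

// Usage: in a browser the chosen object would be passed as new RTCPeerConnection(config).
if (typeof require !== "undefined" && require.main === module) {
  console.log("STUN only:", describeIceConfig(stunOnlyConfig));
  console.log("STUN + TURN:", describeIceConfig(stunAndTurnConfig));
}
```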

Publication

This software was developed during our research on the Rise of the Metaverse's Immersive Virtual Reality Malware and the Man-in-the-Room Attack & Defenses. Please see the paper for more details and use the following citation.

@article{Vondracek-2023-102923,
    title = {Rise of the Metaverse’s Immersive Virtual Reality Malware and the Man-in-the-Room Attack & Defenses},
    journal = {Computers \& Security},
    volume = {127},
    pages = {102923},
    year = {2023},
    issn = {0167-4048},
    doi = {10.1016/j.cose.2022.102923},
    url = {https://www.sciencedirect.com/science/article/pii/S0167404822003157},
    author = {Martin Vondráček and Ibrahim Baggili and Peter Casey and Mehdi Mekni}
}

Links