A Hybrid, Scenario-Driven Risk Analysis of Security and Privacy in Extended Reality Ecosystems
DOI: https://doi.org/10.56979/1101/2026/1348
Keywords: Extended Reality (XR), Cybersecurity, Virtual Reality (VR), Risk Assessment, CVSS, Social Engineering, Man-in-the-Middle Attacks, Data Privacy
Abstract
Extended Reality (XR) is a recent innovation in human-computer interaction that merges the real and digital worlds. XR systems are actively used in critical areas such as healthcare, manufacturing, and education, so their security and privacy should be investigated rigorously. The immersive, data-heavy nature of XR presents a distinct and broadened range of threats spanning technical, human, and perceptual vulnerabilities that conventional cybersecurity approaches do not adequately address. This article introduces a hybrid, scenario-based risk assessment methodology specific to the XR ecosystem. We combine the formal impact metrics of the Common Vulnerability Scoring System (CVSS) with our own multi-factor likelihood model to provide a quantitative examination of practical attack vectors. Using an experimental testbed built around a consumer-grade VR headset, we perform and monitor scenarios involving malicious application sideloading to steal data and man-in-the-middle attacks to steal credentials. Our results indicate that users' susceptibility to social engineering and the insecure defaults of developer-specific features are the most prominent factors behind the high-risk vulnerabilities. Credential theft via network interception and data exfiltration using unauthorized permissions are the most critical immediate threats. We conclude by recommending practical actions for platform vendors, application developers, and organizations to reduce these risks, including the use of context-sensitive security devices and developing effective user education.
License
This is an open access article published by Research Center of Computing & Biomedical Informatics (RCBI), Lahore, Pakistan, under the CC BY 4.0 International License.




