Your new reality—how crooks can hijack your augmented world
As augmented reality becomes a part of your life, researchers warn security gaps could hurt you in the real world.
You get a message on your phone.
“Battle is starting in one minute. Get ready.”
You raise your phone like a gun. Through the camera, you see the real world around you.
New augmented reality laser tag game called Father.IO. Image via Father.IO on Indiegogo
But now, your phone is a weapon. Looking over the barrel of your virtual sniper rifle, you fire, “killing” a man standing nearby.
He’s “eliminated,” your phone tells you. And you’re off to find the next victim.
This is Father.IO, an augmented reality game where you can take over territory in your own real-life city and defend it from other players.
Your phone becomes your gun in Father.IO, an augmented reality laser tag game. Image via Father.IO on Indiegogo
A YouTube video describes Father.IO as a “mobile FPS [first person shooter] game about to tear apart our society.”
But the technology behind the game may be the real society-changer.
Some predict augmented reality, also called AR, will be the “next big thing,” a market reaching $90 billion a year by 2020, according to AR company Wikitude.
That means almost everything you use now could become “augmented”—not only your phone, but your car and other devices, too.
Continental & DigiLens are developing augmented reality windshield displays for cars. Image credit: Continental
As you’re driving, your windshield shows you the fastest route through traffic. As you’re walking, your phone’s screen shows you ratings for the restaurant to your right, and a dating profile for the woman on your left.
To make it easier to use, you may wear your screen as glasses, with virtual images popping up as you stroll.
Convenient. Informative. Helpful. But also, experts say, potentially dangerous, as crooks trick you with fake images and suck your information out through the very technology designed to help.
“Just because it’s AR doesn’t mean it’s going to be any safer,” said Cameron Camp, security researcher at cybersecurity company ESET.
“As AR becomes more popular and widely used, hackers will start finding and leveraging new exploits,” said Suman Jana, assistant professor of computer science at Columbia University.
AR vs. VR
With virtual reality, you see a completely digital world.
With augmented reality, you see the real world through your screen, but with virtual images added on in various places.
But who’s adding on those virtual images?
Researchers say criminals can infiltrate your AR system and put up false info or pictures.
It could be as simple as showing a good rating for a restaurant that actually gets bad reviews. Or it could be as serious as covering up a stop sign so you drive right through it.
“Augmented reality is not going to change ethics,” Camp told Archer News. “Scammers will still try to go after you if they think they can trick you into giving them something of value.”
AR = Augmented risk?
Jana took a close look at AR security with his colleagues while at the University of Texas at Austin in 2015.
Their report came to an unfortunate conclusion, that popular augmented reality technology is actually less secure than the Internet technology and systems you currently use—which already leave gaps and holes for bad guys to get in.
“Architectural flaws in these mechanisms result in security and privacy vulnerabilities,” the paper said about AR technology and systems.
How it works
When you open your laptop and connect to the Internet, you decide which sites to visit—although sometimes bad guys can hijack you and take you to a site you didn’t plan to see.
With AR, it’s different, according to the University of Texas research.
As you’re walking or driving, items you see—or places you go—can trigger the AR connection.
That means you may not be choosing who connects to you.
The image or location is choosing for you.
Crooks could tell any phone or car to automatically trigger their malicious AR channel when the camera sees a certain sign, for example, the researchers said. And they could do it without you even knowing it.
That and other attacks could allow them to throw up false images, spy through your camera and microphone, and steal your sensitive data—with you none the wiser.
They could set up an illegal system to monitor all AR devices for certain license plates—or faces—to track you around the world, the researchers warned.
Lack of control
With your laptop, you use a browser to go to sites on the Internet.
With AR, you use a special AR browser that connects you to AR channels.
Jana and his colleagues analyzed three popular AR browsers—Junaio, Layar and Wikitude—in use on more than 30 million devices.
All three had security and privacy issues, they said.
Some had more issues than just spying and stealing. On some AR browsers, criminals can trick you into clicking on bad things by putting a legitimate AR image over a malicious AR image.
For example, the researchers showed how crooks could put a friendly tweet over a malicious tweet, fooling you into clicking and sending it to the world.
The researchers encouraged AR tech developers to make sure you and other users can see who’s accessing your device—among other solutions.
Layar encouraged companies to use its AR technology to enhance ads you see in print. Image credit: Layar
Another issue is what the camera sees, like credit card numbers, valuable work info, license plates and people’s faces.
The AR browser collects that extra info and sends it to a server for processing, the researchers found. But thieves can steal that info along the way.
Security and privacy “are often overlooked in the design of the existing AR browsers,” the researchers said.
They said they reported the issues to all three AR browser companies in the hopes the problems would be fixed.
Then & now
That was 2015.
“What about now?” we asked Jana.
“I don’t think the security and privacy aspects of AR technology have improved significantly since the publication of our paper,” he responded. “Most of the risks we talked about in the paper are still valid.”
“Fixing some of the reported issues will require major changes to the design of the AR applications,” he answered.
Wikitude advertises that its technology can make it look like a spaceship is landing on a picturesque landmark. Image via: Wikitude
What do the companies say?
One of the three AR browsers the researchers analyzed, Junaio, is no longer in business.
Archer News contacted the other two, Layar and Wikitude, to see if they fixed the problems raised by researchers.
Layar never answered. The company also never answered the researchers’ queries in 2015.
Wikitude did answer the researchers in 2015, saying they were aware of one of the flaws and were looking into adding security mechanisms, the paper said.
But now, in 2017, the company seems to have little to say about the security issues.
Archer News sent Wikitude a link to the paper and asked if the company had fixed the problems raised.
A Wikitude public marketing and sales manager told Archer News they didn’t have time to read the researchers’ paper before the story deadline.
We extended the deadline and summarized the security issues for Wikitude.
But Wikitude stopped responding entirely.
AR & you
You will have new responsibilities when using the new technology.
Don’t walk into the street—or off a cliff—while looking for the new Pokemon Sclablet or Bifdarnger.
Don’t watch cat videos in the corner of your windshield while driving.
But when it comes to security, some say the companies behind the tech need to step up.
“I think the responsibility lies with the companies designing these new AR technologies to consider addressing security, privacy, and safety issues as a core part of their designs,” said Franziska Roesner, assistant professor of computer science and engineering at the University of Washington.
Marines at Quantico train “by injecting virtual images, indirect fire effects, aircraft, vehicles, simulated people, etc. onto a real-world view of one’s surroundings” in 2015. Photo credit: Office of Naval Research via Foter.com / CC BY
Good & evil
Roesner and other researchers have raised concerns about the possible dangers of AR.
The technology could help many people, showing you how to change a fan belt, for example, or helping a surgeon make the safest and most precise moves in surgery.
It could become the eyes or ears for a disabled person, guide pilots landing planes, and transform your world into a multi-dimensional place rich with helpful information.
But it could also be used against you. Is that a real car in front of you, or not?
“In the extreme, with future AR technologies, users may not be able to distinguish physical from virtual content!” Roesner said to Archer News.
Many people are already using some form of AR, and not just Pokemon GO—IKEA apps that let you test out a piece of furniture in your home before you buy, museum tours that give you helpful info about what you see, language apps that replace an image of a sign in, say, Russian with a sign in English, and more.
It won’t be long before it takes over your phone, your work, your life, experts predict.
Marketers will try to influence your every move with images or info meant to draw you in.
“It’ll become more the norm in the same way today it’s difficult—or getting virtually impossible—to unplug digitally,” Camp said.
The Continental heads-up display shows images on your windshield. Image via Continental
Security experts aren’t seeing AR crime right now.
But if the companies and people making the technology don’t focus on security, digital crime could go further than ever before—literally, in your face.
Some say AR companies will eventually catch up to the security and privacy issues. Some companies may already be there.
And for now, your biggest AR risk may be the guy next to you getting a little too excited when playing Father.IO.
But in the future, keep watch for augmented fakery designed to hurt you or steal your money.
“You have to keep what we call your ‘spidey senses’ up,” Camp said. “If something looks too good to be true, it is.”