VRKeyLogger: Virtual keystroke inference attack via eavesdropping controller usage pattern in WebVR

Published: 01 November 2023

Abstract

WebVR is an emerging technology that allows users to experience VR (Virtual Reality) through ordinary web browsers, providing an integrated environment for various VR applications. One important problem in VR technology is how to interact with users securely, in particular how to implement secure text input. A promising approach is to use a virtual keyboard rendered as a VR object: the VR user enters text by clicking a sequence of virtual keys with the VR controllers, and the entered text is then handled securely. However, despite the sensitivity of the input text, we found a critical vulnerability: the VR controllers are not properly protected. The VR controller status can be disclosed to malicious entities, posing a severe threat in which an attacker's website infers the input text by eavesdropping on and analyzing the VR controller's movements. To infer the input accurately, the attacker must address two challenges: 1) determining which clicks correspond to the virtual keyboard and 2) identifying which key is pressed. In this paper, we propose a new keystroke inference attack framework, VRKeyLogger, that addresses these challenges with two key components: a key-click classifier and a key-click identifier. The key-click classifier distinguishes clicks on the virtual keyboard using an SVM classifier trained on the major features of VR controller usage. The key-click identifier then identifies which key is pressed by transforming the clicked position into the local coordinate system of the virtual keyboard. We implemented a proof-of-concept prototype and conducted a user study with nine participants. In the extensive user study with three real-world WebVR applications, VRKeyLogger achieves classification and identification accuracy of 93.98% and 96.8% on average, respectively. This implies that the proposed attack poses a serious threat to WebVR security.
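The key-click identifier step above rests on a plain coordinate transform: a click point in world space, expressed in the keyboard panel's local frame, lands in one key cell. The following is an added example, not code from the paper or from any of the keyboard libraries it evaluates; it implements the local-frame hit test that a virtual keyboard itself performs, using a constructed layout, key size, plane tolerance and panel pose (position plus yaw), all assumed. The point for defenders is that nothing here is secret: the panel's world transform and layout are ordinary scene data, so the only thing standing between an observer of controller poses and the typed text is whether that controller state is isolated from other origins.

```javascript
// Added example (not from the paper): the local-frame hit test a WebVR
// virtual keyboard performs to turn a controller click into a key label.
// Layout, key size, tolerance and pose below are constructed values.

const LAYOUT = ["qwertyuiop", "asdfghjkl", "zxcvbnm"];
const KEY_SIZE = 0.05;          // metres per key cell (assumed)
const PLANE_TOLERANCE = 0.02;   // max |local z| for a click to count as on-panel

// Keyboard pose in world space: position plus yaw (rotation about Y), in radians.
const KEYBOARD_POSE = { position: { x: 0.3, y: 1.2, z: -1.5 }, yaw: Math.PI / 6 };

// Rotate a vector about the Y axis by angle theta.
function rotateY(v, theta) {
  const c = Math.cos(theta), s = Math.sin(theta);
  return { x: c * v.x + s * v.z, y: v.y, z: -s * v.x + c * v.z };
}

// World-space point of a panel-local point (what the renderer does when drawing).
function localToWorld(local, pose) {
  const r = rotateY(local, pose.yaw);
  return { x: r.x + pose.position.x, y: r.y + pose.position.y, z: r.z + pose.position.z };
}

// Inverse transform: express a world-space click in the panel's local frame.
function worldToLocal(world, pose) {
  const d = { x: world.x - pose.position.x, y: world.y - pose.position.y, z: world.z - pose.position.z };
  return rotateY(d, -pose.yaw);
}

// Local centre of the key at (row, col); rows are centred on the panel origin.
function keyCentre(row, col, layout = LAYOUT) {
  const cols = layout[row].length;
  return {
    x: (col - (cols - 1) / 2) * KEY_SIZE,
    y: ((layout.length - 1) / 2 - row) * KEY_SIZE,
    z: 0,
  };
}

// Map a world-space click to a key label, or null if it misses the panel.
function keyFromWorldPoint(world, pose = KEYBOARD_POSE, layout = LAYOUT) {
  const l = worldToLocal(world, pose);
  if (Math.abs(l.z) > PLANE_TOLERANCE) return null;      // click not on the panel plane
  const row = Math.floor(layout.length / 2 - l.y / KEY_SIZE);
  if (row < 0 || row >= layout.length) return null;      // above or below the rows
  const cols = layout[row].length;
  const col = Math.floor(l.x / KEY_SIZE + cols / 2);
  if (col < 0 || col >= cols) return null;               // left or right of this row
  return layout[row][col];
}
```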
