
Is the security of virtual reality (and augmented reality) virtual insanity?

April 16, 2019 by Susan Morrow

Futures made of virtual insanity now

Always seem to be governed by this love we have

For useless, twisting, our new technology

— “Virtual Insanity,” Jamiroquai

Star Trek and the origins of Virtual Reality (VR) 

To be on the Star Trek holodeck must be every sci-fi fan’s dream. This was an area on the ship which used virtual reality (VR) to allow ship members to build dream worlds and to prepare themselves to take on the many alien life forms of the show. And the dream has been with us for a while now; the show first introduced fans to the holodeck back in 1987.

More than 30 years later, we are using the same idea of virtual and augmented reality in as many forms as your imagination allows. Virtual reality systems are being used across many different industries from healthcare to the military, shopping experiences and engineering.

But like many technologies, virtual reality has to be tempered with some security and privacy realities. In this article, I’ll look at how virtualizing our reality may come as a virtual reality shock.

What is virtual reality all about?

To understand the security implications of virtual reality systems, we need to understand what is behind the technology. In simple terms, virtual reality programs create a computer-generated environment which is presented to the user through a user interface, like a headset. In advanced systems, the user can interact with the virtual world via sensors: for example, by using a glove or headset containing these sensors.

A VR device contains three types of sensors: accelerometers, magnetometers and gyroscopes. These translate the movement of the wearer and communicate these data back to the VR system — and often, beyond.

Virtual reality has a myriad of use cases. Healthcare, for example, is applying VR to pain management. In military use, virtual reality is applied to help with situational awareness on the battlefield. And game machines like the Oculus Rift are taking virtual reality out of industrial use cases and into our homes.

Augmented reality is not virtual

Augmented reality (AR) is about applying a layer of information on top of a real-world view rather than immersing the user inside a virtual world. For example, the Swedish furniture retailer IKEA has a mobile app that allows you to superimpose 3D images of furniture into your room before buying.

Both types of computer-generated reality system, AR and VR, need data — and lots of it — to work.

The security and privacy worries in VR and AR technology

Data is usually on the receiving end of cybersecurity and privacy issues whenever a new technology enters our domain. We’ve already seen this with the Internet of Things, which is now on every CISO’s cybersecurity worry list. AR and VR need data to operate, and most of those data are personal and often highly sensitive, including behavioral data. The types of data used in VR and AR products include:

Body movement tracking data

A paper entitled “Protecting Nonverbal Data Tracked in Virtual Reality” by researcher Jeremy Bailenson looks at the privacy issues of nonverbal data. These data, which include eye movements, facial expression and similar, may seem innocuous but are routinely collected by companies. Why? Because they can potentially be used to tailor ads and target customer behavior. According to Bailenson, if you spend 20 minutes using VR you produce over “2 million recordings of body language.” The report also talks about the application of VR in the classroom and the privacy implications of collecting and analyzing children’s attention and facial expressions.

In a referenced article which looked at the privacy policies of VR companies, a number of privacy concerns were identified. These included the fact that companies routinely share VR data with a number of associated affiliates. These body-tracking data are part of our deep-seated identity data and should require special attention in terms of privacy protection.

Virtual reality data and related online transactions

Game machines like Oculus Rift are not just VR headsets. They are connected to online transactions which use personal and financial data. The whole picture afforded by a rich set of data that links personal, financial, body movement tracking, geo-tracking and behavioral monitoring creates the perfect privacy storm.

Facebook bought Oculus back in 2014. Recent Facebook data protection issues, like the 500 million exposed Facebook user accounts, naturally cause concern for virtual reality-initiated privacy violations.

Other data and augmented reality

The ZOZOSUIT is an augmented-reality way to get exact body measurements to facilitate the online purchase of fashion items. The ZOZOSUIT is a set of spandex leggings and top which have a number of markers used by a mobile app to collate your measurements and create a 3D map of your body. These measurements are then shared with the retailer (ZOZO) when you buy a garment so that you get an ideal fit.

This type of data would likely be classified as “special data” under data protection regulations like GDPR. This would mean more stringent protection should be applied than for other personal data like email addresses. The ZOZO privacy policy states that they use ZOZO data “To collect statistical information and use such statistical information for marketing and other research purposes”. It is unlikely that these data can be properly de-identified, as they are linked to online transactions requiring name, address and financial details.

Similarly, the augmented reality apps which use your surroundings to improve customer buying experiences require location data and potentially highly personal data within the home.

Non-data security concerns of VR and AR devices

The security and privacy concerns don’t stop at the data level. Other security concerns cross the bounds of data and into the cybersecurity and personal threat level.

Immersion distraction

Many VR experiences require deep immersion. This is created using headsets and other peripherals such as VR gloves. VR immersion is being used for good in areas such as pain management, but it can also be a security issue. A recent ad demonstrated how dangerous total immersion can be if used for nefarious purposes. In the ad, burglars were able to enter the house and steal a TV set while the homeowner was distracted by their VR headset.

DDoS and malware infection of vital equipment

Virtual reality and augmented reality are being used in critical services like healthcare. VR and AR are often connected to a PC or an app, and devices are now linking the IoT to VR in systems like robot-assisted surgery. If a Distributed Denial of Service (DDoS) attack or a malware infection impacted these devices, it would be disastrous.

The shock of the new – the full data set

The entry of technologies such as virtual and augmented reality has created new cybersecurity threats. Many of these threats are because of new types of data entering the mix.

We have many regulations and laws to protect data such as name, address, date of birth, financial information and, more recently, biometrics. We need, however, to make sure that these laws reflect the data generated by VR and AR devices. Data such as behavioral information, movement tracking and body measurements are highly sensitive. Coupled with other identifiers such as name and financial transaction data, they can be a hacker’s dream. It isn’t too far-fetched to imagine VR- or AR-based systems becoming critical cybertargets because of the scope of data collected — taking identity theft to new heights.




  1. Holodeck, Star Trek
  2. Virtual Reality Pain Reduction, Human Photonics Laboratory, University of Washington
  3. Augmented Reality in Military: AR Can Enhance Warfare and Training, Jasoren
  4. VR and your privacy: How are these companies treating your data?, Windows Central
  6. Hilarious commercial pokes fun at the dangers of getting immersed in virtual reality, TNW
  7. 5 Surgical Robots to Look Out for in 2019, Robotics Business Review
  8. Over 500 million Facebook user records discovered on public Amazon servers, TechSpot
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.