VR headsets vulnerable to 'Inception attacks' — where hackers can mess with your sense of reality and steal your data

Scientists have identified a vulnerability in virtual reality (VR) headsets that could let hackers access private information without the wearers' knowledge. 

A hacker can insert a new "layer" between the user and the device's normal image source. Hackers can then deploy a fake app in the VR headset that might trick the wearer into behaving in specific ways or giving up their data. This is known as an "Inception layer," referring to Chris Nolan's 2010 sci-fi thriller in which espionage agents infiltrate a target's mind and implant an idea the target assumes is their own. 

The VR "Inception attack" was detailed in a paper uploaded March 8 to the preprint server arXiv, and the team successfully tested it on all versions of the Meta Quest headset.

Researchers found several possible routes of entry into the VR headset, ranging from tapping into a victim's Wi-Fi network to "side-loading" — which is when a user installs an app (possibly loaded with malware) from an unofficial app store. These apps then either pretend to be the baseline VR environment or a legitimate app.

All of this is possible because VR headsets don't have security protocols anywhere near as robust as in more common devices like smartphones or laptops, the scientists said in their paper.

Using this new fake layer, hackers can then control and manipulate interactions in the VR environment. The user won't even be aware they're looking at and using a malicious copy of, say, an app they use to catch up with friends.

Related: 'White hat hackers' carjacked a Tesla using cheap, legal hardware — exposing major security flaws in the vehicle