Augmented Reality Comes With Cyber Threats Too!

Coming to a smartphone near you today, augmented reality apps herald a new world of opportunities and dangers. While virtual reality (VR) and its separate virtual worlds have been in the public eye for a while, augmented reality (AR) with its subtle blending of both virtual and real contexts is a relative newcomer. However, now that Facebook is using its new camera tools to launch its own AR platform, overlaying graphics on the real world via your mobile screen, AR is likely to gain significantly in popularity.

So, what’s the problem? After all, augmented reality sounds like fun, the way Facebook presents it with examples of creating imaginary rain clouds in your physical living room, or having virtual sharks swim around in your real coffee. There is also plenty of potential for AR in commercial, industrial, health, and educational contexts. Use cases include enhanced street directions, overlays of tutorials on how to install equipment, and so on.

The downside is that augmented reality multiplies the possibilities of cyber-threats or cyber-initiated threats, more than conventional apps, and even more than virtual reality apps:

·       Hacking of devices used to create AR to make them part of malicious botnets – not just smartphones and tablets, but also camera and viewer wearables (remember Google Glass)

·       Collection of considerable amounts of personal data, ostensibly for the marketing programs associated with the AR product in question, but increasing the threat of breaches of this personal information

·       Visual terrorism, using effects such as stroboscopic light pulses and sound to cause distress or harm to users

·       Deception by bad actors that misrepresent or hide real world objects, for instance, by making speed limit or road warning signs disappear

·       “Action-jacking”, like “click-jacking” in which a user’s click destined for one on-screen choice is snatched by a malicious application – In the AR version, a user’s action on screen destined for one action (like dimming room lights) is hijacked and converted into another action (like switching building security off).

On the other hand, the possible causes of these different kinds of threats currently look much like those affecting more conventional applications:

·       Applications rushed for release without sufficient security checks, because of the pressure to get into a promising market early

·       Application programming interfaces (APIs) offered by developers, but which contain security vulnerabilities because of lack of proper security design

·       Vulnerabilities in third party software components, including API libraries, used for companies as a shortcut to market.

Future augmented reality applications may add further security challenges, coming from new requirements such as the need for several AR applications to access information or the screen at the same time. Right now, however, the pressing need is to boost security through rapid, reliable security checks on the risks listed above, while allowing market release schedules to be maintained (like AppInterrogator does). Any solution must also flag vulnerabilities in third party code, even when the original source code is unavailable for analysis (another feature of AppInterrogator). That way, end-users can have their fun watching fake sharks in their coffee, without the risk of being bitten in the process