Malicious Reality—The Future of Threats in AR and VR


Malicious Reality—The Future of Threats in AR and VR: Detect ‘19 Series



TIM DUCKETT: The name of this is malicious reality.

What we're going to be doing is taking a look at some of the future opportunities and threats that we see in virtual, augmented, and mixed realities.

And it's important that we talk about them as separate entities because they all have very different areas that they're going to be focused on.

Different industries are going to be able to utilize these in a lot of different ways.

So a little bit about me.

Again, my name is Tim Duckett.

I am a CSM in the Customer Success Organization for Anomali.

I'm talking about this type of stuff because I'm an enthusiast.

I'm someone who enjoys kind of tinkering around with these types of technologies and thinking about what we can do with them.

If you know me, I may have met you before.

I've worked with Sony and LogRhythm in my previous jobs.

And there's one thing you probably want to know about me.

It's that I'm a Green Bay Packers fanatic.

I'm born and raised there.

So if you have anything to say about the Bears, Vikings, or Lions, it has to be basically that they're garbage for us to talk.

[LAUGHTER] So kind of what we're going to be talking about.

So the internet is no longer just a screen in front of our faces.

It's more than that.

With the advent of things like the internet of things, we're seeing our entire lives basically can become represented in the digital world, whether that's a video screen on your-- [CLEARS THROAT] excuse me-- a video screen on your fridge that shows you these are the foods that you have inside or now at the moment, or if we're talking about some of the more interesting things like Oculus Rift, and you're playing a game where you're fully immersed.

This is the areas that we're looking at nowadays that not only do we interact with these things, but they overlay every aspect of our lives, or they will be overlaying every aspect of our lives.

Now, this is the evil side of it, if you will.

Like anything, the internet spreads.

There's good and bad things that we can do with this.

One of the original first viruses Elk Cloner, right, things like BitLocker and Stuxnet, these are all different ways that people are taking advantage of computer systems and the operations that go on within.

In the case of AR, MR, VR, these provide a lot of new areas and things that, even now, we're not really good with basic security, as it is.

And this is going to add a lot more layers and complexity to those.

Whether you're talking about hackers, terrorists, or just plain criminals, there's a lot of areas that they can take advantage of and abuse.

And customers and enterprises are going to need to defend against this because, one, your customers, most likely, they're going to want to use AR and VR and all this type of stuff going forward because of the ease of use.

A lot of things that take a lot of time and skill to build in these type of environments you can overlay.

Well, like we see now, Anomali's just debuted the Lens, which is a very early form of AR.

It's a data overlay on the world.

And as we get deeper into this, as big data and internet connectivity and all that type of stuff gets better and the technologies behind it get better, we're going to see even more interactivity and more overlay in what we do.

So the idea really is, are we prepared for that?

Now, where are we right now?

Virtual reality has progressed a lot from where it used to be.

And in the early days, most people were just worried about, am I going to get sick putting this thing on?

Am I really going to believe I'm in virtual reality?

One of my first experiences with this was, if you remember the movie Hackers, and the evil guy was playing in his room one day with a virtual reality.

He's going like this.

And as a kid, I thought that was probably one of the coolest things in the world.

And so now you don't have to worry necessarily so much about the vertigo and the headaches.

But it's how am I being compromised?

Is there some way for someone to get into my information, to get into what I'm doing?

Because there is a lot of different things that we see now with this type of technology that we also saw with the advent of early technologies, like the cell phone, where we kind of run ahead of what we know, and we seek to pretty much do whatever we can.

And usually, as most of you know, security often suffers in that.

So where are we going?

So you can see right now this is kind of an interesting video.

This is someone who is basically in their living room, but they're not in their living room.

They're playing a game, an interactive game that allows them to take advantage of their environment and take advantage of huge amounts of processing power but right in front of their face.

If you'll notice over here, right now in 2019, you're looking at a market for AR and VR products at about $20 billion.

Now, compared to things like video games and everything, that's still very much small fish.

But as this continues to expand, they're looking at by 2022, at $56 billion.

We're looking at a doubling of the market and possibly even more.

So that type of money is going to lend itself to a lot of different devices, a lot of different things that are happening.

And yet, as any of you know, where there is money, there are people who are going to try to steal it, take advantage of it, and then do all sorts of things.

Now, as I was saying, virtual reality has a myriad of use cases.

We're talking about health care.

VR is already used right now in pain management.

If you're talking about military use, VR is already applied right now, via our soldiers are training on virtual reality, augmented reality systems where they're able to perform deadly operation maneuvers and things like that but in a much safer environment.

So with this type of stuff, you're able to train in the same way.

You're able to interact in the same way as you would in the real world.

But you're vastly decreasing the lethality sometimes, when you're talking about the military, of such exercises.

And that can only be a boon if you're not going to be killing your people when they're training, at least from a military aspect.

And the same thing with health care.

With health care, besides pain management, we're also seeing in therapies and things like that.

Soldiers, again, are also using virtual reality for PTSD.

They find with this type of immersion they're able to expose their patients and everything to their fears without actually having to have-- if you're afraid of spiders, you don't necessarily want to go into a room full of spiders.

But using virtual reality, they can slowly immerse them, starting with a virtual spider they can only see on their arm to getting a little bit deeper.

So these types of things are only going to become more immersive in the future.

And that is for the good of VR and AR and everything because, like any of those technologies, they allow us to do more with less.

Now, the value of this data, the incorporation of a VR and AR into our everyday lives is probably something that most people don't really comprehend.

It's one of those things that when we think about it, we think, oh, I have a laptop.

I have all these devices at my house.

They're there.

But with AR and VR, they're not just there.

There is an overlay, as I was saying.

There is a lot more to that world than just a simple device.

And because of that, businesses are going to be able to do a lot of different things.

They're going to be able to harvest data on unprecedented scales.

And it's not just what's your log-in, what's your password, that kind of stuff.

But it's going to be things like how do you move?

What are your facial tics?

What are things that-- how do you respond when you're frightened?

All these types of things we may not necessarily think as important, but from a marketing standpoint, from someone who's trying to get to you, whether it's a military, government, or just other groups, all that type of information can be used to paint a picture of you that right now, even nowadays, with the amount of information that's available about most people, you can paint a general picture of this is what this person likes.

This is the type of person they tend to be.

This is a type of customer that they are.

And so the value of AR and VR data is that it's just more detailed.

It's more use case in real-world scenarios because they know that this is not just some consumer telling us we like this, we use this all the time, but they don't.

They'll have hundreds of repetitions that this person maybe has done picking something up or grabbing something off their shelves, and so even the line of sight that they use.

So when they're walking through their house, and they see what they're looking at, if they see, hey, this person's looking at this picture of a boat all the time, that type of data can become something that all of a sudden you're seeing advertisements for it.

So the technology's not going to just be any one field.

It's going to be in health.

It's going to be in medicine.

It's going to be in agriculture.

It's going to be in the boardrooms, right?

It's basically going to be in just about everything that we do and touch because what area do we not have that wouldn't be beneficial to having more information, to knowing how to do something without having to have the 10,000 hours that's required to become an expert?

So with 3D visualizations, you really are able to get the right tool at the right time.

And it's not a matter of we don't have the money to buy something.

A lot of this stuff is going to be represented in 3D virtual representations.

It's going to be more about having someone program something for you that can then be used hopefully across a myriad of platforms, where you're able to take a picture.

And that picture might be able to become a map.

And you can basically use that and be able to share that type of thing.

And that 3D virtual map will be the same across those.

So with these types of things and the insights and everything, as I said, you're able to generate a lot of different stuff.

Sorry about this.

So the last item here, the collaborative environments, and the next picture is kind of going to talk about that.

But we often think that we work in kind of a bubble.

And VR and AR could allow us to kind of pop that a little bit and be able to work, not just across state lines, across countries, but with people who don't speak the same language.

With AR and VR, we're not just talking about these virtual environments.

We're talking about everything that goes into that.

That's machine learning.

That's AI.

All these types of things are also going to be incorporated into these experiences.

I think every one of us has been at a point with some technologies where we're looking through their guide; we're looking through their glossary.

We have a support ticket open, and we just-- we don't get it, right?

And you kind of want to talk to someone that has an encyclopedic knowledge about something.

And so this is one of those areas where with AR and VR, you could do that.

You could create an AI-based virtual representation of all the encyclopedic knowledge that you have for your company, your product.

And you could interact with that.

Customers would be able to hopefully speak to that in a natural human voice pattern and be able to interact like they would a regular customer.

That level of interaction and detail and ability to grab information is going to be huge because, again, you're no longer waiting on a ticket to come back.

You're no longer waiting on a lot of different things.

The information is there.

And you can collaborate with people instantaneously.

And hopefully with the advent of some of these natural language processing and all this type of stuff, you'll be able to talk in these environments.

And no matter where you are, if you're using English, it's going to be able to translate that to English.

If you are using Spanish, French, any of these other languages, we would then hope that those same ability to hear someone speaking English and have it directly translated to you in Mandarin or something.

Like I said, that type of interaction and ability allows your customers to do more with your products, to become a lot stickier, if you will.

So some clarity, right?

When we talk about AR and VR and all these different things, it's a huge monolith.

Most people think AR and VR and that type of stuff is all one thing.

And for the last probably 10 to 15 years, AR, VR, that really all has kind of been thrown into one big pool, if you will.

Now, this is-- again, it's probably not 100% complete.

But it kind of shows you there's a lot of repeating players in this market.

And there's a lot of different areas, as I was talking about, where this type of technology is already happening.

In terms of reality capture, a lot of you have probably already seen things like Lord of the Rings and all this.

A lot of the technologies that they're using, the motion capture and all this, it's predicated on these types of areas that you're seeing now much more in movies.

You're even seeing it in some television shows, where these types of cameras and everything are being used.

And they're providing a level of interactivity.

For those of you who are NBA fans, the NBA actually has a virtual reality setup that they use during games, that you can actually put on NBA courtside, basically, where you're able to sit in a virtual environment and interact like you paid several or thousands of dollars, depending on what team you root for, to sit there.

So again, it's interactivity with that type of stuff.

You're drawing people in.

We also have a number of different tools.

And a lot of you are probably going to be familiar with some of these tools because they're not just used in AR and VR.

You have Nvidia.

You have Unity here, Unreal Engine.

A lot of these companies are very big on the gaming side.

So you're seeing a lot of game companies not just-- they're not just in games anymore.

Now they're creating tools for other people to use.

You're seeing them in entertainment.

You can see a lot of here a number of repeats for Oculus and Facebook.

Oculus, because of their Facebook backing, has a huge number of areas that they're kind of getting into now with sporting events, with entertainment.

But as you can see, this is no longer just a-- it's not really an emerging field anymore.

It is a field that is already populated by a large number of big players.

And it's really at the point now where it just needs the mature technologies.

For any of you that are familiar with the Oculus systems-- or show of hands, who has used an Oculus Rift or a virtual reality?

OK, couple in here.

So right now there is several different things on the market.

I'm going to be talking primarily to the Oculus side since that is the largest one in the market.

So what we see right here is one of the original versions of the Oculus Rift system.

Now, you'll notice there's a lot of cords.

We have sensors over here.

And we have our controllers.

And this might seem very different from what I'm talking about with the freedom of use and the ability-- this is partially where we've seen the holdup with a lot of these.

You can't really do much when you're tethered to your computer.

This type of technology, at least right now, requires a good old-fashioned desktop to run the biggest and the high-end programs that there are.

Now, this is changing.

We have right now the Oculus Quest.

And there's one individual here who happened to have won one of those this week.

That device there is a standalone.

You're actually able to move freely about and kind of play a lot of VR games.

Now, it is not the same as this device here, because it is still mobile phone based.

The power and the actual communications ability of the Oculus Quest is just-- you're still not able to get the same type of visuals and the same type of power draw.

So while we have seen this get better, we are now coming out with the third generation, if you will.

And this was actually just announced last week.

So I didn't have a chance to put some of the information that I wanted into it, but Oculus just had their Oculus Connect. And so the big news that was announced with this is that while their original version for the Quest still relied upon hand controllers and everything, their newest version will not.

It will rely only on a headset device.

And this is pretty big because it's going to have what's called inside-out tracking.

And it will be able to track your hand movements.

And this opens up a lot of applications.

It opens up the ability now-- because you're no longer having to have controllers, and you kind of have that limited motion, it's going to open up the next wave of, all right, I don't need a keyboard now.

If I have one of these, I can put this on and be able to type, be able to do some of these things where instead of carrying a giant laptop that has to have all these different plugins, you can carry your headset.

And that can be your laptop, your keyboard, your planner.

All the things that we have in our phones and our laptops can now be right in front of you.

And someone who has to travel a lot and is always kind of running around with kids, the ability to grab something and throw it up in front of me and then not have my children destroy it or be able to mess with it, that's pretty gold.

So I'm looking forward in that respect to-- a lot of these things now are getting to the point where, well, that's possible.

The technology now is at the phase where we just need to find a company that can create a product that people are excited about.

So a little breakdown, because, again, AR, VR, all this type of stuff, it can be confusing.

Virtual reality is an immersive digital environment.

This is typically through now the use of phones is what you're seeing a lot more.

But it used to be a lot of heads-up displays.

And depending on when you're thinking of VR, in the '80s it was those ginormous tethered connections.

Now it's this type of stuff.

But it's really something that covers your eyes and your ears, and it's providing you an immersive environment.

The holodeck from Star Trek is probably the best correlation for that.

Now, on the opposite side of this is the mixed and the augmented reality.

These take place in the real world.

And again, they're also through phones and HUD and things like that.

But in this case, we're talking about overlays.

This can be anything from-- like the Lens is considered a-- it's a very early form of augmented reality.

It is something that sits over the top.

But you're also seeing this now in Teslas and things like that, where they have the overlay of your speed and some of the times the mapping and everything that will show up in front of you on the dashboard.

So that type of augmented and mixed reality, it's already becoming much more prevalent.

We don't necessarily know that that's what it is.

But those type of displays are only going to get more immersive, more user friendly.

And they're only going to have the ability to provide a lot of different things, again, from things like road signs to our own type of cyber security tools.

So with virtual reality, the emergence of a lot of these internet-connected products is radically changing.

And it's going to be reshaping how companies do a lot of different things, how they talk to their customers, how they interact with their customers.

And as we said before, it's going to expose them to a lot of new threats, as well as opportunities.

They are going to be controlling massive amounts of product and user data because of these types of systems.

So the idea of, hey, how are you gathering it?

Where's it being stored?

And, you know, are you doing any analysis on it?

And this isn't just for any one thing.

This is on all these data sets for a variety of applications.

As we see more employees embrace that, you're going to see more training happening.

And you're already seeing this type of thing, as I said, with military.

And, again, in any fields that have a lot of risk and a lot of danger associated with them, you're seeing this type of incorporation happening to allow, again, users to be able to experience the environment that they need to learn but without having to worry about being killed.

And there's also some constraints here of dealing with complex products, right?

You're no longer going to have to worry about really lacking data and insight.

With these virtual products, there's a lot of different ways that you can harvest not only what the customer's doing, but how they're interacting with your product.

If you find out that, again, something very small like 70% of the people who use your product are right handed, and so when they interact with it, they like to spin the things with their right hand, that may seem inconsequential to most people.

But if you're a digital artist, if you're someone who's advertising, then you know, all right, if we're doing this, what are the first things that they see?

How can we entice them more?

So again, the complex products that you have can now be broken down into where are they using it?

How are they interacting with it?

And if they're not interacting with it, why?

What do we see when users get here?

Do we see someone pounding their fists in the virtual environment because they can't get it to work?

All that type of stuff is going to help, where the issue usually now is that the bottleneck lies in how humans have to interact with these things.

And so in this case, the machines are interacting for us with the data to just give us the answer rather than now, where we have to kind of interpret what our customers are saying and try to understand, OK, two months ago, this is what you were doing.

Again, with virtual reality, we can go into that.

And we can look at literally what they were doing at that time to understand what was happening in the moment.

So as with anything, more tech, more problems.

Even in 2019, many VR systems don't, by default, incorporate encryption in their systems, which, again, when we think of early markets and everything or the early cell phones, that is-- even nowadays, with the apps and things like that in the App Store, that's all not that far off from the mark.

But because of the amount of information that we're dealing with, because of the type of personal information that we're dealing with, these types of things become much greater, much bigger risk.

The interesting part about VR right now is that while you have some of those big players that we're talking about, you still have the traditional third party that provide a large number of the apps.

There still isn't a huge middle-to-large company set of traditional VR-AR players, other than the Googles and things like that.

And again, they're more worried about overarching things with these industries rather than specific use cases, in a lot of instances.

But something to think about, right, these third-party apps, they're usually-- and if anyone is a third-party app maker, again, I don't want to cast you in a bad light.

But a lot of the times these third-party apps, they usually have dubious security architecture.

Their policies are either small or nonexistent.

And their development practices are create something as quickly as possible to get it to market so that we can, again, make money on this.

And this opens up for a lot of different areas.

One of the things that was kind of looked at was a future malicious actor could do a lot of different things.

Let's just say we're talking about playing a game, a virtual or VR game, Second Life.

I don't know if any of you are familiar with Second Life or anything like that.

But this is a good use case for that because you're creating a representation of yourself in a virtual world.

Now, a future malicious actor, where this type of thing is much more tied into the real world, maybe you have an actual citizen bio or something like that.

A lot of different things in the future could be tied to VR and AR systems for government, for industry.

So in this future we're looking at, a malicious actor might be able to copy your avatar, right, the digital representation of yourself.

And if we're linking large amounts of PII information to these things, that type of information will be harvestable by them.

And again, we were talking before about it's not just their social security or anything like that.

It's the fact that we know that this person, when they're trying to-- when they turn to the right, they have an issue with their hip, and they can't do it that fast.

It's these little things that by themselves don't necessarily mean too much.

But when you're able to harvest them, you can learn a lot about a person.

And for some people, that means you can learn how to help them.

But for other people, that means you can learn how to take advantage of them, how to exploit them.

And beyond PII, we're also talking about this technology is not just-- it's not just screens and keyboards.

We're talking about sensors.

These type of sensors on here are real good cameras-- I don't know if any of you are familiar with-- but they're on par with the type of cameras that we're seeing in, not in your phones but in some of these lower-end video cameras that they're taking places, video cameras, which for gaming, that's pretty high quality.

That type of detail, when you're talking about I just need to be able to see within 10 feet or so of what's going on, is providing a lot of information to that.

So as we were saying, we're talking about your user movements, your speech patterns.

Future systems are having cameras that are embedded in the actual eye, around where your vision is.

And they're tracking your movement to see where you're looking and what you're doing.

So as we progress with these technologies, we're only going to get more sophisticated in understanding the abilities that are there.

And again, the things that you could do to take advantage of that and make it very difficult to identify an impostor.

If that impostor is-- if they can even do your facial tics or maybe you stick your tongue out after you say something, that level of detail is going to be able to fool not just companies, but your family and all sorts of different things.

So we talked a little bit about some of the things that-- some of the areas that VR was used in.

And this kind of talks to the extent of how integrated you can actually get with this.

So there's something called Virtual Reality Therapy, which is VRT.

And it's also similar to VRET, which is Virtual Reality Exposure Therapy.

Now, this is what I was talking about earlier with things like PTSD or arachnophobia or any of these types of psychological or occupational types of issues that need to be dealt with.

Patients were able to navigate through digitally created environments.

And again, we're kind of going back to the ability for people to immerse themselves to a level that's comfortable but not-- enough that they are getting beyond some of their issues and things like with PTSD or any of that, but they're able to take these small steps.

And right now in traditional medicine, while you are seeing some of the ability to kind of have more detailed and very specific patient plans, the technology there is still-- it's not there yet.

But again, with VR and AR, now you're seeing a lot more stuff.

One of the big areas that we're seeing, and most people don't even realize, doctors and surgeons are actually using this already.

Some of the recent high-profile surgeries that we're seeing, especially when you see stuff with heart, any things where you have these complex organ structures, they're actually able to make super-detailed [? virtual ?] models of this.

And then they're-- before they go into surgery, they're able to walk through this person's body, and they're able to spot things that they wouldn't necessarily be able to see when they're hovering over that person, and they have them opened up.

So again, the level of detail and everything that we're talking about now, this is an internal, right?

This is how your body organs are arranged.

These types of things can provide us with access to huge amounts of personalized medicine.

But we also still have to worry about what if some bad guy gets these.

So one of the challenges that we're talking about with VR and AR and things like that is that they can leave users isolated.

Right now with this type of traditional VR, you can see, it's going to be covering the entirety of your face.

It has headset, headphones that are also going to be covering entirely your ears.

And so you are immersed in that environment.

Now, future generations of VR and AR are incorporating front-facing cameras and everything.

So you're not going to just see single AR products or VR products.

A lot of them are going to try to do both.

With the newest generation of Oculus, the Quest and stuff like that that's coming out, that's one area that you'll see they'll have those front-facing cameras that will be used not only to track your movements, but also for you to be able to switch between what would be a virtual environment and hopefully a mixed environment or just to be able to look out upon the world as normal.

Now, when we talk about this type of stuff, we say it's a challenge.

But it also can be a very much malicious issue.

We're already seeing now researchers have already been able to kind of prove that you can do a lot of different things, either through just malicious software or even a DoS attack with some of these types of virtual reality programs, which require constant, persistent internet connectivity.

If you're just looking at disrupting, right, DDoS still-- it's an old-fashioned technique.

But because these are still computer systems, it's still able to shut down.

Now, going a little bit further than this, is we're also talking about the malicious ability of users to get into some of these things, like sensors and everything.

Now, this is pretty unprecedented when you talk about how we interact.

Like right now, if someone takes over your computer, they can spam, a bunch of spam ads, that kind of stuff that pops up.

But in the cases that we're talking about now, especially in virtual reality, if someone takes over your virtual environment, that can be a lot more dangerous.

If you're in a room, right, that doesn't have a lot of things around.

And your virtual environment tells you that there's something there, or that there isn't something there when there is, you could be badly injured.

And if you're a malicious actor, again, we go back to how can I take advantage of this?

How can I get into their environment?

How can I make money off them?

And one of these ways is that, hey, if they take over that, they could injure and/or kill a person if they either take something out of that environment or incorporate something-- [CLEARS THROAT] excuse me, incorporate something that isn't there.

So we're talking about AR and VR.

But part of this also that is also here is some of the embedded aspects of these technologies.

And you're starting to see this now, things with smart clothes, medical devices, even some types of cosmetics, things that you can do, where they're putting this into the skin.

They're putting this underneath-- they're putting it into the eyes.

They're augmenting parts of their body.

And even if you're a fan of Elon Musk, he's looking at even incorporating these neural links with the computer systems directly into the body.

This type of embedded technology can present as bad or even worse dangers than AR and VR because now we're incorporating things into our actual body.

But as we talked about with some of these other areas, the amount of data and the information that it makes available allow for a lot of different things, a lot of good that you can do with it.

One of the other things that we can talk about with this stuff is what happens when you feel like your body is spying on you?

What happens when you put a shirt on, and you feel like it is watching what you're doing?

So I think that's one thing that in the future, as people become more comfortable but also more aware of some of the things that AR and VR kind of deal with, they're going to have to start thinking about, all right, right now, when I have my computer on, someone has access to my video and my audio feed.

But what if they're able to see some biometric data, like where my eyes are looking, what my posture is, what my heart rate is when I look at certain pictures?

There's a lot of things that, again, if someone wants to, make a hacker's job easier to exploit.

Again, unless we're looking at this stuff like it is actually a security concern and not just information.

It's not just marketing information.

It's data about a person and their lives and how they live.

And if we don't understand that, then we're already going to be behind the hackers and the malicious actors who-- again, they know that.

And that's why they think it's interesting.

That's why they think it's valuable.

So devil's in the details, right?

There's a lot of different things.

What you see here in this picture over here, this is actually the Oculus Rift barrier system.

So when you're in Oculus Rift, they have a barrier system that you will denote whatever your play area is, the size.

And you can denote a boundary that shows, OK, if I move beyond this, this virtual image will come up and show me that hey, I'm getting to the edge of my area.

These types of things, you would think, well, that makes sense.

But Oculus had to learn the hard way after people were injuring themselves because they were running into walls and things like that.

And so the devil really is in the details for a lot of these things.

VR headsets, they have live mics, and they're recording all the different conversations.

And that's not just your conversations.

That's your wife yelling at you to get off your VR headset.

That's your kids in the background.

It's listening to all that.

With some of the different sensors and everything, you're talking about, again, we're tracking what you're doing.

With the different types of cameras and everything, we're not just talking about a live, like a traditional picture.

Some of these are heat cameras.

They're able to see your body, again, how your body's moving, what you're doing.

And so you're not talking about a level of detail that is something that someone's going to have to spend years and months trying to get.

With new systems now showing up in-- PlayStation 4 now has VR.

Oculus Rift now with the Quest is seeing a much wider acceptance among people, because, again, you don't have to plug in.

This access level for hackers is going to get much wider.

The pool of candidates and victims is only going to increase.

And the ability and attack surfaces are only going to increase as they get smarter, as the sensors get better, as the cameras get sharper, as the detail and the clarity pick up.

So this is kind of just a fun little spot the issues here.

So what we're talking about here is the Oculus system.

We've been talking a lot about different sensors.

Each one of those little dots is a sensor.

It's a camera.

It is a tracking sensor that we're talking about.

And so this is one of the things that because people were creeped out by it, Oculus ended up wrapping their system up in some nice coverings so that it blocks people from seeing that.

But these types of things are what lies underneath.

These are how they're able to get these immersive environments.

And this is kind of where the problems are also going to lie because, again, that's one of the main areas that you're harvesting data and the environment around you.

We talked a little bit about hacking a person's environment.

And this is the kind of thing that you would normally see on your desktop when you were hacked.

But this is also the type of thing now that shows up within the Oculus environment.

People like their phones, like to side load apps and everything.

And so you're still seeing that malicious type environment.

And this one is just a personal favorite of mine.

I don't know how many people here remember the Xbox Kinect.

So for all of you that are unaware, the Kinect was, again, it was a very early form of some of these AR-VR-type cameras that were allowing people to interact with their video games in an immersive way.

The interesting thing about this is that when this product first came out, the level of detail on the cameras was so scary that Microsoft ended up having to change the color output from the detailed type of picture that you would see to a green hue.

So that people were less creeped out by the fact that they could see such detail with this type of stuff.

Now, for those of you not aware, the Kinect really didn't do that well as a product for Microsoft, at least in the consumer market.

But they repurposed it.

And this camera is actually used within a terminal airport.

It's being currently used by airport security as a way to take virtual pictures basically as people are flowing through so that not only are you getting cameras and video, but they are able to get a virtual representation of what someone looks like coming through.

And this can be helpful in things like height, movement, gait, tracking criminals and that type of stuff.

Again, it's allowing them an unprecedented level of detail.

So some things in the news that you may or may not be aware of.

So one of the reasons why I find VR so interesting is that it, especially recently, we're starting to see now the security aspect of this stuff really become front and center.

Within the last about month or so, security researchers actually were able to find critical vulnerabilities in three different virtual reality applications.

There's Valve SteamVR, High Fidelity, and VRChat.

And now for those of you not aware, these are actually very large used VR-based programs that see a huge number of users on a daily basis within their respective environments.

This ability is kind of what we were talking about before.

When you're in these immersive environments, you're trusting what you see on the screen is what's going on.

You trust that if this barrier system comes up, that that's where that barrier system is.

And so the ability of hackers now to get into these things and manipulate users' reality is going to become a huge issue in terms of safety and everything, and also in terms of future areas like phishing.

If you're able to replicate a virtual environment to a level of detail that we're seeing now, then you're going to be able to replicate virtual environments by other companies who aren't malicious actors.

And so that's another level of detail that we're going to have to worry about.

We're going to have to prove, in a lot of these virtual environments, that we are the trusted person that we say we are.

And right now, there really isn't anything that kind of does that.

We're also seeing-- so because we're in cybersecurity, we're seeing a huge amount of AR adoption specifically.

VR not yet so much, because, again, it's an immersive environment.

But AR, things like the Lens, is providing a level of usability with this type of data that, again, hasn't been seen before and usually is only available to people who have a large number of years of experience in fields.

So we're exposing a lot more things with this.

Now, this also talks about some of the areas that we need to work on as well.

And I kind of touched on a few of these already, but things like the innovation, right?

The ability of hardware is far surpassing the ability of course our legislative.

That still hasn't caught up with computers yet, let alone AR and VR.

But all these types of things that we brought up today, they are very pertinent issues.

That as VR gets bigger and larger, we're going to need more preparation.

We're also going to need things like common standards.

You are seeing some of these standards right now for stuff like VR.

For any people who are familiar, there's a web standard called WebVR that you can use to program your own web pages and everything so that there is a VR ability.

It's still very basic.

But it's those types of things that are going to provide a common basis that users can understand and hopefully kind of develop security practices from them.

Some kind of hardware issue, though, that we're still dealing with, persistent connectivity gap.

In most places around the world, you don't have persistent internet connectivity.

And with AR and VR, the ability of these systems to operate within a local environment without having to connect to the internet for long periods of time to access data and things like that, that's got to be paramount for that explosion to continue across different industries.

And last really issue is just exposure and source issues, right?

It's getting these things into people's hands so they can use it and understand like, holy crap, I've been doing this.

This has been taking me-- we talk on Monday about the Lens, right?

You go from 85 minutes to And with this VR, you can go from 5 minutes to 10 seconds with some of this stuff because you're wrapping it all up in movements and things like that.

So with this type of stuff, we're really just looking at more exposure to people and to sources so that we can get a better idea of what people's problems are that they want to fix.

This is just a real quick one here.

So I like to put this in because it is an example of the real-- or the virtual worlds spilling out into the real world.

For any people who played Warcraft or anything like that, there's something called the Warcraft Corrupted Blood plague.

The Corrupted Blood plague was an incident that began on a Warcraft server in 2005 and lasted about a week.

And what it was, was there was an in-game-- basically an in-game goal that was there, that when you were hit by this type of weapon, it caused a corrupted blood.

But what happened is that instead of just being localized to an area, it spread.

And it spread in such a way that researchers actually use this as a model now because it very much modeled the spread of a viral infection that they see in the real world.

And so this is kind of one of those areas that we talk about VR is not-- VR is still virtual.

But it is going to become part of our world.

And so incidents like this, while we may not have a blood plague with all our devices, that level of malware and viral corruption is still possible and something that we all will need to think about when we talk about interacting, again, with other devices and environments and, again, just how we use the products and what we allow people to do with them.

And I also like to talk about this as well.

So for those of you who are familiar with WarGames, this is an example of the real world being informed upon by movies.

So for those of you not aware, Reagan actually saw the movie WarGames.

And he asked his advisors, is this possible?

And his advisors went out, and they came back to him, and they said, no, it's even worse than this.

And especially with VR and computer and things like that, that is the level that we need to kind of approach it with.

Reagan's question actually led to what eventually became the Computer Crimes and Fraud Act.

So that was part of the impetus behind developing that legislation.

So what people see and what people think about VR, we think, oh, that's funny.

That's interesting.

But it can have real-world effects that, if we don't get ahead of it, can be detrimental not only to the security, but also to the industry as a whole.

It's another type of security that we can provide.

And again, it's a whole new type of data that is possible to be exposed.

So what does it all mean?

So again, the future of AR and VR, it's not any specific industry.

It's not any specific company, source, or platform.

But it's a wide array of things.

And this is why we need to, as I was saying, understand them and figure out what are they doing, how are we using them, and what are the implications if someone starts to use this in a nefarious manner?

Now, as I was saying before, it's already here, right?

Anomali Lens is already an AR product.

It's already something that is being utilized.

It's the most basic form of AR.

But as we continue to move forward, that level of ability, that level of data is going to be available to all of you and not just cybersecurity, but in life as a whole.

So you really have to ask yourself, are you ready for this type of malicious reality in the future?

Well, thank you all for coming to this.

I appreciate it.

And enjoy the rest.

About Detect LIVE

We believe that threat intelligence holds the promise of allowing organizations to better manage risk and develop resilience. Detect LIVE, brought to you by Anomali, is a virtual event series that provides a platform for security executives, practitioners, and researchers to share insights and experiences related to threat visibility, detection, and response.