One of the more overlooked areas of the global extended reality (XR) industry is cybersecurity, where threats from multiple actors could pose major challenges.
Numerous groups, including consumers, analysts, companies, and governments, are working to address these novel concerns over key issues such as biometrics, data, security breaches, privacy, and data ownership. Preparing for these challenges as they arise is key to securing the future of immersive tech.
For our XR Today round table, we are pleased to welcome:
- Roger Hale, Chief Security Officer at Agora
- Jason Ingalls, Founder and Chief Executive at Ingalls Information Security LLC
Our panellists will discuss the current trends in cybersecurity, concerns over consumer and enterprise-level cybersecurity risks, and efforts to secure global standards and interoperability in XR security.
XR Today: Which trends have you identified in XR cybersecurity? How will they differ from typical security breaches?
Roger Hale: Biometric, virtual, and digital identities will take over, giving the average consumer new ways to interact with each other and log in to XR services aside from a traditional password.
While these new methods can be strong, XR can open opportunities for bad actors to duplicate speech patterns, stored biometrics, and user behavior data, which, in turn, can be used for malicious purposes.
Whereas now many security attacks are socially engineered to obtain login credentials, breaches in the XR space could potentially be much more personal, and the fallout more severe, if these new identifiers aren’t protected.
Jason Ingalls: The use of XR devices presents an additional layer in the typical cybersecurity risk model (device integrity) and an additional class of data that must be considered (XR data).
The devices used to create immersive XR experiences collect very specific information about us and the immersive experiences they create are implicitly trusted by users.
Data created by peripheral devices such as headsets and tracking systems contain details about how individuals use them, and this data is easily tagged with personally identifiable information about the user interacting with the device. These details get generated as a person uses XR technology.
Also, users must trust the integrity of devices and applications creating the immersive XR experience to provide basic, yet critical inputs our brains interpret to maintain balance, identify the directionality of audio cues, and trick us into suspending our disbelief that we are experiencing another reality.
Physical illness due to nausea and other symptoms can manifest if the fidelity of eye tracking, positioning, display, and audio cueing is disrupted or not synchronized appropriately.
I believe that, between the data that XR creates and the experience itself, XR cybersecurity threats will evolve along two axes: XR data confidentiality and system integrity. It’s also worth noting that the availability of XR computing devices can and should be considered as a tertiary cybersecurity objective.
Components like wireless channel congestion for Bluetooth signals and laser emitters for certain tracking systems can disrupt XR devices, but the environmental cybersecurity controls where XR devices are used can be relied on in most cases to achieve the requirements of availability.
XR Today: How can the average consumer protect their data and privacy on an XR device? What are enterprises doing to prepare?
Roger Hale: Basic internet-of-things (IoT) protections are still a strong way to protect consumer data as it makes compromising login credentials more difficult for bad actors if they don’t have access to a user’s physical device.
To prepare, enterprises must configure and ensure that devices are not only unique, but allow privacy and security to be uniquely managed at the device. Users must treat XR devices with the same level of protection as their mobile phones or other mobile devices.
Jason Ingalls: Consumers should practice good cyber hygiene, such as not using devices on public Wi-Fi, not sharing headsets and other peripheral devices with people they don’t know and trust, and using good cybersecurity risk management controls for their tech stack.
You can think of XR technology as a layered cake of systems that trust lower-level systems to deliver the data and performance necessary to create the XR experience.
For example, a VR headset that is connected to a high-performance graphics card relies on the operating system of the PC hosting the graphics card. The operating system allows the headset to connect to the card, hosts the application running in the headset, and handles all network connections to other systems that may hold data or keep track of the XR experience, such as cloud servers.
Enterprises must secure that stack by protecting all these systems. Servers should be trusted and protected by enterprise-grade cybersecurity controls, workstations and operating systems should have next-generation antivirus that includes behavior-based anomaly detection, and patch management to ensure that all computing assets are up to date with the latest security patches.
Finally, networks should either be trusted, or VPN technology should be used to connect two trusted networks, such as the PC and the cloud environment.
Consumers can rely on automatic updates and modern anti-virus technology to manage most of the risk of operating PCs and XR devices, but enterprises should follow a cybersecurity framework that implements a series of effective controls in a defense-in-depth strategy to manage risk.
XR Today: Do you work with global or regional organizations to address cybersecurity? What support do they provide?
Roger Hale: At Agora, we’re currently working with regional standards for XR in China to develop the protection standards to incorporate into China’s XR data protection framework.
As these devices are adopted more around the world, we expect other businesses and nations to reach out to the private sector to build out additional security frameworks in this growing space.
Jason Ingalls: We partner with several organizations to evaluate, test, and deploy cybersecurity controls that are effective at managing risk for XR systems. There are nonprofit organizations like the Cyberbytes Foundation researching XR cybersecurity, and organizations like NIST and the IEEE that have working groups addressing the risks XR devices present to stakeholders.
These organizations understand the rapidly changing landscape of XR usage and evaluate the various types of risk that these systems present and create, and that must be addressed to be managed effectively.
My firm consults with these organizations to understand how to leverage good cybersecurity risk management strategies in our XR software development and to advise other companies and organizations on developing best practices for XR.
XR Today: Are there any concerns related to data flows between organizations, countries, or businesses?
Roger Hale: Current data privacy regulations have provided the foundation for data flow management and third-party and supply chain management for data protection. Regional data privacy regulations are ensuring this is being addressed today.
Jason Ingalls: There are many concerns related to data and XR usage, namely that these systems create a potential treasure trove of data, but one can break down these concerns into manageable buckets, depending on what you are using XR technology for and whether the XR system is networked or not.
Firstly, if you are using XR for local processing and experiences that aren’t internet-connected, your data protection requirements are several orders of magnitude less complicated than otherwise.
Locally-processed XR applications can be used with confidence that data isn’t at risk if network connections are disabled, or network rules prevent XR systems from communicating with other networks or systems that are gateways to other networks.
If your XR system does require networking to function, then one must ask, “what is the nature of the data that is being manipulated, and what part of the data being created, stored, processed, or transmitted is most sensitive?”
If a user is enjoying an XR experience in a multiplayer game, then their XR data itself is probably the most sensitive. However, if the user is working on sensitive information, then additional data security controls must be considered when designing and using such a system. Again, NIST and the CMMC risk management frameworks and guides can provide guidance here.
Finally, for cloud-native systems that use international community cloud compute resources, understanding the data privacy laws of the location where the XR system is in use, and the compliance requirements of any system to which the data is sent, is critical to ensure that users’ XR data is protected at a level that meets these requirements.
XR Today: What kind of interoperability currently exists to protect them, and what more could entities do to ensure the free flow of information?
Roger Hale: The growth in XR will expand the sharing of sensitive data so the growth of supply chain management monitoring and compliance will continue in tandem.
Individuals can do more to hold businesses accountable for data sharing with XR partners and affiliates. Average consumers should continue educating themselves on the new security risks that come with XR and take time to understand what consent they are giving as they enter the XR universe.
Jason Ingalls: In my experience, commercial organizations selling XR systems, applications, and other components of XR technology are aware of data protection requirements and are proactive in ensuring consumers are aware of, and accept the terms of, the use and data privacy standards that these firms adhere to.
Generally accepted principles may differ based on the laws where each firm operates, but there are some common tenets about how user data is collected and analyzed. I encourage all users to read and understand any XR technology’s collection of user data before using the technology.
Regarding the free flow of information, I don’t really see much to prevent it, other than commercial interest to collect and analyze data for competitive advantage, and data privacy laws that must be adhered to.
That said, organizations should use open standards in their XR technologies so that, wherever possible, data is created, stored, processed, and transmitted using a generally understood method that references an open-source standard or application that is freely available for analysis.
We are still very much at the beginning of our adoption of XR technology as a civilization. Like any tool, its usefulness will determine its long-term value to users, and it can be misused as easily as it can be put to good use. It’s up to us all to help steward this new technology towards useful, beneficial, and benevolent adoption.