FAQ:

What game engines are affected?

The main one tested was Unity3D, but to my knowledge, no game engines actually check for content integrity of what they load, so I would venture to say (damn near) all of them. Unity was just the one with the widest hardware support and easiest to test on. Throw in things like A-Frame and React VR, ohhh my.

I have [device], does this affect me?

The hardware is irrelevant, this is a software implementation level issue in game engines. The attack is honeybadger toward the hardware. It doesn’t give a shit what hardware you have.

Does this have a logo?

No; if someone wants to donate one though...

Really? Game engines? Virtual Reality? Augmented Reality? Hacking that of all things instead X?

I like to take the Feynman approach.

“Study hard what interests you the most in the most undisciplined, irreverent and original manner possible.” — Richard Feynman

Also, the Dual Core approach:

You said you Mei-n Mei in Overwatch, was the name intentional?

Abso-goddamn-loutely. I came up with the acronym and then invented the attack for the acronym. If you believe that I have a bridge to sell you for 9001 bitcoin.

Isn’t this just a Man in the Middle attack?

This was one of the big things I wrestled with before dropping this. For this demo, yes. That being said, the core fundamental here isn’t about MITM as that can be substituted with others, but about fucking with the user’s sense of reality around them. This isn’t an attack on the software, but an attack on the wetware through the software. This is social engineering the target through injecting the entities, so while the actual attack seems “meh” on a technical level, the actual implications go much further and are separated from only being technical.
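The two answers above make the same defensive point from different angles: the engine loads whatever bytes arrive, so an on-path swap of an asset bundle is accepted as-is. The fix is to verify integrity before the engine parses anything. The following Unity C# loader is an added example written for this page; it is not the author's code and not part of Unity itself. It assumes a hypothetical `PinnedBundleLoader` component, a placeholder CDN URL and bundle name, a placeholder SHA-256 value that would be generated at build time and shipped inside the app, and Unity 2020.2 or later for `UnityWebRequest.Result`.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Security.Cryptography;
using UnityEngine;
using UnityEngine.Networking;

// Hypothetical component (not Unity's own API): downloads an asset bundle as raw bytes,
// hashes it, and only hands it to the engine when the digest matches a value pinned in the build.
public class PinnedBundleLoader : MonoBehaviour
{
    // Constructed table: bundle name -> lowercase hex SHA-256. In a real build this is generated
    // at build time and shipped with the app, never fetched from the same server as the bundles.
    private static readonly Dictionary<string, string> PinnedSha256 = new Dictionary<string, string>
    {
        { "characters.bundle", "PLACEHOLDER_SHA256_HEX_OF_REAL_BUNDLE" }, // placeholder, not a real digest
    };

    [SerializeField] private string bundleBaseUrl = "https://cdn.example.invalid/bundles/"; // assumed URL

    private IEnumerator Start()
    {
        yield return LoadVerified("characters.bundle", bundle =>
        {
            // Only reached after the integrity check passed.
            GameObject prefab = bundle.LoadAsset<GameObject>("Hero"); // assumed asset name
            if (prefab != null) Instantiate(prefab);
        });
    }

    // Compare the SHA-256 of the downloaded bytes against the pinned hex digest.
    public static bool DigestMatches(byte[] data, string expectedHex)
    {
        using (SHA256 sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(data);
            string actualHex = BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
            return string.Equals(actualHex, expectedHex.ToLowerInvariant(), StringComparison.Ordinal);
        }
    }

    private IEnumerator LoadVerified(string bundleName, Action<AssetBundle> onLoaded)
    {
        if (!PinnedSha256.TryGetValue(bundleName, out string expected))
        {
            Debug.LogError($"No pinned hash for {bundleName}; refusing to load unknown content.");
            yield break;
        }

        // Fetch raw bytes with a plain GET instead of UnityWebRequestAssetBundle, so the
        // engine never parses the bundle before we have checked it.
        using (UnityWebRequest request = UnityWebRequest.Get(bundleBaseUrl + bundleName))
        {
            yield return request.SendWebRequest();

            if (request.result != UnityWebRequest.Result.Success) // Unity 2020.2+
            {
                Debug.LogError($"Download failed for {bundleName}: {request.error}");
                yield break;
            }

            byte[] data = request.downloadHandler.data;
            if (!DigestMatches(data, expected))
            {
                // A swapped or tampered bundle lands here and is discarded, never loaded.
                Debug.LogError($"Integrity check failed for {bundleName}; bundle discarded.");
                yield break;
            }

            AssetBundle bundle = AssetBundle.LoadFromMemory(data);
            if (bundle == null)
            {
                Debug.LogError($"Bundle {bundleName} passed the hash check but failed to load.");
                yield break;
            }
            onLoaded(bundle);
        }
    }
}
```

Pinning hashes in the binary means a bundle update requires an app update; a signed manifest (verified with a public key shipped in the app) relaxes that while keeping the same property. TLS with proper certificate validation blocks the on-path case, but a content check like this also catches a compromised or misconfigured CDN, which is why the two belong together.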

What’s next?

Fuck if I know. I will say that 2018 is going to be *very Ghost in the Shell* when it comes to XR infosec. I do have a few more things in the works in the XR security space, each more Ghost in the Shell than the last. In 2012 I set out to make Ghost in the Shell tech real (which was a big part of why I went full infosec/XR instead of gamedev) and I’m still on that path. 2017 was the year cyberpunk really started becoming a bit too real in the plain view of the normies (it always was cyberpunk for those paying attention) and for better or worse, 2018 will be Cyberpunk As Fuck.

How can I help?

Depends, if you mean help the cause, hunt more vulns in XR apps and devices. Help seek out new vulns and new pwnage, to boldly pwn where no hacker has pwned before. It’s better to pwn it now so it gets fixed now, than to let it become a problem later. Drink all the booze, HACK ALL THE THINGS!

If you mean help me, I’ve been unemployed since February 2017 and I could use a job or contract work to keep the lights on. Also, if you’re an XR hardware manufacturer I could use hardware to work with as well; more gear is always welcome and opens new doors. Money’s dwindling and gear is expensive. I am working on another project as well, a tool called NAVRIE, but I’m not going to rush it and I want to get it right. XR still needs time to evolve and bad content will taint the medium in the public eye; shovelware will kill my favorite medium and I can’t contribute to that happening. I might release a 2D version in the meantime. A quote sums up how I feel about that project: “A delayed game is eventually good, a bad game is bad forever.” ~ Shigeru Miyamoto

Donations are also a thing and would really help with funding research and development given how expensive this stuff is to develop, although I hate even having to ask for that.

Paypal: https://paypal.me/pclemenko

Patreon: https://www.patreon.com/pclemenko

BTC: 1ARpJBfSGyBezWqRjkufQ91y4gP9PrsSp1

LTC: LcmSeHrXbH21ecyrDg7PuNYN48SNX2LSSY

ETH: 0x42dd5E9c712d58694Af63E4C963F62FED4ad55Ec

Is there more coming?

This is only the beginning. I still have a lot of work to do. Besides, given everything considered there’s a quote I think is more appropriate than normal… “Our world is worth fighting for” ~ Mei-Ling Zhou — Overwatch

You were warned

Afterword

A little bit of clarification as to why this took months to drop, and why I sat on this for so long. Besides waiting on con talk CFP status for this (all four cons rejected the talk), a bug bounty that got rejected, and hardware, the biggest factor was uncertainty. When I was developing this attack, I thought it was awesome; I had finally created the Laughing Man attack from Ghost in the Shell. The problem is, this was so niche, so hard to describe, so weird, so odd, so esoteric, and so edge-case and specific in its scenarios that I thought it would be invalid. The more I looked at it though, in current software and hardware this is very edge case and not realistic, but in the coming years it will be standard fare.

As for the name, I kept doubting the injection aspect of the name, as it felt more like side-loading or swapping an asset instead of actually injecting anything. The more I thought about it though, this felt similar to another vector commonly used in malware, DLL injection. This is just DLL injection with game engine content instead of a DLL, and yes, it can lead to RCE in some situations. The other thing I kept thinking was that this was literally just using the stuff that’s already in the app; is that really an RCE? Well, if you look at pretty much anything involving modern red teaming, the favorite tactic is to live off the land and use the existing software on the system to do your dirty work.

For a long time I held back because I was unsure; I felt like a phony and Captain Obvious for bringing this up. The more I think about it though, this is what a red team would do to attack XR. I can’t help but think that in a way this is just that god damn obvious. After Meltdown and Spectre I made the final call; the reason is that those things went unfixed for so long that damn near every modern system is vulnerable to those two attacks. If I can help get this fixed across the board early so it never becomes a major threat, that’s what I want.

What I don’t want is this going under the radar and people getting hacked in critical moments that could potentially get people killed. My concern here really isn’t data, it’s the wetware using the XR device. I want this fixed at the root cause to save those lives.