Recent advances in virtual reality (VR) system provide fully immersive interactions that connect users with online resources, applications, and each other. Yet these immersive interfaces can make it easier for users to fall prey to a new type of security attacks. We introduce the inception attack, where an attacker controls and manipulates a user's interaction with their VR environment and applications, by trapping them inside a malicious VR application that masquerades as the full VR system. Once trapped in an "inception VR layer", all of the user's interactions with remote servers, network applications, and other VR users can be recorded or modified without their knowledge. This enables traditional attacks (recording passwords and modifying user actions in flight), as well as VR interaction attacks, where (with generative AI tools) two VR users interacting can experience two dramatically different conversations. In this paper, we introduce inception attacks and their design, and describe our implementation that works on all Meta Quest VR headsets. Our implementation of inception attacks includes a cloned version of the Meta Quest browser that can modify data as it's displayed to the user, and alter user input en route to the server (e.g. modify amount of $ transferred in a banking session). Our implementation also includes a cloned VRChat app, where an attacker can eavesdrop and modify live audio between two VR users. We then conduct a study on users with a range of VR experiences, execute the inception attack during their session, and debrief them about their experiences. Only 37% of users noticed the momentary visual "glitch" when the inception attack began, and all but 1 user attributed it to imperfections in the VR platform. Finally, we consider and discuss efficacy and tradeoffs for a wide range of potential inception defenses.

翻译：虚拟现实（VR）系统的最新进展提供了完全沉浸式的交互，将用户与在线资源、应用程序以及彼此连接起来。然而，这些沉浸式界面可能使用户更容易遭受一种新型安全攻击。我们提出了"盗梦空间攻击"（Inception Attack），攻击者通过将用户困在一个伪装成完整VR系统的恶意VR应用中，从而控制和操纵用户与其VR环境和应用程序的交互。一旦被困在"盗梦空间VR层"中，用户与远程服务器、网络应用程序及其他VR用户的所有交互都可能在用户不知情的情况下被记录或修改。这不仅使传统攻击（如记录密码和动态修改用户操作）成为可能，还引发了VR交互攻击——借助生成式AI工具，两位交互的VR用户可能体验到截然不同的对话。本文介绍了盗梦空间攻击及其设计，并描述了我们在所有Meta Quest VR头显上的实现。我们的实现包括一个克隆版Meta Quest浏览器，它能够修改向用户显示的数据，并篡改发送至服务器的用户输入（例如，修改银行会话中的转账金额）。实现中还包含一个克隆版VRChat应用，攻击者可以窃听并修改两位VR用户之间的实时音频。随后，我们针对具有不同VR体验的用户开展研究，在用户会话期间执行盗梦空间攻击，并在事后告知用户相关体验。仅有37%的用户注意到攻击开始时出现的短暂视觉"异常"，除1人外，所有用户均将其归因于VR平台的缺陷。最后，我们考虑并讨论了多种潜在盗梦空间防御方案的有效性及权衡。