Virtual Reality (VR) technologies are increasingly employed in numerous applications across various areas. Therefore, it is essential to ensure the security of interactions between users and VR devices. In this paper, we disclose a new side-channel leakage in the constellation tracking system of mainstream VR platforms, where the infrared (IR) signals emitted from the VR controllers for controller-headset interactions can be maliciously exploited to reconstruct unconstrained input keystrokes on the virtual keyboard non-intrusively. We propose a novel keystroke inference attack named VRecKey to demonstrate the feasibility and practicality of this infrared side channel. Specifically, VRecKey leverages a customized 2D IR sensor array to intercept ambient IR signals emitted from VR controllers and subsequently infers (i) character-level key presses on the virtual keyboard and (ii) word-level keystrokes along with their typing trajectories. We extensively evaluate the effectiveness of VRecKey with two commercial VR devices, and the results indicate that it can achieve over 94.2% and 90.5% top-3 accuracy in inferring character-level and word-level keystrokes with varying lengths, respectively. In addition, empirical results show that VRecKey is resilient to several practical impact factors and is effective in various real-world scenarios, providing a complementary and orthogonal attack surface for the exploration of keystroke inference attacks in VR platforms.