AR & VR Headsets: Endless Possibilities or the End of Privacy
With recent advances in VR headsets and the continued rapid advance of AR, it’s important to understand the impact on privacy and the concerns that arise as a result. We explore the security and privacy issues of AR headsets, the implications of the privacy policies from Apple and Meta, and safety measures that can help protect your personal information while using VR and AR headsets.
With new advancements, the popularity of augmented reality (AR) headsets and virtual reality (VR) headsets continues to rise. According to a recent Statista report, the VR industry is projected to experience significant growth, with the global VR market size projected to increase from less than 12 billion USD in 2022 to more than 22 billion USD by 2025. As more individuals adopt VR headsets, the potential for cybersecurity vulnerabilities and exploits also increases. With the highly anticipated Apple Vision Pro and the Meta Quest 2 (formerly known as the Oculus Quest 2) soon to be in the hands and on the heads of millions of new users, it’s a good time to look at the cybersecurity risks associated with both AR headsets and VR headsets.
Data Privacy Concerns
VR and AR headsets collect sensitive user data, including biometric information, location data, and user preferences. Inadequate security measures or unauthorized access to this data can lead to privacy breaches and identity theft. And while the makers of VR and AR headsets insist their devices can’t be hacked, LSU Media Center researchers have shown that VR devices are most definitely vulnerable to privacy and security risks.
VR Headset Security and Privacy Issues
VR headsets like the Apple Vision Pro, PlayStation’s VR 2 and Meta’s Quest 2 completely take over your vision and make you feel like you’re somewhere else—in a virtual world or reality. They also collect highly personal data. Here are some concerns and security threats to consider:
Biometric Data: VR headsets collect unique personal data through iris scans, fingerprints and voice prints. Criminals can use stolen or leaked biometric data to log in as someone else and access sensitive information.
Voice Phishing: Apple’s Vision Pro VR headset utilizes voice command functionality that can leave users vulnerable to voice phishing or “vishing”. Cyber criminals can extract speech content to access highly sensitive information like PINs, passwords and financial information. Scammers can also copy and mimic a user’s voice to trick people close to them into sharing personal details.
Deepfake Threats: Motion-tracking data collected from VR headsets can be used to create near-perfect deepfake content. Criminals can recreate a user in VR environments and have that likeness do whatever they like, spreading misinformation and leaving the user vulnerable to identity theft, fraud and cyberattacks.
Physical Safety: Because VR is immersive, interactive and blocks a user’s connection to the outside world, accidents are bound to happen. The Wall Street Journal reports that physical injuries are on the rise with the growing popularity of VR headsets.
AR Headset Security and Privacy Issues
AR headsets like the Microsoft HoloLens and the Google Glass enhance or “augment” reality by adding digital images, sounds and even scents to real world experiences. This raises concerns about potential privacy breaches if hackers gain access to AR headsets. Here are some concerns and security threats to consider:
Unreliable Content: AR relies on third-party vendors whose content may be misleading or false. Cyber threats and data manipulation can further undermine content reliability.
Social Engineering Attacks: Cyber criminals can use AR to distort a user’s perception of reality to trick them into compromising themselves and/or revealing personal information.
Network Credentials Theft: Criminals can steal network credentials from Android wearable devices that are used with AR headsets. If users store credit card details and mobile payment solutions in their profiles for AR shopping, they’re at risk. Thieves may gain access to these credentials and silently deplete accounts, taking advantage of the seamless mobile payment procedure.
Denial of Service Attacks: If an AR headset is hacked, critical information streams can be disrupted. With engineers, doctors, repair technicians and other professionals using AR headsets for work, this kind of disruption can have serious consequences.
Even More Data Privacy Issues
Facial Movement and Eye-tracking Technologies: Meta’s Quest 2 has inward-facing cameras that track a user’s facial expressions and eye movements. This is incredibly valuable data that may be processed and stored on Meta servers. Meta’s privacy policy states VR headset data is subject to their own terms and privacy policies. This means Meta can use that data to influence what you purchase or consume based on your facial expressions.
Malware: Cyber thieves can embed malicious content in ads, leading unsuspecting users to click on them. These ads may direct users to hostage websites or malware-infected servers, resulting in unreliable visuals and compromising the security of augmented and virtual realities.
Ransomware Attacks: In 2022, cybersecurity research company ReasonLabs published data on “Big Brother”—a new malware attack that can record the screen of a VR/AR headset and send the recording back to the attacker. The attacker can then threaten to release the recording unless a ransom is paid.
Firmware and Software Vulnerabilities: As with any technology, VR/AR headsets may contain firmware or software vulnerabilities that cybercriminals can exploit.
Other Considerations
Cyberbullying: Online harassment and bullying can be more severe in a virtual or augmented reality. A recent New York Times article outlines how abusers could target children through chat messages or by speaking to them through headsets, actions that are difficult to document. Cyberbullying is often used to intimidate people of all ages into revealing personal information. This leads to exploitation.
Health Risks: A recent study from Oregon State University found that AR/VR headset use “poses potential physical ergonomic risk factors which are associated with musculoskeletal discomfort and injuries especially in the neck and shoulder regions”. There’s also growing concern over reported headaches, eye strain, dizziness and nausea after using headsets.
Privacy Policies
So, what are VR/AR companies doing to address these privacy and data concerns? Let’s look at how the two biggest players, the Apple Vision Pro and the Meta Quest 2, are addressing the issues:
Apple Vision Pro Privacy Policies
Apple has a fairly solid reputation for managing users’ privacy. Along with new privacy and security features announced in June 2023, here are some of the ways Apple’s addressing privacy concerns over the Apple Vision Pro:
- Optic ID uses the uniqueness of an eye’s iris to authorize purchases and unlock passwords.
- Optic ID data is encrypted and never leaves a user’s device.
- Eye input is not shared with Apple, third-party apps, or websites.
- Data from cameras and sensors is processed at the system level, so individual apps do not need to see your surroundings.
Meta Quest 2 Privacy Policies
Meta, AKA Facebook, has a bit of a tarnished reputation when it comes to respecting and protecting user data. The privacy policies of the Meta Quest 2 aren’t as clear as those of the Apple Vision Pro; however, Meta promises more transparency with the Quest:
- Users no longer require a notorious data-collecting Facebook account
- New Privacy Tab informs users what data is being collected
- Meta is said to be working on improved parental controls since they lowered the age restriction for young users from 13 to 10
- Data collected from young users will be used to deliver “age-appropriate experiences” but will not be used to serve ads to children
- Parents can delete their children’s profiles and data
How to Use VR Headsets and AR Headsets Safely
While headsets like the Apple Vision Pro and Meta Quest 2 open doors to captivating virtual experiences, it’s crucial to be aware of the cybersecurity risks they pose. By understanding these risks and implementing appropriate security measures, you can enjoy the many benefits of VR and AR technologies while safeguarding your personal information.
Update your VR headset regularly. Software updates contain important security patches and features. It’s important to stay up to date. Cybercriminals certainly are.
Limit who can see your activity. Familiarize yourself with the privacy settings of your VR headset and adjust the default settings to control who can see when you’re online and what you’re doing.
Disable voice commands. This may be a bit of a tough sell as the voice commands can unlock so many cool features on a VR headset, but it’s worth considering. It’s a way to limit the data being collected and protects you from vishing.
Stay informed. It’s important for consumers to be proactively aware and informed of today’s online safety and cyber risks – the dangers will not be diminishing anytime soon based on the latest cybercrime trends and predictions. Staying up to date is easy, as local and national news programs regularly cover cyber and consumer safety events in their segments. We also recommend that you make it a habit to visit and follow GetCyberSafe.ca or the National Cyber Security Alliance resources page to stay informed about online safety trends and threats.
Prioritize good cyber security. Practice regular password hygiene, set up multi-factor authentication (MFA) and minimize sharing personal information online. For example, if you hit social media to post a photo of the new VR headset you got for your birthday, you’re giving cyber criminals some juicy information. They’ll not only know your birthdate, but they’ll be aware of a fun new device they can exploit to learn more (about you). Install high-quality anti-virus software on all your devices and always keep it up to date.
Use a VPN. A virtual private network (VPN) helps protect your privacy when you’re connected to the internet by hiding your location and IP address.
Invest in online safety tools and training for your family members. provides an engaging way to train your family members and kids about online safety and deliver cyber awareness training to prevent breaches helping protect your network via cyber-resilient kids.
Buy Cyber Insurance for Your Home
Our Cyberboxx Home all-in-one cyber insurance coverage predicts threats, prevents breaches and insures against online safety and cyber risk events at home. Also included is access to our BOXX Hackbusters incident response team, protection against cyber bullying extortion and more.