• by Colin Kirkland , Staff Writer, January 19, 2022

On Christmas Day, Meta’s mobile companion app for its Oculus virtual reality (VR) headsets like Quest 2 was the most-downloaded app in the U.S. According to Apptopia and Sensor Tower data, the app's popularity has not decreased and it has been downloaded over 2 million times since.

With the Oculus a popular gift, especially for children, some cybersecurity experts are voicing potential privacy concerns.

NordVPN, for example, which provides virtual private network (VPN) services to help people protect their online identity, in a recent statement detailed a series of potential threats that parents and consumers should be aware of with Quest 2 Oculus headsets.

“As with every new technology, manufacturers want to jump on the train as soon as possible,” said Daniel Markuson, NordVPN digital privacy expert. This rush, he believes, may result in a lack of oversight, allowing hackers to easily take advantage of consumer vulnerabilities. “Since children usually poorly understand the possible risks, they are the perfect targets for cybercriminals,” added Markuson. 

NordVPN’s statement cites involuntary data collection as the most troublesome virtual reality privacy issue. This includes biometric data such as eye scans, fingerprints, face geometry, and voiceprints. 

“It is nearly impossible to stay anonymous while using VR,” the statement reads. Based on a study from 2019, it notes that the behavioral and biometric information collected by most headsets can be used to identify users with very high accuracy.

More specifically, NordVPN covers three categories of privacy breaches it believes children will be most susceptible to when gaming with Oculus: identity theft, social engineering, and real-world harm.

A recent survey conducted by NordVPN showed that 28% of all Americans reported having been victims of identity theft just this past year. NordVPN believes that VR games connected to social media accounts present easy access for hackers to steal birth dates, places of residence, and even bank account and credit card information.

However, even without connectivity to Facebook sites, Facebook's parent company Meta will still be collecting user data. This is a troubling issue, after Business Insider reported in April 2021 that 533 million Facebook users’ personal data was leaked online.

The combination of potentially hacked biometrical and behavioral data through a VR device may result in real charges through user accounts.

“Deepfakes” -- synthetic media in which a real person is replaced with another -- is an additional hacking threat that NordVPN finds concerning. With a user's motion-tracking data, hackers can carry out a social engineering attack by pretending to be someone else in a VR game.

Children in particular may be most vulnerable to this kind of attack because of their tendency to divulge personal information to people they think they know.

NordVPN is concerned that attacks may bleed into the real world as well. The vast amount of information that hackers are able to collect through Oculus headsets says a lot about users’ daily habits, their exact location, and even the interior of their homes. Given the availability of this information, the threat of robbery or physical harm exists.

“If your virtual reality device gets hacked, you can sometimes notice the change immediately,” said Daniel Markuson. “After all, the attacker has complete access to what you see and hear. They can modify this virtual world however they want.”

Before giving a headset to a child, NordVPN suggests that parents read the privacy policies at length, although few consumers actually ever do so. Instructing children to create anonymous nicknames on VR multiplayer games and to keep their personal information to themselves is another helpful tip.

Not surprisingly, NordVPN’s last suggestion involves installing a VPN service.