Setting Up a Pentesting Environment for the Meta Quest 2


With the advent of commercially available virtual reality headsets, such as the Meta Quest, the integration of virtual and augmented reality into our daily lives feels closer than ever before. As these devices become more common, so too will the need to secure and protect the data collected and stored by them.

The intention of this blog post is to establish a baseline security testing environment for Meta Quest 2 applications and is split into three sections: Enabling Developer Mode, Establishing an Intercepting Proxy, and Injecting Frida Gadget. The Quest 2 runs on a modified version of the Android Open Source Project (AOSP) in addition to proprietary software developed by Meta, allowing the adoption of many established Android testing methods.

Enabling Developer Mode

The first step of setting up a security testing environment on the Quest is to enable developer mode. This allows users to connect to the headset via Android Debug Bridge (ADB) and provides programmatic access to the device’s file system.

A Meta account registered as an administrator of a Meta organization is prerequisite for enabling developer mode on the Quest 2. See the list below for links to the relevant Meta services for account and organization registration and verification.

Once the account is fully verified as an administrator, follow these steps to put the headset into developer mode:

  1. On the headset or Meta Quest Mobile app, sign into the developer account.
  2. Open Settings, then go to System > Developer and enable USB debugging.
  3. Connect the headset to your computer, then put on the headset.
  4. There should be a prompt asking to allow USB debugging, with the option to always allow from this computer.

Note: If the pop-up is gone, check the notifications menu (the bell icon next to the time on the menu bar). Sometimes permission may need to be given again, even if ‘Always allow’ was checked previously. If there are problems with ADB, check the notifications on the headset to see if it is asking to allow connections from the computer.

Setting Up an Intercepting Proxy

An important part of application security testing is analyzing data sent to and from the application and its server. To view data in transit, an intercepting proxy must be configured for the device. Typically, this involves having root access to the device; however, there is currently no publicly available method for gaining root access to the Quest. In lieu of the traditional root access method, a VPN tunnel will be used.

Setup Kali VM

Start a Kali Linux virtual machine using virtualization software (such as VirtualBox or UTM), making sure that it is in bridged mode. Bridged mode puts the device in the same network position as your host, instead of hidden inside it. This allows other devices on the same network, such as the Quest 2, to reach it.

Setup OpenVPN Service on Kali

Use the following script to set up the OpenVPN service on the Kali virtual machine:

wget https://git.io/vpn -O openvpn-install.sh
# drop the line after the "debian is too old" check so the installer does not abort on Kali
sed -i "$(($(grep -ni "debian is too old" openvpn-install.sh | cut -d : -f 1)+1))d" ./openvpn-install.sh
chmod +x openvpn-install.sh
sudo ./openvpn-install.sh

The first prompt will ask for the IP address to be used for the VPN; be sure to use the IP address of the Kali machine on the local network, for example 192.168.0.160. The rest of the prompts may be left to their default settings.

On completion, the script will output a .ovpn configuration file stored in the /root directory, which will need to be copied onto the headset. It can be downloaded on the headset using the browser by hosting the file on an HTTP server from the Kali machine. Move or copy it to a safe location and use Python to host an HTTP server: python3 -m http.server. Note that this command serves the current directory on port 8000 by default.

Download and Install OpenVPN on Quest

OpenVPN is not currently available on the Meta Quest Store; however, it is possible to obtain a copy of it from other sites, such as Uptodown or F-Droid.

Once the APK has finished downloading, use ADB to install it: adb install openvpn-connect.apk

Opening OpenVPN Connect on Quest

Apps installed via ADB can be found in the ‘Unknown Sources’ section of the list of applications and are conveniently not listed in the All Applications list.

Note: If OpenVPN is stuck at the splash screen, try killing the process with adb shell am force-stop net.openvpn.openvpn. If that still doesn’t fix it, reinstalling it usually does the trick.

Downloading the Configuration File

Now that OpenVPN is installed and (hopefully) working, it’s time to import the .ovpn file created earlier. On the Quest, open the browser and navigate to the Kali host’s IP address at port 8000 (for example: http://192.168.0.3:8000). Click on the .ovpn file to download it, which should open OpenVPN with a prompt to import the profile. If OpenVPN does not open automatically, navigate to the Download folder in the Quest’s file system and open the file from there. Once the profile is installed, connect to the Kali VPN tunnel.

Alternatively, the configuration file can be pushed directly to the device with adb if the Kali machine is able to interact with the headset directly.

adb push client.ovpn /sdcard/Download/

Use iptables to Route VPN Traffic to Burp

At this point the VPN tunnel is almost complete; all that is left is to route traffic from the VPN to Burp. There are two options:

  1. Route the traffic to your host.
  2. Capture traffic directly in the Kali VM.

Note: iptables rules are not persistent, meaning these commands will need to be re-run each time the Kali machine restarts.

Route Traffic to the Host

Use iptables to redirect traffic from the VPN (tun0) to Burp’s location on the host (192.168.0.2:8080) using DNAT. The MASQUERADE rules are used to route traffic back to its source. Note that the commands need to be run as root.

sudo iptables -A PREROUTING -t nat -i tun0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:8080
sudo iptables -A PREROUTING -t nat -i tun0 -p tcp --dport 443 -j DNAT --to-destination 192.168.0.2:8080
sudo iptables -t nat -A POSTROUTING -p tcp --dport 80 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -p tcp --dport 443 -j MASQUERADE

Route Traffic to the VM

Use iptables to redirect traffic from the VPN (tun0) to port 8080.

sudo iptables -A PREROUTING -t nat -i tun0 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -A PREROUTING -t nat -i tun0 -p tcp --dport 443 -j REDIRECT --to-port 8080
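Because the rules above are typed by hand on every reboot, it is easy to end up with duplicates (each -A appends another copy) or to forget that DNAT to another host needs IP forwarding on the VM. The script below is an added example, not code from the original post: it generates both rule sets from the interface, proxy address and port (the post's examples tun0, 192.168.0.2 and 8080 are used as defaults), lets you review them as a dry run, checks the forwarding sysctl, and applies each rule only if iptables -C reports it is not already present. The function names are hypothetical helpers written for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): generate, review and apply the
# NAT rules for both routing options. Interface, proxy address and port are
# the post's example values; the helper names are hypothetical.

# Option 1: DNAT tun0 HTTP/HTTPS to a proxy on another host, with MASQUERADE so
# the replies return through the VM. Prints one iptables command per line.
nat_rules_to_host() {
  tun="$1"; proxy_ip="$2"; proxy_port="$3"
  for port in 80 443; do
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
      "$tun" "$port" "$proxy_ip" "$proxy_port"
  done
  for port in 80 443; do
    printf 'iptables -t nat -A POSTROUTING -p tcp --dport %s -j MASQUERADE\n' "$port"
  done
}

# Option 2: REDIRECT tun0 HTTP/HTTPS to a proxy listening on the VM itself.
nat_rules_to_vm() {
  tun="$1"; proxy_port="$2"
  for port in 80 443; do
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-port %s\n' \
      "$tun" "$port" "$proxy_port"
  done
}

# DNAT to another host only works if the VM forwards packets. The OpenVPN
# installer normally turns this on, but check rather than assume.
ip_forwarding_enabled() {
  [ -r /proc/sys/net/ipv4/ip_forward ] && [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# Apply a generated rule list idempotently: turn each "-A" into a "-C" (check)
# first and only append when the rule is absent. Needs root; the rules are
# still lost on reboot, as the post notes.
apply_rules() {
  "$@" | while IFS= read -r rule; do
    check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
    sudo sh -c "$check" 2>/dev/null || sudo sh -c "$rule"
  done
}

# Number of rules a generator produces (quick sanity check).
count_rules() { "$@" | wc -l | tr -d ' '; }

# Dry run: print the host-routing rules for review. To apply them:
#   apply_rules nat_rules_to_host tun0 192.168.0.2 8080
# and confirm afterwards with: sudo iptables -t nat -L -n -v
nat_rules_to_host tun0 192.168.0.2 8080
```

Run ip_forwarding_enabled before applying option 1; if it returns non-zero, the DNAT rules will be installed but the headset's traffic will never reach Burp on the host.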

Injecting Frida Gadget with Objection

Now that programmatic access and an intercepting proxy have been established, the last step is to set up dynamic instrumentation with Frida. This provides a means for injecting custom scripts into the application to analyze and manipulate its behavior during runtime. In a standard Android security test, Frida server could be pushed onto the device and run as root; however, without root access, Frida Gadget must be used instead. To simplify the patching process, the Objection framework will be used.

More information about Frida and Objection can be found here:

Pull APK from Device

The first step to injecting Frida Gadget into the APK is to locate the APK file on the device and pull it to the host using adb. Take note of the package name (com.app.name) in addition to its path, as both will be needed later. On Android, application binaries are stored under the /data/app/ directory. Meta Horizon Worlds will be used as an example.

Locate the application binary:

adb shell pm list packages -f | grep 'horizon'

Pull the application binary to the host:

adb pull /data/app/~~ouwQTF17g8xKG5swSHqUUw==/com.facebook.horizon-2glm3BljDrGS8YX8I9l-uA==/base.apk
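The output of pm list packages -f has the form package:<path>=<name>, and the app directories end in "==", so a naive split on the first "=" returns the wrong path; a grep on a substring such as 'horizon' can also match more than one package. The script below is an added example, not code from the original post: it parses that output on the last "=", matches the package name exactly, and wraps the adb pull. The sample output is constructed for this illustration (the directory hashes are made up, not taken from a device), and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): find an APK by exact package name
# in `pm list packages -f` output and pull it. Sample output below is
# constructed; the helper names are hypothetical.

# Constructed sample of `adb shell pm list packages -f` output. Each line is
# "package:<apk path>=<package name>"; the hashes are invented.
SAMPLE_PM_OUTPUT='package:/data/app/~~AAAAAAAAAAAAAAAAAAAAAA==/com.example.horizonclone-BBBBBBBBBBBBBBBBBBBBBB==/base.apk=com.example.horizonclone
package:/data/app/~~CCCCCCCCCCCCCCCCCCCCCC==/com.facebook.horizon-DDDDDDDDDDDDDDDDDDDDDD==/base.apk=com.facebook.horizon
package:/system/priv-app/Settings/Settings.apk=com.android.settings'

# The app directory names end in "==", so a line holds several '=' characters:
# split on the LAST one. ${var%=*} strips the shortest "=..." suffix (the
# name), ${var##*=} strips the longest "...=" prefix (the path).
pm_line_path() { line="${1#package:}"; printf '%s\n' "${line%=*}"; }
pm_line_name() { printf '%s\n' "${1##*=}"; }

# Read pm output on stdin and print the APK path of exactly the named package.
# A substring grep for 'horizon' would also hit com.example.horizonclone above.
find_package() {
  want="$1"
  while IFS= read -r line; do
    case "$line" in package:*) ;; *) continue ;; esac
    [ "$(pm_line_name "$line")" = "$want" ] || continue
    pm_line_path "$line"
    return 0
  done
  return 1
}

# Query the connected headset and pull the APK as <package>.apk. adb shell
# output can carry CR line endings, so strip them before parsing.
pull_apk() {
  pkg="$1"
  path=$(adb shell pm list packages -f | tr -d '\r' | find_package "$pkg") || {
    echo "package $pkg is not installed" >&2
    return 1
  }
  adb pull "$path" "./$pkg.apk"
}

# Usage against the constructed sample (no device needed):
printf '%s\n' "$SAMPLE_PM_OUTPUT" | find_package com.facebook.horizon
```

With a headset attached, pull_apk com.facebook.horizon fetches base.apk into the current directory under a predictable name, and the same package name is reused for the uninstall step later.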

Patch APK with Objection

Next, patch the APK using objection’s patchapk command.

objection patchapk -s base.apk

Install Patched APK on device

Once objection has finished, there should be a base.objection.apk in the current directory. Uninstall the current version of the application using the package name noted in the first step, then install the patched APK.

adb uninstall com.facebook.horizon
adb install base.objection.apk

Using Objection

To interact with the application using the Objection CLI, open the app on the device and run objection explore on the host. Note that the app will hang at its loading screen until it connects with the debugger from Objection.

The Objection CLI streamlines the exploitation process, allowing for more time experimenting and less time writing exploits. For example: instead of writing a Frida script to bypass SSL pinning, simply run android sslpinning disable to disable SSL pinning for the target application.

Other notable features of the Objection CLI include:

  • Disabling root detection
  • Searching and dumping memory
  • Interacting with SQLite databases
  • Exploring the filesystem
  • Manipulating Android methods and intents
  • Viewing the Android keystore
  • And so much more…

Looking Ahead

With objection set up and an intercepting proxy running, the environment setup is complete! Now it’s time to start looking for vulnerabilities such as broken access controls, insecure data storage, hardcoded credentials, and intent redirection.

With extended reality on the rise, it may only be a matter of time until there is a device in every home. As with all new technologies, security will play a major role in guiding its development. Stay ahead of the curve and book a consultation today!