Privacy Implications of Standalone VR

In recent weeks, I started analyzing the network traffic generated by popular standalone Virtual Reality headsets. This research aims to understand what data is being sent back to the manufacturer when the device is seemingly idle.

Intercepting Traffic

To intercept the traffic, I configured the headset to use a proxy server running Burp Suite. This required installing a custom Root CA on the device to decrypt HTTPS traffic.

Note: This process usually requires putting the headset into developer mode and using adb to push the certificate.

Initial Findings

The telemetry endpoints are surprisingly active even when no apps are running. Some of the data points collected include:

• Head Movement Data: Reduced-fidelity snapshots of IMU data.
• Environment Geometry: Basic metrics about the play boundary and recognized generic objects (like desks or couches).
• Application Usage: Timestamps of when specific applications are launched and closed.

Next Steps

The next phase of this research will involve attempting to modify the telemetry requests to see how the backend systems respond to malformed or unexpected data structures.

Stay tuned for more updates!