Study: AR/VR Use Can Be Inferred via GPU Data
A new research preprint details how user activity in AR/VR environments can be inferred through "side-channel" GPU profiling, even when data sharing is restricted. The study shows that third parties could potentially deduce sensitive behaviors and locations by analyzing GPU usage patterns. This highlights a potential data leakage vector that is often outside the scope of standard privacy controls.
This type of side-channel attack builds on previous methods that have successfully inferred sensitive user data from AR/VR headsets. Past research has shown it's possible to steal information like passwords and credit card numbers communicated via voice commands by analyzing subtle, speech-associated facial movements recorded by the headset's motion sensors. Other proven attacks can recover hand gestures, voice commands, and keystrokes on a virtual keyboard with over 90% accuracy by exploiting performance counters in the rendering engine. The OVRWatcher attack detailed in the study can fingerprint standalone AR/VR and WebXR applications with over 99% accuracy. It works by monitoring low-resolution (1Hz) GPU usage through a background script, which differs from prior methods that required high-resolution profiling tools. This allows the attack to identify not just the app being used, but also specific interactions within it, like which products a user selects in a shopping app or how many people are in a virtual meeting. GPU side-channel attacks are not new and exploit unintended information leakage from hardware operations. Common methods include cache-based attacks like "Flush+Reload" and "Prime+Probe," which monitor memory access patterns to infer data. Because multiple processes often share the same GPU, an attacker can run code on the same hardware to observe execution patterns and memory access times, potentially revealing cryptographic keys or user inputs. The vast amount of data collected by AR/VR devices—from biometric information like eye movement and facial expressions to behavioral patterns—creates significant privacy risks. This sensitive data can be used to create unique "biometric signatures" that could identify users even when they are using anonymous avatars. Regulatory frameworks like GDPR and CCPA have started to address biometric data collection, but the unique nature of immersive technologies presents new challenges. Mitigating these GPU-based threats involves several strategies, though none are foolproof. Techniques include strong workload isolation to prevent sensitive and non-sensitive tasks from running on the same GPU, as well as introducing randomized "noise" into operations to make timing-based attacks more difficult. At the hardware level, countermeasures can involve designing circuits to reduce physical information leakage and balancing power consumption to obscure correlations with logical operations. The current regulatory landscape for AR/VR privacy is often described as a patchwork of state and national policies that can leave critical gaps. Organizations like the Future of Privacy Forum (FPF) recommend that developers process as much sensitive data as possible locally on the device and ensure it is encrypted both in transit and at rest. As these technologies become more integrated into sectors like healthcare and finance, the need for robust, harmonized privacy legislation becomes more urgent.
