Oculus Sensors Are Technically Hackable Webcams

by Joe Durbin • January 27th, 2017

Oliver Kreylos is a researcher at UC Davis focusing primarily on virtual and augmented realities. He is known as something of a sleuth in the industry and was one of the first people to determine the actual field of view of the HoloLens before Microsoft released the official specs. More recently, Kreylos has been digging into the Oculus Rift Sensor and its ability to function as a basic webcam.

The right side of the above image was pulled by Kreylos from one of his Oculus Sensors. These “Sensors” are essentially cameras used to track the position of the Rift and Touch controllers in three dimensional space by picking up the imperceptible glow of infrared lights all over the headset and controllers. What Kreylos demonstrated, however, is that with a bit of informed tinkering, one can actually pull a recognizable image from the Oculus Sensor as if it was a low resolution black and white camera.

How is This Possible?

According to Kreylos, the combination of some basic Linux know-how and a general understanding of the way a computer works is all it takes to pull an image from his Oculus Sensor.

In an email written to UploadVR, he explains:

“Oculus decided to hide the fact that the Rift ‘sensor’ is a bog-standard webcam. Normally, when you plug a webcam into a USB port, the camera announces itself as a device in the USB video class (uvc), and the host PC then loads the standard uvc camera driver, and the camera works plug&play.

The Rift camera is still a uvc camera, but in the USB descriptor that’s sent to the host when it’s plugged in, the byte that should say ‘video class’ says ‘vendor-specific class.’ That’s why it doesn’t show up as a camera when you plug it into a PC without Oculus’ driver software installed.

To make it work, I had to patch the Linux kernel’s uvc camera driver. When the driver sees the USB vendor and product ID that match the Rift camera, it ignores the class type that’s in the USB descriptor, and starts treating it as a uvc camera. And because it actually is one, from that point on it works.”

Essentially what this means is that Oculus told the Sensor not to announce itself to the Windows operating system as a camera. If it did, Windows might automatically pull up its standard webcam drivers, which is not what Oculus wants. Instead, there’s a custom driver they want Windows to use to interface with the Sensor so that it functions only in tandem with the Rift. Kreylos describes this as a layer of “obfuscation” and says it is one of a few that Oculus employs to keep what is, in essence, a camera from behaving like one.

According to Kreylos:

“I then noticed that Oculus added a second layer of obfuscation. The camera’s real video image format is greyscale, with 8 bits per pixel. In uvc, image formats are selected by four-character so-called fourcc values. The fourcc for greyscale is ‘Y8’ or ‘GREY’, but the Rift camera’s firmware lies and sends ‘YUYV’, which is an interleaved 16-bit color format that’s used by most webcams. The firmware makes up for the fact that the pixels are twice as big by lying about the camera resolution. For example, instead of advertising 1280×960 Y8, it advertises 640×960 YUYV. That way, the actual raw image data has the same overall layout (1280 bytes per image row).”

This is a detailed way of saying that even if you can pull a still from your Oculus camera, there are still adjustments required in order to deliver a coherent picture. The Rift Sensor is only meant to capture one thing: the infrared trackers. In fact, the Oculus Sensors include a physical filter to remove visible light since that is “just noise, making it harder for it to operate,” as iFixit wrote in its teardown of the hardware.

However, just because this is what the Sensors were designed to do does not mean that an enterprising mind cannot use the hardware to produce something recognizable. It may not even be that difficult. According to Kreylos, “To get the real picture, I had to do nothing but ignore the advertised fake video format, and treat the incoming raw data as the actual format.”
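The layout arithmetic Kreylos describes, worked through in C as an added example; it is not code from the article, from Kreylos, or from Oculus. The `frame_fmt` struct and all function names are hypothetical, and the only figures taken from the page are the two fourcc values and the 640×960 / 1280×960 resolutions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame geometry as advertised over UVC (hypothetical struct, not a kernel type). */
struct frame_fmt {
    char     fourcc[5];         /* four-character code plus NUL */
    unsigned width, height;     /* pixels */
    unsigned bytes_per_pixel;
};

/* Bytes per image row: the quantity the advertised and real layouts share. */
size_t row_stride(const struct frame_fmt *f)
{
    return (size_t)f->width * f->bytes_per_pixel;
}

/* Derive the 8-bit greyscale layout with the same row stride as an advertised
 * YUYV format. Returns 0 on success, -1 if the input is not 16-bit YUYV. */
int grey_layout_from_yuyv(const struct frame_fmt *adv, struct frame_fmt *real)
{
    if (strcmp(adv->fourcc, "YUYV") != 0 || adv->bytes_per_pixel != 2)
        return -1;
    strcpy(real->fourcc, "GREY");
    real->width = adv->width * 2;   /* two 8-bit pixels per 16-bit "pixel" */
    real->height = adv->height;
    real->bytes_per_pixel = 1;
    return 0;
}

/* Pixel (x, y) when the raw buffer is read as 8-bit greyscale. */
uint8_t grey_pixel(const uint8_t *raw, const struct frame_fmt *f, unsigned x, unsigned y)
{
    return raw[y * row_stride(f) + x];
}

/* Luma a YUYV decoder would use for pixel (x, y): even bytes only. The odd
 * bytes, which are really greyscale pixels, would be consumed as chroma. */
uint8_t yuyv_luma(const uint8_t *raw, const struct frame_fmt *f, unsigned x, unsigned y)
{
    return raw[y * row_stride(f) + 2u * x];
}

int main(void)
{
    struct frame_fmt adv = { "YUYV", 640, 960, 2 }, real;
    if (grey_layout_from_yuyv(&adv, &real) == 0)
        printf("%s %ux%u -> %s %ux%u, stride %zu bytes\n", adv.fourcc, adv.width,
               adv.height, real.fourcc, real.width, real.height, row_stride(&real));
    return 0;
}
```

Because the row stride is unchanged, no bytes move: a host that trusts the advertised fourcc decodes every second greyscale pixel as colour information, which is why the unmodified stream does not look like a usable picture.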

So…is Facebook Spying on Me? 

The Oculus Sensor is designed to capture a specially formatted set of coordinates and immediately discard any visual data, with Facebook telling us “we do not store any frames captured by the sensor, so there is no way for someone to access this information from our server.” While it was designed with a very specific usage in mind — to track the headset and controllers — it is nonetheless technically possible for a hacker who has gained access to your PC to use the hardware to spy just like any other webcam.

Kreylos:

“My point is that Oculus’ driver doesn’t retain or store camera images. They get consumed and then destroyed immediately after arriving over USB, and only the extracted (x, y) LED positions survive and get fed into the pose estimation algorithm.

Now, it is conceivable that the driver could retain images anyway, and even send them up to Facebook headquarters for analysis. But that’s tinfoil hat territory. The potential payoff would be minimal (better ad targeting?), but the potential risk — if this were to come out, and it would sooner or later — is enormous. Not just from a PR disaster perspective, but from the point of severe legal repercussions. So no, they’re not doing that”.

Oculus is adamant on this point as well:

“The Rift Sensor doesn’t operate like a typical camera. We’ve specifically designed this sensor to detect infrared signals on the Rift and Touch controllers. This is how we make sure the experience in VR mirrors how a person is moving in real life. Frames captured by the sensor are processed to reduce things in the background so our infrared signals are clearly highlighted. Then, we immediately discard the frames. The sensor isn’t connected directly to the internet and we do not store any frames captured by the sensor, so there is no way for someone to access this information from our servers.”

What Should I Do?

Despite its intended purpose, Kreylos shows the Rift sensor can capture a recognizable image of anything or anyone in front of it. This does mean that the device is vulnerable to hackers and malware. As Kreylos puts it, “What might be an actual potential worry is other, non-Facebook actors, turning the cameras into spy cameras via malware. I could actually see that happening at some point.”

Facebook agrees on that point, stating, “Like other Windows or USB peripherals, the Sensor could be accessed if a person’s PC is compromised.”

The message here is that your Oculus Rift Sensor is perfectly capable of transmitting images of you and your home to any hacker or agency skilled enough to overcome Windows security or any extra security you may have installed on your PC. Until we hear otherwise, we believe the Oculus Sensor to be no more or less vulnerable than your PC as a whole.

It is important, therefore, for any user of an Oculus Rift to be aware that a potential for invasion does exist with their Sensors, and to take whatever steps he or she deems appropriate for protection.

To put this all very simply, if you are the type of person that feels a Post-It Note or tape over the webcam on your laptop is an important security precaution, you should probably cover the Oculus Sensor as well.

Clarification: A section above discussing Facebook’s intended use of the sensor was updated with a clearer description.

  • Paulo

    Slow news week eh UploadVR?

    “USB connection is not safe from hackers!”, this in at 10.

    If the fact that these can be hacked to produce a visible image has shocked you, please inform yourself of how the hardware actually works. This has been done since DK1.

    • Ian Hamilton

      Not many people who buy a consumer product are aware how the hardware actually works.

      • koenshaku

        Many people are aware how facebook works though, since people their cameras is their business after all lol.

    • UE

      Uh…. the camera with the DK1 was hacked… interesting.

      I want to meet the person who rose to that challenge.

      • Paulo

        I edited my comment before you wrote that, typo on my end. The dk1 had no positional tracking.

        • Dirk Bowler

          No you didn’t. I was watching. You changed it after his post.

          • Paulo

            You’ve been watching for three hours? Troll harder Dirk. You can believe that if it helps you feel better.

  • UE

    Ah just want to point out.
    Sensor is a more accurate term than camera for what it does and how it operates. Please remember that all digital cameras work because of sensors.

    It isn’t just some marketing speak or intended deception, it just most accurately describes the camera.

    On top of that it is designed on a hardware level to have the light turn on whenever it is active for any reason. Worth mentioning.

  • NooYawker

    Good for Facebook, but seriously, is this possible with HTC’s lighthouses as well? I mean there’s an actual camera on the Vive headset. Can it be hacked as easily as a webcam?

    • Paulo

      Yes it can, and technically it’s easier. No driver hacking needed!

      This article is just for clicks, it’s easy to do that writing something about negative Oculus.

      • koenshaku

        While that is true the Vive camera will not be able to see your head since you are in fact wearing it..

        • Paulo

          I’m pretty sure the hmd spends considerably more time off your head than on.

      • towblerone

        Fanboy.

    • harry1w

      Not the lighthouses, all they do is emit a sweeping line of IR light which the headset uses to work out its location.

      The camera on the headset, probably they’re not hiding the fact it’s a camera

  • 1droidfan

    LOL, all you VR P0rn fans the NSA has vids of you fapping!

    • koenshaku

      Not really I fap with Vive only..

      • Deppchef

        remember there is a front cam on the Vive. so they could have several closeups of your dick by now 😉

        • 1droidfan

          In his case it would need a telephoto lens, LOL!

        • koenshaku

          fappers take pride in sharing their fapping anonymously that is like a perk lol.

  • OkinKun

    You’re trying to create controversy over nothing. The cameras can’t be accessed without your knowledge, as the LED would turn on, camera function is hardwired to that LED.

    • koenshaku

      Is it though if it is hacked? Is it?

  • koenshaku

    I wonder if all the cameras could produce reverse 360 degree VR porn lol.

  • So, Zuckerberg is watching me while i watch VirtualRealPorn videos? So naughty…

    DocOk took to recompile the kernel and do strange stuff to get images of these sensors, so I think that it is quite a strange way to take for a hacker. Unless you’re the president of US, I don’t know why a hacker should bother to do all that work. Far easier to exploit some standard webcam we all already have in our systems.

    Kudos to him, anyway. A great great job, as always. I admire that guy

  • Impressive! If you let someone sit at your machine for a bit and let them install Linux on it, they can use a camera as an actual camera! BE AWARE! STAY VIGILANT!

  • James Coady

    I like the way the “journalist” pretty much transcribed the entire article except the part where it talks about the physical led notification light that shows when the camera is on. A fail safe that can’t be broken in code.

    Poor show uploadvr, this click bait article is really making me question the legitimacy of your site.

  • jimrp

    Well then I guess I need to get naked and shake my junk at the hackers.

  • Douglas

    This is right up there with the Kinect in my opinion. Are they using it to spy? No. Can it be used? Yes but no doubt they will tell you no just like Microsoft did before it was leaked that the GCHQ was using it to spy on people. This is the kind of stuff you open yourself up to when you buy hardware from Facebook.

    By the way, nice “sensor”. Real hi tech stuff. I mean you totally fooled everyone by putting a tinted piece of plastic over the end.

  • Mike

    If a hacker has managed to get on your computer, reconfigure your USB, install your Oculus Sensor as a webcam (I’m going to guess this also stops the sensor operating as intended?) just so they can see some grainy black and white image, you probably have more to worry about than your sensor.

    Hackers with some malicious intent generally go after a large market with users who are ill informed. They are unlikely to target a small market where its main user base is mostly tech savvy. They would have more success with a “You are the 1,000,000 Oculus user, Congratulations. enter your credit card information and we will send you a for a full refund on your Oculus”

    • hogscraper

      lol I was thinking something like that when I first loaded up the Oculus store and it wouldn’t use the store credit I had until I added a credit card.

  • reality

    HAHA just play games in offline mode!
    by vrwatchman .com

  • Graham J ⭐️

    So does Zuck put sticky notes over his Rift cams too? 😄