| Recurring |
one_organization |
(a) The software failure incident related to virtual reality systems being vulnerable to attacks has happened again at Oculus, a unit of Facebook. The researchers from the University of New Haven found vulnerabilities in the Oculus Rift system, which could be exploited by attackers to alter what a person sees in VR [70156].
(b) The software failure incident related to virtual reality systems being vulnerable to attacks has not been explicitly mentioned to have happened again at other organizations or with their products and services in the provided articles. |
| Phase (Design/Operation) |
design |
(a) The software failure incident related to the design phase can be seen in the research conducted by the University of New Haven on virtual reality systems like the HTC Vive and Oculus Rift [70156]. The researchers found that the VR systems lacked protection against attacks that could alter what a person sees in VR, highlighting a design flaw in the systems' security measures. The attack tests were conducted to assess the integrity of the VR system and revealed that the software on the Oculus Rift and HTC Vive relied heavily on the security of the operating system and the user, indicating a lack of robust security measures built into the design of the systems.
(b) The software failure incident related to the operation phase is evident in the vulnerability discovered by the researchers in the OpenVR software development kit used by both Oculus and HTC when playing games on the Steam platform [70156]. The attack tests conducted by the research team focused on testing the VR system's integrity and did not take into account antivirus software and other protections already in place on a user's computer, highlighting a potential operational weakness in how the VR systems interact with existing security measures during gameplay. |
| Boundary (Internal/External) |
within_system, outside_system |
(a) The software failure incident related to the boundary of the VR systems falls under the category of within_system failure. The researchers from the University of New Haven were able to alter what a person could see in VR on the Oculus Rift and the Vive by infecting a computer through malware attached to an email [70156]. They found that the systems include no protection to stop these kinds of attacks and that the attack tests were all done through OpenVR, a software development kit developed by Valve, used by both Oculus and HTC when playing games on the Steam platform. The unencrypted access included crucial elements on the software such as the systems' wall boundaries, the camera, and the screen's display, allowing attackers to manipulate the virtual boundaries on the VR display [70156]. |
| Nature (Human/Non-human) |
non-human_actions |
(a) The software failure incident occurring due to non-human actions:
The software failure incident reported in the articles is related to a vulnerability in virtual reality systems like the HTC Vive and Oculus Rift that could be exploited by attackers to alter what a person sees in VR. The researchers from the University of New Haven found that in a controlled attack, they were able to manipulate the VR display through OpenVR, a software development kit developed by Valve, used by both Oculus and HTC when playing games on the Steam platform. This vulnerability was not due to human actions but rather a lack of security measures within the VR systems themselves [70156].
(b) The software failure incident occurring due to human actions:
The software failure incident discussed in the articles was not caused by human actions but rather by the lack of security measures within the virtual reality systems themselves. The researchers infected a computer with malware to test the security of the Oculus Rift and HTC Vive systems, revealing that these systems were not adequately protected against such attacks. The vulnerability exploited by the researchers was a result of the systems' reliance on the security of the operating system and the user, rather than any specific human actions introducing the failure [70156]. |
| Dimension (Hardware/Software) |
hardware, software |
(a) The software failure incident related to hardware:
The incident reported in the article [70156] highlights a software failure incident that could potentially lead to real-world consequences due to a vulnerability in virtual reality systems like the HTC Vive and Oculus Rift. The researchers from the University of New Haven were able to alter what a person could see in VR on these systems, indicating a potential hardware-related failure in the design or implementation of the VR hardware itself. The vulnerability allowed attackers to manipulate the virtual environment, potentially causing users to collide with physical objects in the real world, such as walls, due to altered visual cues within the VR experience.
(b) The software failure incident related to software:
The same incident reported in article [70156] also sheds light on a software failure aspect of the virtual reality systems. The researchers found that the systems, particularly when using OpenVR software development kit developed by Valve, lacked adequate protection mechanisms to prevent unauthorized alterations to the VR environment. This software vulnerability allowed attackers to manipulate the virtual boundaries and visual displays within the VR systems, showcasing a software-related failure in ensuring the integrity and security of the VR software components. |
| Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident described in the articles is malicious in nature. Researchers from the University of New Haven conducted controlled attacks on virtual reality systems like the Oculus Rift and HTC Vive to alter what a person could see in VR, highlighting the potential dangers of virtual reality [70156]. The attack tests were done through OpenVR, a software development kit developed by Valve, and the researchers found crucial elements on the software that were not encrypted, allowing them unencrypted access to the systems' wall boundaries, camera, and display [70156]. This malicious attack could lead to real-world consequences as players are deeply immersed in the VR gameplay, potentially causing harm by manipulating their virtual environment [70156]. |
| Intent (Poor/Accidental Decisions) |
poor_decisions |
(a) The intent of the software failure incident:
The software failure incident described in the articles can be attributed to poor decisions. The researchers from the University of New Haven conducted controlled attacks on virtual reality systems like the Oculus Rift and HTC Vive to demonstrate the vulnerabilities in the systems. They found that the VR systems lacked protection against attacks that could alter what a person sees in VR, potentially leading to dangerous real-world consequences. The researchers infected a computer with malware to test the security of the VR systems and highlighted the lack of security measures in place. Additionally, they pointed out that crucial elements in the software were not encrypted, leaving the systems vulnerable to manipulation [70156]. |
| Capability (Incompetence/Accidental) |
development_incompetence |
(a) The software failure incident related to development incompetence is evident in the research conducted by the University of New Haven on virtual reality systems like the Oculus Rift and HTC Vive [70156]. The researchers found that these systems lacked protection against attacks that could alter what a person sees in VR, highlighting a lack of security measures in the development of the software. The attack tests were conducted through OpenVR, a software development kit developed by Valve, used by both Oculus and HTC, indicating a vulnerability in the software development process.
(b) The software failure incident related to accidental factors is demonstrated by the unencrypted access discovered by the researchers on the VR systems, including wall boundaries, the camera, and the screen's display [70156]. This lack of encryption was a crucial oversight that could potentially lead to unintended consequences, such as altering virtual boundaries and causing players to collide with physical objects in the real world. The researchers also highlighted the potential real-world harm that could result from such attacks, indicating accidental vulnerabilities in the software design. |
| Duration |
permanent, temporary |
The software failure incident described in the articles can be categorized as both temporary and permanent.
Temporary: The researchers from the University of New Haven were able to alter what a person could see in VR on the Oculus Rift and the Vive in a controlled attack, indicating a temporary failure due to specific circumstances introduced by the attack [70156].
Permanent: The lack of protection in the VR systems to stop such attacks, the unencrypted access to crucial elements like wall boundaries, camera, and display, and the potential real-world consequences of such attacks suggest a permanent failure due to contributing factors introduced by all circumstances [70156]. |
| Behaviour |
value, other |
(a) crash: The software failure incident described in the articles does not involve a crash where the system loses state and stops performing its intended functions. Instead, the incident involves a security vulnerability in virtual reality systems like the Oculus Rift and HTC Vive that allows attackers to manipulate what users see in the virtual environment [70156].
(b) omission: The incident does not involve the system omitting to perform its intended functions at an instance(s). It is more focused on the manipulation of the virtual reality environment by attackers due to a lack of security measures in place [70156].
(c) timing: The failure is not related to the system performing its intended functions too late or too early. It is primarily about the vulnerability in the virtual reality systems that allows attackers to alter the user's perception in the virtual environment [70156].
(d) value: The software failure incident is related to the system performing its intended functions incorrectly. In this case, attackers can manipulate what users see in the virtual reality environment, potentially leading to real-world consequences as users are deeply immersed in the VR experience [70156].
(e) byzantine: The incident does not involve the system behaving with inconsistent responses and interactions, which would fall under the byzantine failure category. Instead, it is about the security vulnerability that allows attackers to change the visual perception of users in the virtual reality environment [70156].
(f) other: The behavior of the software failure incident can be categorized as a security vulnerability that allows attackers to alter what users see in the virtual reality environment, potentially leading to dangerous real-world consequences. This behavior is not explicitly covered by the options (a) to (e) and can be considered a form of security breach or manipulation of the system's visual output [70156]. |