If you have a Oculus Rift virtual reality headset, there’s a good chance you’re a little bummed right now because you can’t terrify yourself with the recently released Resident Evil 7, which is exclusive to PlayStation VR. But if you need a fright, consider this—someone could be watching you right now through your Oculus’ sensors, which are a little more than repurposed webcams.
That much has been known for a while, but attempts to get images from them have been shoddy at best as the sensors chiefly focus on the movement of infrared light around the objects in front of the them. In a recent interview with UploadVR, though, Oliver Kreylos, a researcher at the University of California, Davis, said he discovered how to pull recognizable images from the data the sensors collect. Getting the images isn’t trivial, but if you’re the kind of person who covers up their laptop’s webcam (and really, you should be), than you might want to cover that Oculus tracking sensor as well.
Videos by VICE
It takes a little work to get those images to show up. Kreylos discovered that Oculus effectively disguises the webcams by making them report to the computer that they’re something else when they’re hooked up through a USB port. By patching the driver, though, he was able to get the computer to recognize the sensor for the camera it truly is. He also found that Oculus was effectively tricking the PC into thinking it was using a smaller video format, but was able to override that by tinkering with it so as to only receive the raw data.
Kreylos believes his discovery in no way means Oculus owner Facebook is collecting images and video from all of the people who use the Rift. Facebook claims it doesn’t store any of the images, and Kreylos himself discovered that the images immediately get discarded once they travel through the USB, leaving only “extracted (x, y) LED positions” to work with.
Oculus said as much in a response to UploadVR.
“Frames captured by the sensor are processed to reduce things in the background so our infrared signals are clearly highlighted. Then, we immediately discard the frames. The sensor isn’t connected directly to the internet and we do not store any frames captured by the sensor, so there is no way for someone to access this information from our servers,” a representative said.
Unfortunately, that doesn’t mean there’s nothing to worry about. Kreylos believes that hackers could use malware to turn the sensors into working cameras, but right now it seems only about as threatening as the risks we take every day with our computers’ built-in or internal cameras.