Cybersecurity continues to grow in step with the need to keep consumers safe in their digital interactions. And the rise in nefarious activity and attempts to access sensitive personal data applies to spatial computing. Indeed, AR and VR’s immersiveness involves even greater levels of sensitive data than 2D media and web activity, including factors like eye tracking and other biometrics.

The need for data security in XR is also evident and inherent in one of its most popular formats: social lenses. Because these are shared and transmitted through social feeds and messaging mechanisms, they’re vulnerable in the same way that most messaging is. Similarly, social VR or immersive workplace collaboration apps involve peer-to-peer communication that could be spied on. So what can be done about it? Today, end-to-end encryption (E2EE) remains one of the best options.

Why You Need Robust Encryption Protocols in XR

Implementing a robust encryption protocol in XR environments isn’t just important; in some cases it’s critical. Some apps and experiences need it more than others, but generally speaking, if you share personally identifiable information or financial details (think: in-app purchases), you are more exposed to cyberattacks and to having your communications tampered with.

Hackers aren’t the only ones to worry about. Third parties like app developers or device manufacturers may be able to view and share your private communications without your knowledge or consent.

You don’t just put yourself at risk — the person you’re talking to could be targeted, too. Have you ever called an online friend by their real name instead of their account name? Do you discuss proprietary information with colleagues in XR workplace collaboration apps? Encryption is essential for maintaining your conversations’ privacy, confidentiality, and integrity.

Are Your Communications in XR Not Already Secure?

An XR environment has multiple entry points — your headset, controllers, and app of choice can act as gateways for hackers who exploit hardware, firmware, or software vulnerabilities. Every point of connection increases your attack surface.

Plus, since many device manufacturers, brands, and service providers do not take responsibility for third-party apps, even seemingly innocuous messaging platforms can pose a significant threat. You, like many others, might assume their security standards extend to the apps on their stores. They often do not.

Conventional E2EE functionality within XR platforms can be compromised by client-side scanning (CSS). This technology scans messages on your device for matches to a database of objectionable content for safety — like preventing the spread of malware or child sexual abuse material — before they go to the intended recipient. Because the scan happens before the message is encrypted, it breaks the E2EE trust model.

XR is becoming more popular. Even expensive, high-end headsets like the Apple Vision Pro are attracting attention. According to a 2023 poll, more than 50% of respondents said they wanted to purchase it. While its high price point ultimately affected sales, tech giants are determined to break into the market, meaning E2EE adoption is increasingly pressing.

How End-to-End Encryption Secures Communications

E2EE secures data while it moves from your device to its intended destination, providing robust security against exfiltration, eavesdropping, and man-in-the-middle attacks. It also makes details like your location and message timestamps more challenging to interpret.

When you use conventional E2EE for XR communications, you generate two cryptographic keys — one public and one private. You use the latter to decrypt information. When you start a conversation, your messages are turned into ciphertext. Only the recipient’s private key can turn them back into plaintext.

Advanced Encryption Standard (AES) is an industry-standard symmetric encryption algorithm that is particularly well suited to XR applications. Rivest-Shamir-Adleman (RSA) is an excellent asymmetric alternative, but it’s best for smaller data transmissions.

Elliptic curve cryptography (ECC) is ideal for XR communications. Compared to RSA, it offers equivalent security at much smaller key sizes: a 256-bit ECC key provides the same protection as a 3072-bit RSA key. This makes it ideal for resource-constrained hardware like low-power XR headsets or battery-operated glasses.
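As an added illustration of the hybrid design the last three paragraphs describe (this is example code written for this article, not code from any product or research project mentioned here): the small secret is agreed with elliptic-curve key agreement (X25519, a 32-byte public key), and the bulk message is protected with symmetric AES-256-GCM. Only the private key matching the recipient’s public key can open a message, and any byte changed in transit fails the authentication tag check. SHA-256 of the shared secret is used in place of a full HKDF derivation, and the message text is constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// NewKeyPair makes one party's X25519 key pair. The private half stays on the
// device; PublicKey() is the 32-byte value that can be shared in the clear.
func NewKeyPair() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }

// sessionAEAD derives an AES-256-GCM cipher from the X25519 shared secret (SHA-256 stands in for HKDF).
func sessionAEAD(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, _ := aes.NewCipher(key[:]) // 32-byte key: NewCipher cannot fail here
	return cipher.NewGCM(block)
}

// Encrypt returns nonce || ciphertext || tag; only the private key matching peer can open it.
func Encrypt(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	gcm, err := sessionAEAD(priv, peer)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt; any byte altered in transit fails the GCM tag check.
func Decrypt(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, msg []byte) ([]byte, error) {
	gcm, err := sessionAEAD(priv, peer)
	if err != nil {
		return nil, err
	}
	if ns := gcm.NonceSize(); len(msg) >= ns {
		return gcm.Open(nil, msg[:ns], msg[ns:], nil)
	}
	return nil, errors.New("message too short")
}
```

A third device that holds both public keys but neither private key gets a decryption error, which is the property that separates E2EE from transport encryption.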

Novel E2EE Protocols for XR Communications

Although conventional E2EE works well, hackers have learned workarounds over the years. Thankfully, modern alternatives exist. ARSecure — a novel AR-based E2EE messaging system proposed by researchers — encrypts and decrypts content before you send it. Since it uses speech-to-text, you aren’t vulnerable to keyloggers or CSS-induced privacy gaps.

The problem with ARSecure is that its authentication model relies solely on a password, forgoing biometrics or multi-factor authentication. You’d need to make it at least 12 characters long — using a mix of letters, symbols, and upper-case characters — to improve security.

GazePair is an alternative proposed framework for connecting your XR device to a network or platform. It uses eye-tracking technology and a spoken key sequence cue built into your headset to generate symmetric 64-bit encryption keys. It pairs faster and more securely than current methods. You don’t even need to remove your headset or take turns pairing.

The Challenges of Encrypting Communications in XR

Maintaining device performance and user experience is one of the biggest challenges of protecting message content with E2EE. Encryption protocols — especially asymmetric algorithms — are power- and resource-intensive, adversely affecting battery life and loading speeds. Low-power hardware may die faster or experience an unusually high amount of lag.

Even if you can overlook minor performance drops, you should still consider the additional responsibility of securing encryption keys. Even when they’re securely stored on your device, the device itself can be hacked.

The most pressing concern is that E2EE may not technically provide end-to-end security if the recipient’s XR software, firmware, or hardware is compromised. It only protects messages until they reach their destination. If a hacker has already infiltrated or stolen a system, they may be able to view or exfiltrate data once it’s decrypted.

Not Every XR Platform Provides E2EE for Communication

Although securing XR is critical, many XR and mixed reality platforms do not use E2EE. Many don’t even leverage standard security frameworks. Do your research before using a service or trusting a brand to ensure your messages’ security.

Devin Partida is Editor-in-Chief at ReHack Magazine and editorial contributor at AR Insider. See her work here and follow her @rehackmagazine.
