I Know What You Did Last Summer: Identifying VR User Activity Through VR Network Traffic

Virtual Reality (VR) technology has gained substantial traction and has the potential to transform a number of industries, including education, entertainment, and professional sectors. Nevertheless, concerns have arisen about the security and privacy implications of VR applications and the impact that they might have on users. In this paper, we investigate the following overarching research question: can VR applications and VR user activities in the context of such applications (e.g., manipulating virtual objects, walking, talking, flying) be identified based on the (potentially encrypted) network traffic that is generated by VR headsets during the operation of VR applications? To answer this question, we collect network traffic data from 25 VR applications running on the Meta Quest Pro headset and identify characteristics of the generated network traffic, which we subsequently use to train off-the-shelf Machine Learning (ML) models. Our results indicate that through the use of ML models, we can identify the VR applications being used with an accuracy of 92.4% and the VR user activities performed with an accuracy of 91%. Furthermore, our results demonstrate that an attacker does not need to collect large amounts of network traffic data for each VR application to carry out such an attack. Specifically, an attacker only needs to collect less than 10 minutes of network traffic data for each VR application in order to identify applications with an accuracy higher than 90% and VR user activities with an accuracy higher than 88%.