HoloPair: Securing Shared Augmented Reality Using Microsoft HoloLens

Augmented Reality (AR) devices continuously scan their environment in order to naturally overlay virtual objects onto the user's view of the physical world. In contrast to Virtual Reality, where one's environment is fully replaced with a virtual one, one of AR's "killer features" is co-located collaboration, in which multiple users interact with the same combination of virtual and real objects. Microsoft recently released HoloLens, the first consumer-ready augmented reality headset that needs no outside markers to achieve precise inside-out spatial mapping, which allows centimeter-scale hologram positioning. However, despite the many applications published on the Windows Mixed Reality platform that rely on direct communication between AR devices, there currently exists no implementation or achievable proposal for secure direct pairing of two unassociated headsets. As augmented reality enters the mainstream, this omission exposes current and future users to a range of avoidable attacks. In order to close this real-world gap in both theory and engineering practice, in this paper we design and evaluate HoloPair, a system for secure and usable pairing of two AR headsets. We propose a pairing protocol and build a working prototype to experimentally evaluate its security guarantees, usability, and system performance. By running a user study with a total of 22 participants, we show that the system achieves high rates of attack detection, short pairing times, and a high average usability score. Moreover, in order to make an immediate impact on the wider developer community, we have published the full implementation and source code of our prototype, which is currently under consideration for inclusion in the official HoloLens development toolkit.
