
CPATH-2026-0012 · SMART GLASSES AR

Inception Attack: malicious VR app hijacks the entire Meta Quest environment (UChicago, 2024)

Provisional. Candidate score (CFSE Consequence Paths 1.0-candidate); pending independent review. Treat as a structured second opinion, not a final rating.
Paths: CRITICAL · Dominant consequence: PERCEPTION_TO_ACTION (perception) · Evidence: EV:3 (reproduced / report-backed) · Liveness: MITIGATED
CPATH ID: CPATH-2026-0012
CVE(s):
Device / class: Inception Attack: malicious VR app hijacks the entire Meta Quest environment (UChicago, 2024) (SMART GLASSES AR)
Vendor: Meta
Dominant consequence: PERCEPTION_TO_ACTION (perception)
Paths verdict: CRITICAL (worst of 2 paths)
Published baseline: No public baseline score is published for this case. The registry still records the reachable consequence path for review.
Baseline relationship: ⊘ no published baseline
Consequence dimension(s): #2 #7
Scored: 2026-06-03 · CFSE Consequence Paths v1.0-candidate · validation: provisional
Baseline confidence: low
Citation review open. One or more source labels do not yet include public links. Treat those facts as needing citation review before relying on them.

Consequence Paths

Paths Assessment

perception

PERCEPTION_TO_ACTION

CRITICAL
Reachability RE:2
Complexity EC:2
Consequence PERCEPTION_TO_ACTION
Scale SR:3 / SX:3
Verdict CRITICAL
Reachability 2
Complexity 2
Exposure 2
Physical / safety 3
Data / perception 4
Authority 2
Chainability 4
Reuse scale 3
Execution scale 3
Recovery 3
Evidence EV:3 · reproduced / report-backed
Liveness MITIGATED
Vector CPATH:1.0-candidate/TT:PERCEPTION_TO_ACTION/RE:2/EC:2/EX:2/PH:3/DP:4/AT:2/CH:4/SR:3/SX:3/OR:3/EV:3/LS:MITIGATED

perception

PERCEPTION_PRIVACY

CRITICAL
Reachability RE:2
Complexity EC:2
Consequence PERCEPTION_PRIVACY
Scale SR:3 / SX:3
Verdict CRITICAL
Reachability 2
Complexity 2
Exposure 2
Physical / safety 3
Data / perception 4
Authority 2
Chainability 4
Reuse scale 3
Execution scale 3
Recovery 3
Evidence EV:3 · reproduced / report-backed
Liveness MITIGATED
Vector CPATH:1.0-candidate/TT:PERCEPTION_PRIVACY/RE:2/EC:2/EX:2/PH:3/DP:4/AT:2/CH:4/SR:3/SX:3/OR:3/EV:3/LS:MITIGATED

Assessment

CFSE Consequence Paths assesses Inception Attack: malicious VR app hijacks the entire Meta Quest environment (UChicago, 2024) at CRITICAL — the worst of 2 risk paths (perception). The dominant consequence is manipulated perception that drives action.

Vulnerability

Inception Attack: malicious VR app hijacks the entire Meta Quest environment (UChicago, 2024). Reported attack vector: ADJACENT (same Wi-Fi network) plus local foothold via developer mode/sideloading.

CFSE Consequence Paths analysis

The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.

PERCEPTION_TO_ACTION · CRITICAL

CPATH:1.0-candidate/TT:PERCEPTION_TO_ACTION/RE:2/EC:2/EX:2/PH:3/DP:4/AT:2/CH:4/SR:3/SX:3/OR:3/EV:3/LS:MITIGATED

Exposure EX=2 (reachability and complexity-bound) · bands PH=HIGH · DP=CRITICAL · AT=ELEVATED → base CRITICAL → assessed CRITICAL.

Attacker fully mediates the immersive visual/audio field (pixel-perfect cloned home + apps). The manipulated perception is the wearer’s entire reality, driving physical movement and trust decisions (e.g., altered bank-transfer amounts shown in VR browser, AI-cloned call participants).

PH:3 because controlling the visual field can disorient and induce unsafe physical motion / safety-margin reduction, but no demonstrated credible injury/dangerous actuation (PH:4 reserved).
RE:2 requires presence on victim Wi-Fi plus device in developer mode (adjacent/local-net, no internet-default exposure).
EC:2 advanced-but-reproducible (network foothold + sideload + overlay app, demonstrated in lab).
AT:2 — operates as a layer above the OS (full control of perceived session and MITM of all I/O), not kernel/root-of-trust/signing compromise, so capped at bounded-component/session authority despite breadth.
DP:4 and perception_feeds_action=true: the exposed/altered world-model state (rendered reality, gaze/motion-relevant interaction) directly drives the human’s safety-relevant perception and action.
CH:4, boundary_crossing=true: bridges network -> app overlay -> device perception -> user physical/decision domain.
SR:3 reusable payload across Quest models tested (portable app artifact, not a shared signing key).
SX:3 deployment-wide given a compromised shared network and dev-mode precondition, not fully fleet-scale remote.
OR:3 high stealth, hard to observe once established, recoverable by config (disable dev mode/untrusted networks) without fleet reprovision.
EV:3 reproduced by researchers.

PERCEPTION_PRIVACY · CRITICAL

CPATH:1.0-candidate/TT:PERCEPTION_PRIVACY/RE:2/EC:2/EX:2/PH:3/DP:4/AT:2/CH:4/SR:3/SX:3/OR:3/EV:3/LS:MITIGATED

Exposure EX=2 (reachability and complexity-bound) · bands PH=HIGH · DP=CRITICAL · AT=ELEVATED → base CRITICAL · caps privacy-only cap → assessed CRITICAL.

Published baseline

No public baseline score has been published for this finding. It belongs to a perception/surveillance harm class that is often outside published vulnerability-scoring coverage. The registry records the reachable consequence path for review.

Sources

Cite this entry: CFSE Consequence Paths Registry v1.0-candidate, entry CPATH-2026-0012 (“Inception Attack: malicious VR app hijacks the entire Meta Quest environment (UChicago, 2024)”), paths.cfse.ai/CPATH-2026-0012 (published 2026-06-03).