AR/VR devices are becoming prevalent, permeating different facets of our daily lives. Nevertheless, this prevalence presents fresh security and privacy hurdles as users increasingly employ these devices to manage sensitive data such as passwords, personal information, and financial data in potentially insecure settings. Due to these concerns, there has been an increasing trend in the literature to analyze security and privacy threats for AR/VR by proposing novel attack strategies. While effective and worrisome, the existing body of work has focused mostly on internal threats for AR/VR devices, such as malicious sensors, apps, or firmware. However, in this paper, we focus on a new facet of this body of research by designing an external attacker. The key observation is that although the virtual world remains concealed from an external observer (i.e., an adversary), the physical interactions required to input commands into the VR world are observable and create a side channel. Building upon this finding, we conduct a practical attack, named LensHack, on Quest 2 VR devices. By employing our algorithm and an external camera (Blink), we capture and analyze the interactions between the user and the device, successfully extracting typed characters with over 80% accuracy.
