VR: virtual vulnerability

Michael Covington at Jamf explains why securing virtual reality headsets is a mission-critical priority

 

To many, augmented-reality and virtual-reality headsets are still a consumer gadget for gamers who want a more immersive experience in shooting zombies and flying fighter jets. While efforts such as Meta’s Horizon Workshops are pushing for a VR office, progress has been slow.  

 

However, in some physically orientated industries where precision and safety are paramount, the technology has rapidly evolved beyond gaming and entertainment to become an essential tool.

 

AR/VR is redefining operations in many critical sectors, from training critical infrastructure technicians and surgeons to enhancing teleoperated robotics. 

 

Their growing role in high-stakes functions elevates AR/VR devices beyond novelty status - they are now mission-critical tools fundamental to business operations. This shift brings new responsibilities, with organisations needing to ensure these devices remain secure and operational.

 

VR and AR in critical environments 

The ability to create safe, cost-effective training environments is one of the most widespread use cases for these devices. 

 

The combination of overlay and real-world view of AR is tremendously useful. For example, AR in manufacturing or power plants allows a repair tech to go into virtual space and reference manuals and get guidance without having to lug all the books or assistants along. 

 

Implementing AR in surgery means a doctor gets to look directly at the patient, not just a virtual replica. Meanwhile, in aviation AR means that the pilots can work around a PHYSICAL space while also taking part in a simulation.

 

Similarly, VR is revolutionising engineer training in nuclear power plants. Immersive simulations allow staff to practise intricate procedures without exposure to the hazardous environment of a reactor core. Virtual training spaces are also far more cost-efficient than physical replicas, with Nordic operator Fortnum estimating its purpose-built VR training room cost 1/10th of a traditional setup.

 

Surgeons also use VR for pre-surgical planning and training, while therapists use it to simulate patient interactions. VR has also proven valuable in treating conditions like PTSD or reassuring patients by demonstrating treatments.

 

Mission-critical VR and AR devices

Alongside a solid foundation in enhancing training and simulation, AR and VR are also increasingly deployed in various frontline uses. The technology is especially valuable for teleoperations, enabling operators to remotely control robots with greater immersion and precision.

 

VR and AR has enormous potential in fields including search and rescue, cleanup operations for hazards like chemical spills and radiation leaks, and exploration for natural resources such as oil and gas.

 

Transitioning from training to active operations repositions headsets as mission-critical devices. These are assets where failure could jeopardise safety, disrupt operations, or lead to significant financial losses. They are not simply tools of convenience - they are essential to a business’s ability to function.

 

VR/AR headsets increasingly fit this definition, especially in high-stakes industries. If hardware or software is compromised or rendered unusable, workers will be unable to complete critical operations or will need to fall back on backup plans. 

 

As such, headsets demand the same prioritisation for security and resilience as other established mission-critical devices.

 

Security risks that impact VR and AR headsets 

Cyber-security is a key element of keeping mission-critical devices safe and operational. While headsets offer immense benefits, they also present unique security challenges, especially in critical environments. 

 

As mission-critical assets, VR and AR devices are vulnerable to disruption from cyber-attacks that impact the end-user organisation and the device vendor. And since denial-of-service attacks could potentially disable the use of these headsets, organisations are encouraged to factor them into resiliency planning.

 

Additionally, these devices represent a potential cyber-risk, expanding an organisation’s attack surface. Unsecured systems could be exploited, putting both data on the device and access on the organisation’s network at risk.

 

The diversity of VR and AR ecosystems further complicates security. Organisations may use devices from different manufacturers, each with its own software standards and vulnerabilities​. This lack of standardisation increases the difficulty of applying consistent security measures across all devices.

 

Another challenge is balancing security with usability. For example, enforcing updates is often essential, but a poorly timed update could render devices unusable during key operations. In industries where uptime is non-negotiable, such as aviation or power, conflicting demands for security and performance must be carefully managed​.

 

Securing VR and AR devices

Securing VR/VR headsets in critical environments requires a layered approach that balances robust cyber-security with operational resilience.

 

The first step is supplier vetting. Organisations must evaluate the security practices of hardware and software vendors to ensure devices meet minimum security standards before deployment​. 

 

From the moment a headset is unboxed, it should be enrolled in a centralised device management system to apply encryption, configure device settings, and ensure the latest security patches are applied. 

 

Ongoing cyber-hygiene is equally important. This includes enforcing regular updates to firmware and applications. However, updates should align with uptime strategies to avoid disruptions during critical operations​. Scheduling updates during maintenance windows or maintaining backup devices can ensure continuity even when primary systems are offline.

 

A comprehensive asset inventory is essential for identifying which headsets are mission critical. Mapping these devices to the applications they support allows organisations to pinpoint vulnerabilities and prioritise their protection​. For instance, a headset used for nuclear reactor training or critical remote operations demands stricter controls than one used for general staff training.

 

Organisations should also implement incident response plans tailored to VR and AR devices. This includes protocols for quickly isolating compromised devices, restoring operations with backup systems, and investigating the root cause of any security failures​.

 

Finally, educating users is critical. Operators must understand best practices for using VR securely, such as implementing proper configurations and avoiding unauthorised app installations. These measures ensure that VR headsets remain secure while continuing to deliver critical value in high-stakes environments.

 

The future of VR security 

As industries embrace virtual reality, its applications will only grow. Emerging use cases include remote collaboration in construction or engineering, where VR headsets can provide real-time visualisations of complex projects or precision maintenance in high-risk environments like offshore oil rigs. 

 

VR and AR headsets are no longer just consumer gadgets; they are mission-critical tools that drive safety and efficiency in high-stakes industries. Organisations must secure these devices with the same rigour as any critical asset to unlock their full potential. Proactive measures today will safeguard operations - and even lives - tomorrow. 

 

---

 

Michael Covington is VP of Strategy at Jamf 

 

Main image courtesy of iStockPhoto.com and gorodenkoff