A VPN is not expected to be on the Oculus Quest. The US Congress may have some new questions to ask Facebook over security concerns exposed by new Virtual Reality devices which Facebook intends to ship to billions of users.

The Oculus Quest, Facebook’s flagship product, is not expected to have a VPN or to care about your security at all. This may be deliberate judging by other news stories about Facebook.

A VPN is not expected to be on the Oculus Quest because there is no VPN on the Oculus Go and Facebook’s attitude towards your security in general across the entire company can objectively only be described as malicious. This is not an opinion as you will see by reading the various news sources in this article. This is a fact and this is true across all Facebook products. Similar standalone products by the Lenovo Mirage Solo and Vive Focus plus by comparison do offer VPN or virtual private network.

Without a VPN it is much easier for rogue elements to spy on your traffic, and execute man in the middle as well as man in the room attacks. Especially with the WPA krack attack

“Facebook has admitted it misled the public when it claimed that only 5 per cent of the users of its banned tracking app were teenagers.

“The real figure, the Silicon Valley wunderkind has since confirmed to US Senator Mark Warner (D-VA), was nearly four times higher: 18 per cent.

“That wasn’t the only knowingly false response that Facebook made when it emerged that the antisocial network had secretly bypassed the Apple App Store’s privacy rules, and used its enterprise developer certificate to create a VPN-based data-slurping iOS application that paid adults and teenagers to monitor their online activities. The enterprise cert should only be used to sign and release internal apps, not ones for the general public, which should go through Apple’s App Store checks and approval process.”

In all likelyhood it is Facebook’s intent to track the behavior of teens and children on their Oculus Quest product, only without Apple to stop them this time.

On top of that Facebook lied about spying on teens. They lied about it. This proves that we can’t take Facebook at their word.

Facebook admits 18% of Research spyware users were teens, not <5%

On February 19th it was revealed that security researchers had managed to execute a man in the room hack against the popular Virtual Reality app called BigScreen. While this app and it’s underlying vulnerability in Unity has been patched, this should not be considered the end of security problems with Virtual Reality and Augmented Reality but only the beginning.

“Bigscreen, which describes itself as a “virtual living room,” enables users to watch movies, collaborate on projects together and more.

“Without users’ knowledge and consent — and without tricking users into downloading software or granting access to the computer — University of New Haven researchers were able to:

“Turn on user microphones and listen to private conversations
Join any VR room including private rooms
Create a replicating worm that infects users as soon as they enter a room with other VR users
View user computer screens in real time
Send messages on a user’s behalf
Download and run programs — including malware — onto user computers
Join users in VR while remaining invisible. This novel attack was termed as a Man-In-The-Room (MITR) attack
Phish users into downloading fake VR drivers

“University of New Haven Researchers Discover Critical Vulnerabilities in Popular Virtual Reality Application”

The evidence that the fear of being hacked in Virtual Reality on devices like the Oculus Go, Oculus Quest, and Oculus Rift S isn’t over can be illustrated by examining the concerns on the Immersive-Web specification for WebXR

Under considerations and concerns the Design Doc for WebXR says this

“Concerns & Considerations
Potential Threats
Spoofing: Similar to the concerns about fullscreen, an immersive application could imitate browser or OS/platform UI in an attempt to obtain information or privileged access from the user.
Spam: Obnoxious immersive ads could be displayed without the user having made any decision or having the opportunity to evaluate the page.
Malicious actions: Users could be “rickrolled” or otherwise presented with intentionally disorienting or nauseating content.
Well-intentioned but undesirable content: Even content from good actors may not be desirable for all users or audiences.”

The Design Doc for WebXR excerpt Potential Threats

Last week 540 million Facebook records were found unprotected in the cloud by security researchers at UpGuard

Facebook was also caught exhibiting “beyond sketchy” behavior in asking for some new users email passwords

Until recently Facebook allowed 74 cybercrime groups with 385,000 members to sell credit cards, passwords, and hacking services.

Facebook is also under global suspicion for the slow response to removing a terrorist video content and only banishing terrorist content after that terrorist video was live streamed to it’s network. The fact that terrorists may have infiltrated Facebook to protect white nationalist terrorists is all the more reason why we should be concerned about Facebook’s lack of concern for our security with its products.

“Mark Zuckerberg Thinks You’ve Napped Through the Last Decade”

Facebook is being criticized by security researchers for worsening user security by merging Facebook, Whatsapp, and Instagram

The bottomline is that Facebook’s new Virtual Reality products may expose you to having your identity stolen, your privacy stolen, your security stolen, and based on all available facts Facebook does not seem to care, it seems to be on purpose.