No Tokens Required: A Movie Power Virtual Reality Breakout Exploit

During the summer in 2024, I went on holiday to Cornwall in the south of England. Whilst on holiday, I encountered multiple virtual reality (VR) arcade machines branded as Playnation/InspiredVR which contained a vulnerability allowing me to break out of the VR interface and pop a Windows command prompt. A few weeks later I was at a coastal town in the north of England and again came across the same vulnerable virtual reality machine, however it was branded as another company.

Arcade Breakout

After playing on multiple VR machines throughout the week, there was one button that was constantly nagging for my attention.

Settings? In this case, it was shown on the main screen of the VR machine very similar to the VR Shark Chair Simulator. The reason for the settings button is to allow engineers software access to maintain and repair the VR arcades. Although security through obscurity should not be the primary or sole security measure, I do believe hiding the “Settings” button by default and requiring a physical button press from inside the locked machine to enable it would have prevented me from finding the vulnerability, even though the vulnerability would still have been present within the software.

Likewise, the “Settings” button existed on all the other Movie Power VR arcade machines I encountered, such as the VR Space Racing Simulator.

Security was at least a consideration during development, as when you click “Settings”, it shows a password prompt.

As this is a touchscreen interface, any USB connections are internally locked within the machine. However, we can use the on-screen keyboard by clicking the button next to the password prompt.

At this point, you may naturally think the password was “password” or a company specific password such as “inspiredvr”, and you may well be right, as I never attempted to log in with a guessed password. Immediately I noticed this is a Windows 10/11 On-Screen Keyboard. Instead of attempting to guess a password, I was looking at the On-Screen Keyboard’s buttons and “Options” caught my eye. What is options, and what does it do?

A Windows pop-up shows, allowing you to customise the On-Screen Keyboard options. These options have no obvious security impact. But then I noticed something…

“Control whether the On-Screen Keyboard starts when I sign in” is blue! As we have all been pre-programmed to know with computers, blue text is a link, but a link to what?

A Windows Control Panel setting of course! At this point I was confident I could pop a cmd.exe and decided to stop there on the arcade machine, to avoid accidentally causing any damage.

Once I got home, I replicated the same process on my Windows machine by opening the On-Screen Keyboard, clicking “Options”, then clicking “Control whether the On-Screen Keyboard starts when I sign in”.

On the arcade it appears the On-Screen Keyboard closes when the control panel opens. To re-open it, we can check the “Use On-Screen Keyboard” checkbox, and press Apply.

With the On-Screen Keyboard back, we can click in the search bar and type “cmd.exe”.

Upon pressing enter, a Windows command prompt opens.

Disclosure?

After my enjoyable trip “away from work”, I wanted to do the right thing and report the vulnerability to the manufacturer, which as usual, proved harder than discovering the vulnerability itself. I first reached out to Playnation/InspiredVR by e-mail on 27/08/2024 and again on 09/09/2024 with no responses. I messaged Inspired Entertainment, Inc. on LinkedIn on 02/09/2024 and I even phoned their customer support line who said they would get the security team to contact me back (spoiler, they never did).

Shortly after this I was at a seaside town on the East coast of England visiting the arcades, and I came across yet another vulnerable VR machine, however this one was branded as a different company to Playnation/InspiredVR. After spending a little time looking at the various brands on the arcade machine, I noticed one with Chinese writing on it and underneath it read Movie Power. At this point I realised I was barking up the wrong tree, and needed to try to contact Movie Power as they appear to be the manufacturer creating the arcade machines before they get rebranded.

I first contacted Movie Power about the vulnerability via WhatsApp on 27/10/2024 as that is the main form of communication shown on the website. I was sent contact information for another number on WhatsApp which I tried contacting but got no response. I then sent an e-mail on 17/11/2024 with no response. Throughout the past year, I tried to contact Movie Power, and recently got a response from the second WhatsApp individual who stated he would forward the report on to the relevant department team.

After a period of time, I was informed that Movie Power knew about the vulnerability a long time ago and it has been solved in the new version.

I requested the unpatched and patched version numbers however it has been radio silence since this message was sent. Although Movie Power claims it was known a long time ago and was patched, as of late 2024 there were multiple vulnerable arcades across the UK from the very south of England to the North East.

Disclosure Summary

If you own an arcade and have Movie Power arcade machines, I would strongly recommend you update your machine to the latest version, but also perform the steps I’ve outlined previously in order to verify that it is not possible anymore.
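As a complement to re-testing the steps by hand, here is an added example (not from the original post and not Movie Power's fix): a PowerShell audit, run as the account the arcade software logs on with, that reports whether the Windows policies blocking Control Panel and the command prompt are set. The choice of these policies as a baseline, and the helper name `Get-RegValue`, are assumptions made for illustration.

```powershell
# Added example: audit the current (kiosk) account for lockdown policies that
# would interrupt the On-Screen Keyboard -> Control Panel -> cmd.exe path.
# The baseline is an assumption for illustration, not the vendor's patch.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

# Per-user policy values; both are only effective for the account they are set on.
$checks = @(
    @{ Name  = 'Control Panel and PC settings blocked (NoControlPanel)'
       Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoControlPanel'; Good = @(1) },
    @{ Name  = 'Command prompt blocked (DisableCMD)'
       Path  = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Value = 'DisableCMD'; Good = @(1, 2) }
)

$results = foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Value
    $shown  = if ($null -eq $actual) { 'not set' } else { $actual }
    [pscustomobject]@{
        Check  = $c.Name
        Actual = $shown
        Pass   = ($null -ne $actual) -and ($c.Good -contains $actual)
    }
}

# A kiosk account should not hold administrator rights; this reflects the
# current token, so run it non-elevated in the kiosk session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$results += [pscustomobject]@{
    Check  = 'Kiosk account is not an administrator'
    Actual = $identity.Name
    Pass   = -not $isAdmin
}

$results | Format-Table -AutoSize
```

A passing result only shows the policies are configured; the manual check on the machine itself remains the real test.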

I have no knowledge of how large Movie Power’s customer base is, however within the UK alone, Playnation Ltd has posted arcade job listings at the following locations:

  • Blue Dolphin Park
  • Skirlington Holiday Park
  • Seton Sands
  • Narin Holiday Park
  • Grannie’s Holiday Park
  • Drimsynie
  • Withernsea
  • Skipsea, Yorkshire
  • Solway, Scotland
  • Craig Tara, Ayr
  • Berwick Holiday Village in Berwick Upon Tweed
  • Manor Park
  • Kiln Park
  • Hunters Quay Holiday Village
  • Quay West, South Wales
  • … the list goes on

Have you ever encountered a Movie Power VR machine outside the UK? I would love to know how far and wide this vulnerability reaches, feel free to tweet/message me at https://x.com/_mccaulay. That’s all for now, until my next holiday!