Apple Vision Pro Can Be A New Vector For Attacks

A security flaw in Apple's Vision Pro mixed reality headset, known as GAZEploit (CVE-2024-40865), has recently come to light. While now patched, this vulnerability presented a significant privacy risk for users, potentially allowing attackers to infer what users were typing on a virtual keyboard simply by analyzing eye movements. The flaw was first identified by researchers from the University of Florida, the CertiK Skyfall Team, and Texas Tech University.

Here’s a closer look at what this vulnerability entails, who is at risk, and how to protect yourself.

Understanding the Vulnerability

GAZEploit takes advantage of a weakness in the way Apple’s Vision Pro headset uses gaze-controlled typing. In the headset’s virtual environment, users can type using their eye movements to control a virtual keyboard. This functionality relies on tracking the direction of the user's gaze to determine which keys are being selected.

The research team found that this feature could be exploited by malicious actors to infer sensitive information, such as passwords or private messages. The attack works by analyzing eye movements captured in the user’s virtual avatar—a digital representation of the user that mirrors their eye movements. With the help of a supervised learning model, attackers could use this gaze data to estimate keystrokes on the virtual keyboard.

In simpler terms, a hacker could observe the movement of a user’s eyes while they interact with the virtual keyboard in real-time and deduce what they are typing.

Apple responded to this vulnerability in its visionOS 1.3 update, released on July 29, 2024, by temporarily suspending the avatar (Persona) feature whenever the virtual keyboard is in use. This measure prevents gaze information from being exploited during typing sessions.

Who is at Risk?

This vulnerability impacts users of the Apple Vision Pro headset, especially those who share their virtual avatar in settings such as video calls, online meetings, or live streaming. The potential for an attack lies in the fact that an observer, whether a remote hacker or someone physically present, could analyze the avatar’s eye movements to infer what the user is typing.

Specifically, users who regularly engage in virtual collaboration, online meetings, or any application where their avatar is publicly visible would have been at a higher risk. In these environments, attackers could capture the avatar’s gaze patterns and use this information to perform keystroke inference, allowing them to retrieve sensitive information such as:

• Passwords

• Personal messages

• Financial information

Although the flaw has been patched, it highlights the broader risks associated with emerging technologies like mixed reality headsets, where new interaction methods such as eye tracking are increasingly being used.

How to Protect Yourself

Now that Apple has patched the vulnerability with visionOS 1.3, users are much safer, but it’s still important to understand best practices to protect against such vulnerabilities in the future.

1. Keep Your Devices Updated

• The most effective protection against this type of vulnerability is to keep your visionOS and other device software up to date. Apple has already fixed the GAZEploit flaw, and by ensuring you’re running the latest software, you benefit from all security improvements.

2. Limit Public Sharing of Your Avatar

• While this vulnerability has been patched, it’s wise to be cautious about sharing your virtual avatar in public or open environments. Limiting exposure to public-facing applications and reducing the use of avatars in high-stakes settings (e.g., entering sensitive information) can help minimize future risks.

3. Use Secure Input Methods for Sensitive Information

• When entering sensitive information such as passwords or financial details, consider using more traditional input methods (e.g., manual typing with a keyboard) rather than gaze-controlled virtual keyboards in public or shared environments. This reduces the likelihood of attacks that exploit eye-tracking data.

4. Monitor for Unusual Activity

• Keep an eye on your accounts for any unusual activity, especially if you believe you may have been using an avatar in a vulnerable environment before the patch. Signs of compromised accounts may include unauthorized logins or changes to account settings.

5. Be Cautious of New Interaction Technologies

• As we continue to integrate more advanced technologies like eye tracking into our daily lives, it's important to stay aware of the potential risks. Be mindful of how new interaction methods may expose you to vulnerabilities and adjust your usage habits accordingly.

Conclusion

The GAZEploit vulnerability is a stark reminder that as technology evolves, so do the risks associated with it. In this case, Apple’s Vision Pro mixed reality headset presented an opportunity for attackers to exploit gaze-tracking features to infer sensitive information, such as keystrokes on a virtual keyboard.

Although Apple has patched the flaw, users should remain vigilant, keeping their devices updated and being mindful of how they use public-facing virtual environments. By following these steps, you can help protect yourself from future vulnerabilities and continue to enjoy the benefits of advanced technologies safely.