Adrian Johnson
TLDR:
- Security flaw in Apple’s Vision Pro mixed reality headset allowed attackers to infer data entered on the virtual keyboard
- Attack dubbed GAZEploit leveraged gaze-controlled typing
Details have emerged about a now-patched security flaw impacting Apple’s Vision Pro mixed reality headset that, if successfully exploited, could allow malicious attackers to infer data entered on the device’s virtual keyboard. The attack, dubbed GAZEploit, has been assigned the CVE identifier CVE-2024-40865. A group of academics from the University of Florida, CertiK Skyfall Team, and Texas Tech University discovered a vulnerability inherent in gaze-controlled text entry when users shared a virtual avatar. The attack leveraged gaze information to remotely perform keystroke inference, compromising user privacy. Apple addressed the issue in visionOS 1.3 by suspending a component called Persona when the virtual keyboard is active.
The researchers found that it was possible to analyze a virtual avatar’s eye movements to determine what the user was typing on the virtual keyboard. This could be exploited to extract sensitive information such as passwords. The GAZEploit attack utilized a supervised learning model trained on Persona recordings, eye aspect ratio (EAR), and eye gaze estimation to differentiate between typing sessions and other VR-related activities. By capturing and analyzing virtual avatar video, an attacker could reconstruct the typed keys remotely.
