Apple Vision Pro Vulnerability Exposes Virtual Keyboard Inputs to Attackers

September 15, 2024
1 min read




Apple Vision Pro Vulnerability Exposed Virtual Keyboard Inputs to Attackers

TLDR:

  • Security flaw in Apple’s Vision Pro mixed reality headset allowed attackers to infer data entered on the virtual keyboard
  • Attack dubbed GAZEploit leveraged gaze-controlled typing

Details have emerged about a now-patched security flaw impacting Apple’s Vision Pro mixed reality headset that, if successfully exploited, could allow malicious attackers to infer data entered on the device’s virtual keyboard. The attack, dubbed GAZEploit, has been assigned the CVE identifier CVE-2024-40865. A group of academics from the University of Florida, CertiK Skyfall Team, and Texas Tech University discovered a vulnerability inherent in gaze-controlled text entry when users shared a virtual avatar. The attack leveraged gaze information to remotely perform keystroke inference, compromising user privacy. Apple addressed the issue in visionOS 1.3 by suspending a component called Persona when the virtual keyboard is active.

The researchers found that it was possible to analyze a virtual avatar’s eye movements to determine what the user was typing on the virtual keyboard. This could be exploited to extract sensitive information such as passwords. The GAZEploit attack utilized a supervised learning model trained on Persona recordings, eye aspect ratio (EAR), and eye gaze estimation to differentiate between typing sessions and other VR-related activities. By capturing and analyzing virtual avatar video, an attacker could reconstruct the typed keys remotely.


Latest from Blog

EU push for unified incident report rules

TLDR: The Federation of European Risk Management Associations (FERMA) is urging the EU to harmonize cyber incident reporting requirements ahead of new legislation. Upcoming legislation such as the NIS2 Directive, DORA, and