Apple Vision Pro Vulnerability Exposes Virtual Keyboard Inputs to Attackers

September 15, 2024
1 min read




Apple Vision Pro Vulnerability Exposed Virtual Keyboard Inputs to Attackers

TLDR:

  • Security flaw in Apple’s Vision Pro mixed reality headset allowed attackers to infer data entered on the virtual keyboard
  • Attack dubbed GAZEploit leveraged gaze-controlled typing

Details have emerged about a now-patched security flaw impacting Apple’s Vision Pro mixed reality headset that, if successfully exploited, could allow malicious attackers to infer data entered on the device’s virtual keyboard. The attack, dubbed GAZEploit, has been assigned the CVE identifier CVE-2024-40865. A group of academics from the University of Florida, CertiK Skyfall Team, and Texas Tech University discovered a vulnerability inherent in gaze-controlled text entry when users shared a virtual avatar. The attack leveraged gaze information to remotely perform keystroke inference, compromising user privacy. Apple addressed the issue in visionOS 1.3 by suspending a component called Persona when the virtual keyboard is active.

The researchers found that it was possible to analyze a virtual avatar’s eye movements to determine what the user was typing on the virtual keyboard. This could be exploited to extract sensitive information such as passwords. The GAZEploit attack utilized a supervised learning model trained on Persona recordings, eye aspect ratio (EAR), and eye gaze estimation to differentiate between typing sessions and other VR-related activities. By capturing and analyzing virtual avatar video, an attacker could reconstruct the typed keys remotely.


Latest from Blog

Top 20 Linux Admin Tools for 2024

TLDR: Top Linux Admin Tools in 2024 Key points: Linux admin tools streamline system configurations, performance monitoring, and security management. Popular Linux admin tools include Webmin, Puppet, Zabbix, Nagios, and Ansible. Summary

Bogus job tempts aerospace, energy workers

TLDR: A North Korean cyberespionage group is posing as job recruiters to target employees in aerospace and energy sectors. Mandiant reports that the group uses fake job descriptions stored in malicious archives