TLDR: New GAZEploit Attack Lets Hackers Capture Keystrokes from Apple Vision Pro
- A vulnerability known as GAZEploit allows hackers to capture keystrokes from Apple Vision Pro’s virtual keyboards by analyzing eye movements.
- The attack relies on biometric indicators such as the eye aspect ratio and eye gaze estimation to infer what is being typed.
A novel security vulnerability dubbed “GAZEploit” has been discovered that could allow hackers to capture keystrokes from Apple Vision Pro’s virtual keyboards. The attack exploits the eye-tracking technology used for gaze-based typing on Apple’s mixed-reality headset. Researchers from the University of Florida, CertiK Skyfall Team, and Texas Tech University developed GAZEploit, which analyzes eye movements of a user’s virtual avatar to infer what is being typed. The attack works by recording the movements of the avatar’s eyes during FaceTime calls or other scenarios where the avatar is visible.
The researchers trained a machine learning model on data from 30 participants and achieved 98% accuracy in identifying typing sessions. For predicting individual keystrokes, they reported 85.9% accuracy and 96.8% recall. Apple addressed the vulnerability in visionOS 1.3, released in July 2024. Experts recommend avoiding entering sensitive information via eye-tracking input in VR environments when possible, to protect against similar attacks.
The GAZEploit research highlights the need for robust privacy safeguards as VR technology becomes more prevalent. While Apple has addressed this specific vulnerability, it serves as a reminder of the emerging privacy challenges posed by VR/AR technologies that rely on biometric data.