Apple Vision Pro Vulnerability Exposed Virtual Keyboard Inputs to Attackers

September 13, 2024 at 11:21AM

A security flaw, dubbed GAZEploit, was discovered in Apple’s Vision Pro mixed reality headset. It allowed attackers to infer what a user typed on the virtual keyboard from the user's eye movements. Apple released visionOS 1.3 to fix the vulnerability, suspending the affected component, Persona, while the virtual keyboard is in use. The attack could compromise user privacy by remotely inferring keystrokes from a user's video avatar.

A security flaw affecting Apple’s Vision Pro mixed reality headset has been identified and patched. The flaw, known as GAZEploit, could allow malicious attackers to infer data entered on the device’s virtual keyboard by analyzing a user’s eye movements as reflected in their virtual avatar. Responsible disclosure led to Apple addressing the issue in visionOS 1.3, which suspends the vulnerable component, called Persona, whenever the virtual keyboard is active. The attack could compromise user privacy by allowing a threat actor to remotely analyze virtual avatars and extract sensitive information such as passwords. The attack relied on a supervised learning model and gaze estimation to differentiate typing sessions from other VR-related activities and to map gaze to keys. This is the first known attack in its domain that exploits leaked gaze information to remotely perform keystroke inference.

Kindly note the information is a summary and is not verbatim from the source.
