Apple Patches Vision Pro Vulnerability to Prevent GAZEploit Attacks

September 13, 2024 at 09:33AM

Apple has released a patch for its Vision Pro mixed reality headset after researchers demonstrated an attack method, known as GAZEploit, that could infer a user’s typed data by tracking their avatar’s eye movements. The vulnerability, tracked as CVE-2024-40865, has been patched with the release of visionOS 1.3, which suspends Persona when the virtual keyboard is active.

Researchers from the University of Florida and Texas Tech University identified the attack method, called GAZEploit, which allowed an attacker to infer a Vision Pro user’s typing by tracking the eye movement of their avatar, known as Persona. Apple patched the vulnerability with the release of visionOS 1.3, which suspends Persona when the virtual keyboard is active to mitigate the risk.

The GAZEploit attack was demonstrated to achieve significant accuracy in inferring users’ keystrokes when they type with their gaze. This is not the first hack related to the Vision Pro headset: a separate researcher recently demonstrated the ability to generate arbitrary objects in the environment by getting the user to visit a website.

These developments highlight the importance of addressing security vulnerabilities in mixed reality and virtual reality environments, and underscore the need for ongoing vigilance to protect user data and experiences within these emerging technologies.
