A security flaw in Apple’s Vision Pro mixed reality headset [2] [4] [9], known as GAZEploit and identified as CVE-2024-40865, was recently discovered by researchers.
Description
This exploit allows hackers to track users’ eye movements during video calls [7], enabling them to decipher passwords, PINs [2] [6] [8] [10], and messages typed with the eyes [6] [8]. By analyzing the avatar’s eye movements [5] [7] [9], attackers can accurately detect the keys being typed on the virtual keyboard [7].
The vulnerability was promptly addressed in visionOS 1.3, released in July [10], by suspending the display of avatars when the virtual keyboard is active, effectively mitigating the threat and preventing potential privacy breaches.
GAZEploit can also spy on messages and website addresses typed by Vision Pro users during video calls [7]. It identified the correct letters typed in passwords 77% of the time within five guesses, and 92% of the time in messages [6].
Although the proof-of-concept attack was not exploited in the wild [5], Vision Pro users are advised to update to visionOS 1.3 or later to protect against potential attacks [5]. This incident highlights the risks of biometric data exposure in the surveillance industry and is the first known attack to exploit people’s “gaze” data in this manner.
The researchers involved in discovering the vulnerability were from various universities and organizations [8], including the University of Florida, Texas Tech University [5], and Certik [5]. The attack, named GAZEploit [1] [3] [4] [6] [7] [8] [10], targeted the Persona feature of the Vision Pro mixed-reality headset, utilizing the inner cameras to capture virtual avatars’ eye movements and reconstruct keyboard inputs made using eye tracking.
Apple has since patched the vulnerability with the visionOS 1.3 software update [1] [3], temporarily hiding avatars during virtual keyboard use to prevent exploitation [1]. This attack underscores the risks of biometric data leaks in wearable devices and the potential privacy implications for users [1].
Conclusion
This incident serves as a reminder of the importance of promptly addressing security vulnerabilities in wearable devices to protect user privacy. The swift action taken by Apple to release visionOS 1.3 demonstrates the company’s commitment to mitigating potential threats and safeguarding user data. Moving forward, it is crucial for manufacturers to prioritize security measures to prevent similar exploits and ensure the protection of sensitive biometric data.
References
[1] https://www.heise.de/news/Vision-Pro-Eyetracking-erlaubt-Rekonstruktion-von-Passwoertern-theoretisch-9867131.html
[2] https://www.techradar.com/pro/the-apple-vision-pro-has-a-worrying-security-flaw-hackers-could-easily-guess-passwords-based-on-eye-movements
[3] https://www.heise.de/en/news/Vision-Pro-eye-tracking-allows-passwords-to-be-reconstructed-theoretically-9867534.html
[4] https://www.redsecuretech.co.uk/blog/post/gazeploit-attack-cve-2024-40865-exploits-gaze-to-infer-typing-in-vision-pro/136
[5] https://www.macrumors.com/2024/09/12/vision-pro-persona-typing-security-vulnerability/
[6] https://www.wired.com/story/apple-vision-pro-persona-eye-tracking-spy-typing/
[7] https://9to5mac.com/2024/09/12/gazeploit-vision-pro-passwords/
[8] https://www.mactrast.com/2024/09/vision-pro-security-flaw-that-could-expose-what-you-typed-fixed-in-visionos-1-3/
[9] https://thehackernews.com/2024/09/apple-vision-pro-vulnerability-exposed.html
[10] https://www.macobserver.com/apple-vision/your-eye-movement-on-apple-vision-pro-can-give-away-your-passwords/