Apple’s Vision Pro Vulnerability: Hackers Could Steal Sensitive Data Through Persona in Virtual Reality

Apple’s Vision Pro, a virtual reality device that allows users to interact with others in virtual environments, has recently been found to have a security flaw that could have exposed users’ sensitive data. This flaw, known as the GAZEploit attack, was discovered by a group of computer scientists from the University of Florida. They found that by tracking the eye movements of a user’s virtual avatar, they could determine what the user was typing on the Vision Pro’s virtual keyboard with a high degree of accuracy.

The researchers found that users tend to direct their gaze onto specific keys before clicking them. This observation allowed the researchers to construct an algorithm that could identify what the user was typing. In their tests, the researchers were able to accurately identify users’ passwords 77% of the time and accurately detect the content of messages 92% of the time. This level of accuracy is concerning, as it means that a malicious hacker could potentially steal sensitive information from Vision Pro users.

Fortunately, the researchers responsibly disclosed the vulnerability to Apple, and the company promptly addressed it in the visionOS 1.3 update, which was released in July. According to the release notes, Apple fixed the flaw by suspending the virtual avatar’s eye tracking feature when the virtual keyboard is active. Therefore, it is crucial for Vision Pro users to update to the latest version of visionOS to protect themselves from this security vulnerability.

While Apple has taken steps to address the issue, the discovery of this security flaw raises questions about the potential risks of using virtual reality devices. The ability of hackers to infer information by observing a virtual version of an individual is concerning, and it highlights the importance of ensuring the security of virtual reality platforms.

One of the particularly dangerous aspects of the GAZEploit attack is that it only requires a video recording of someone’s virtual avatar while they are typing. This means that even if a user has updated to the latest version of visionOS, an attacker could still use an older video recording to infer what was typed in it. To mitigate this risk, it is advisable to remove any publicly available videos where the user’s virtual avatar is visible while typing.

It is important to note that there have been no reported instances of this attack being used in the real world. However, the potential for its use highlights the need for vigilance and caution when using virtual reality devices. It also underscores the importance of companies like Apple quickly addressing and fixing security vulnerabilities to protect their users.

In conclusion, the discovery of the GAZEploit attack on Apple’s Vision Pro virtual reality device raises concerns about the security of such platforms. The ability of hackers to infer sensitive information by observing a user’s virtual avatar is a significant threat. While Apple has addressed the vulnerability in a timely manner, users should ensure they have updated to the latest version of visionOS to protect themselves. Additionally, removing publicly available videos where the virtual avatar is visible while typing can help mitigate the risk. As virtual reality technology continues to evolve, it is crucial for companies to prioritize the security and privacy of their users.