A novel security vulnerability dubbed “GAZEploit” has been discovered that could allow hackers to capture keystrokes from Apple Vision Pro’s virtual keyboards.
The attack exploits the eye-tracking technology used for gaze-based typing on Apple’s mixed-reality headset.
Researchers from the University of Florida, CertiK Skyfall Team, and Texas Tech University developed GAZEploit, which analyzes eye movements of a user’s virtual avatar to infer what is being typed.
The attack works by recording the movements of the avatar’s eyes during FaceTime calls or other scenarios where the avatar is visible.
GAZEploit focuses on two key biometric indicators – the eye aspect ratio (EAR), which measures how wide a person’s eyes are open, and eye gaze estimation, which tracks where they’re looking on the screen.
By analyzing these factors, attackers can determine when a user is typing and even pinpoint specific keys being selected.
Decoding Compliance: What CISOs Need to Know – Join Free Webinar
The researchers trained a machine learning model on data from 30 participants and achieved 98% accuracy in identifying typing sessions. For predicting individual keystrokes, they reported 85.9% accuracy and 96.8% recall.
What makes GAZEploit particularly concerning is that it can be carried out remotely by simply analyzing video footage of the avatar.
This means sensitive information like passwords or private messages could potentially be compromised during everyday activities like virtual meetings or live streaming.
Apple has already taken steps to address the vulnerability, releasing a patch in visionOS 1.3 in July 2024. However, the discovery highlights the unique privacy challenges posed by emerging VR/AR technologies that rely on biometric data.
To protect against similar attacks, experts recommend avoiding entering sensitive information via eye-tracking methods in VR environments when possible. Using physical keyboards or other secure input methods is advised for inputting passwords and personal data.
The GAZEploit research underscores the need for robust privacy safeguards as VR technology becomes more prevalent. As these immersive systems collect increasingly rich behavioral data, striking a balance between user experience and data protection will be crucial for widespread adoption.
While Apple has moved quickly to patch this specific vulnerability, the incident reminds us that novel attack vectors may continue to emerge as VR/AR capabilities expand.
Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar