Details have emerged about a now-patched security flaw in Apple’s Vision Pro mixed reality headset that, if successfully exploited, could leak data entered on the device’s virtual keyboard.
The flaw, tracked as CVE-2024-40865, has been codenamed GAZEploit.
“A groundbreaking hack has been devised allowing for the extraction of eye-related biometrics from the avatar image to reconstruct text inputted using gaze-controlled typing,” a team of researchers from the University of Florida said.
“GAZEploit operates by exploiting a weakness in gaze-controlled text input, especially when users share a virtual avatar.”
Following responsible disclosure, Apple addressed the issue in visionOS 1.3, released on July 29, 2024, and listed the affected component as Presence.
“Information entered on the virtual keyboard could be deduced via Persona,” Apple’s security advisory states, adding that the issue was fixed by “pausing Persona when the virtual keyboard is in use.”
In short, the researchers found that the Persona avatar reproduces the wearer’s real eye movements closely enough that those movements can be analysed to recover keystrokes on the virtual keyboard, which puts user privacy at risk.
As a result, an attacker who can observe an avatar shared during a video call, online meeting or live stream could perform keystroke inference remotely and recover sensitive data such as passwords.

The attack uses a supervised learning model, trained on Persona recordings together with eye aspect ratio (EAR) and gaze estimation features, to distinguish typing sessions from other VR activities such as watching movies or gaming.
The estimated gaze coordinates on the virtual keyboard are then mapped to specific keys, taking the keyboard’s position in the virtual environment into account, to recover likely keystrokes.
“Through remotely capturing and studying the virtual avatar video, an attacker has the ability to deduce the typed characters,” the researchers said, noting that GAZEploit is the first known attack to exploit leaked gaze data for remote keystroke inference.
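To make the two-stage pipeline concrete, here is an added Python sketch; it is not the GAZEploit authors’ code and is not tied to visionOS or any real avatar stream. Everything in it is assumed or constructed: a hypothetical three-row keyboard layout with a hypothetical position and key size in the scene, synthetic gaze traces with labelled jitter, a crude on-keyboard heuristic standing in for the supervised classifier, and the standard eye aspect ratio formula from the blink-detection literature as an illustration of the EAR feature. What it shows is the part a defender cares about: once gaze samples and the keyboard’s placement are known, fixation detection plus a coordinate-to-key lookup is all that separates “eye movements” from “typed text”.

```python
"""Added illustration (constructed, not the researchers' code) of the two
inference stages described above: (1) separating a typing session from other
gaze activity, (2) snapping gaze fixations to keys of a virtual keyboard whose
position in the scene is known. All layouts, coordinates and traces are
hypothetical."""
import math

# Eye aspect ratio, a feature the article says the classifier uses. Standard
# EAR (Soukupova & Cech 2016): mean vertical lid opening over eye width.
# Landmark order assumed here: p1, p4 = eye corners; p2, p3 = upper lid;
# p6, p5 = lower lid. Blinks appear as dips in EAR.
def eye_aspect_ratio(pts):
    p1, p2, p3, p4, p5, p6 = pts
    d = lambda a, b: math.hypot(a[0] - b[0], a[1] - b[1])
    return (d(p2, p6) + d(p3, p5)) / (2.0 * d(p1, p4))

# Hypothetical keyboard model: three staggered QWERTY rows in a 2-D plane.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
ROW_OFFSETS = [0.0, 0.5, 1.0]  # horizontal stagger of each row, in key widths

class Keyboard:
    def __init__(self, origin, key_size):
        self.origin = origin      # scene coords of the top-left corner of 'q'
        self.key_size = key_size  # key width and height in scene units

    def key_at(self, x, y):
        """Map a scene-space gaze point to a key, or None if off-keyboard."""
        lx = (x - self.origin[0]) / self.key_size
        ly = (y - self.origin[1]) / self.key_size
        row = math.floor(ly)
        if not 0 <= row < len(ROWS):
            return None
        col = math.floor(lx - ROW_OFFSETS[row])
        if not 0 <= col < len(ROWS[row]):
            return None
        return ROWS[row][col]

    def key_centre(self, ch):
        row = next(r for r, keys in enumerate(ROWS) if ch in keys)
        col = ROWS[row].index(ch)
        return (self.origin[0] + (ROW_OFFSETS[row] + col + 0.5) * self.key_size,
                self.origin[1] + (row + 0.5) * self.key_size)

# Fixation detection with a dispersion threshold (I-DT): a run of samples whose
# bounding box stays small is one fixation; fast moves between keys are skipped.
def _dispersion(win):
    xs = [s[1] for s in win]
    ys = [s[2] for s in win]
    return (max(xs) - min(xs)) + (max(ys) - min(ys))

def fixations(samples, max_dispersion, min_samples):
    """samples: list of (t, x, y). Returns (mean_x, mean_y, n) per fixation."""
    out, i, n = [], 0, len(samples)
    while i + min_samples <= n:
        j = i + min_samples
        if _dispersion(samples[i:j]) > max_dispersion:
            i += 1
            continue
        while j < n and _dispersion(samples[i:j + 1]) <= max_dispersion:
            j += 1
        win = samples[i:j]
        out.append((sum(s[1] for s in win) / len(win),
                    sum(s[2] for s in win) / len(win), len(win)))
        i = j
    return out

def looks_like_typing(kb, fixs, min_fixations=3, min_on_keyboard=0.8):
    """Crude stand-in for the supervised typing classifier: a typing session
    is a run of fixations that mostly land on keys."""
    if len(fixs) < min_fixations:
        return False
    on_keys = sum(1 for fx, fy, _ in fixs if kb.key_at(fx, fy) is not None)
    return on_keys / len(fixs) >= min_on_keyboard

def infer_keystrokes(kb, samples, max_dispersion=0.5, min_samples=4):
    """Stage 1 then stage 2: None if the trace is not typing, else the keys."""
    fixs = fixations(samples, max_dispersion, min_samples)
    if not looks_like_typing(kb, fixs):
        return None
    return "".join(k for k in (kb.key_at(fx, fy) for fx, fy, _ in fixs) if k)

# Constructed gaze traces (stand-ins for gaze estimated from an avatar video).
def synthetic_typing_trace(kb, text, per_key=8, jitter=0.1):
    """Fixations on each key centre with small deterministic jitter, joined by
    two saccade samples between consecutive keys."""
    samples, t, prev = [], 0, None
    for ch in text:
        cx, cy = kb.key_centre(ch)
        if prev is not None:
            for f in (1 / 3, 2 / 3):
                samples.append((t, prev[0] + (cx - prev[0]) * f,
                                   prev[1] + (cy - prev[1]) * f))
                t += 1
        for k in range(per_key):
            dx = jitter if k % 2 == 0 else -jitter
            dy = jitter if k % 3 == 0 else -jitter
            samples.append((t, cx + dx, cy + dy))
            t += 1
        prev = (cx, cy)
    return samples

def synthetic_viewing_trace(kb, per_point=8):
    """Gaze resting on content well away from the keyboard, e.g. a video."""
    ox, oy = kb.origin
    points = [(ox + 60, oy - 40), (ox + 70, oy - 30), (ox + 80, oy - 45)]
    return [(i, x, y) for i, (x, y) in
            enumerate(p for p in points for _ in range(per_point))]

if __name__ == "__main__":
    kb = Keyboard(origin=(10.0, 20.0), key_size=2.0)
    print(infer_keystrokes(kb, synthetic_typing_trace(kb, "gaze")))
    print(infer_keystrokes(kb, synthetic_viewing_trace(kb)))
```

The dispersion threshold and minimum fixation length are tuned to the constructed trace; on real gaze estimates they would have to be fitted to the sampling rate and the estimator’s noise, and the keyboard’s position would have to be recovered or guessed from the video first. Apple’s fix works by breaking the first link in this chain: with Persona paused while the keyboard is up, there is no avatar video from which to estimate gaze during typing.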