Apple Vision Pro Vulnerability Exposes Virtual Keyboard Inputs to Attackers

SeniorTechInfo


Sep 13, 2024
Ravie Lakshmanan

Virtual Reality / Vulnerability

Details have emerged about a now-patched security flaw impacting Apple’s Vision Pro mixed reality headset that could compromise user privacy.

The attack, known as GAZEploit (CVE-2024-40865), allows malicious actors to infer text that a user enters on the device’s virtual keyboard through gaze-controlled typing.

A group of academics from the University of Florida described the attack as “a novel attack that can infer eye-related biometrics from the avatar image to reconstruct text entered via gaze-controlled typing.”

Apple addressed the vulnerability in visionOS 1.3 by suspending the affected component, called Presence, when the virtual keyboard is active.

The researchers found that eye movements of a virtual avatar could be analyzed to determine keystrokes, compromising user privacy.





The GAZEploit attack utilizes supervised learning models to remotely perform keystroke inference based on gaze information from the virtual avatar.

By analyzing virtual avatar videos, threat actors could extract sensitive information such as passwords through keystroke inference.

The attack is the first of its kind to exploit leaked gaze information to compromise user privacy.
