Apple Vision Pro owners had no idea they were this easy to hack.
A vulnerability was recently discovered in the Apple Vision Pro mixed reality headset that allows attackers to read data from a virtual keyboard. The attack, dubbed GAZEploit, has been registered as CVE-2024-40865, and its exact CVSS rating has not yet been determined.
The attack rests on a potential attacker's ability to analyze the user's eye movements through the virtual avatar that is used during interaction with the device. An attacker who gains access to the avatar image can determine which characters are typed on the virtual keyboard, which opens the door to theft of sensitive data.
Apple has already resolved the issue in the visionOS 1.3 update, released on July 29, 2024. The vulnerability was related to a component called Presence, which is responsible for the operation of avatars in the system. According to Apple, the problem was solved by temporarily suspending the avatar when entering data on the virtual keyboard.
The attack was made possible by the use of a trained AI model that analyzed the avatar recordings, as well as the user's eye movements, to identify the moments of data input on the virtual keyboard. Next, the algorithm associated the directions of gaze with certain keys on the keyboard, which made it possible to reconstruct the typed text.
The researchers emphasized that GAZEploit is the first known attack of its kind to use eye movement information to remotely reconstruct typed input.
This case demonstrates how important security is in new developments and technologies, where even a simple glance can become a tool for cyberattacks. The protection of personal data in virtual reality is becoming a critical task, and the GAZEploit incident highlights the need to quickly eliminate such threats so that users can feel protected in the digital spaces of the future.
Source