Cyber security news for all

More

    Vulnerability in Apple Vision Pro Unveils Virtual Keyboard Inputs to Malicious Actors

    Recent revelations have surfaced regarding a now-rectified security flaw affecting Apple’s Vision Pro mixed reality headset. If exploited, the flaw could allow cyber attackers to deduce information entered on the device’s virtual keyboard.

    The exploit, aptly termed GAZEploit, has been tagged with the CVE identifier CVE-2024-40865.

    “A pioneering attack capable of inferring eye-related biometrics from an avatar’s visual depiction, enabling the reconstruction of text entered through gaze-directed typing,” articulated a consortium of scholars from the University of Florida.

    The GAZEploit tactic capitalizes on the inherent vulnerabilities present when users engage in gaze-guided text input while utilizing a shared virtual avatar.

    Upon receiving responsible disclosure, Apple addressed this security lapse in visionOS 1.3, released on July 29, 2024. The company classified the flaw as originating from a component labeled Presence.

    “Virtual keyboard inputs could be deduced via Persona,” Apple noted in a security advisory, adding that the issue was mitigated by “suspending Persona while the virtual keyboard remains active.”

    In essence, the academic team discovered that the eye movements (or “gaze”) of a virtual avatar could be meticulously analyzed, enabling an adversary to discern the text being typed by the user, potentially breaching their confidentiality.

    Hypothetically, an assailant could leverage this technique by studying shared virtual avatars on video conferencing platforms, online meetings, or live-streaming services, allowing them to remotely infer keystrokes. This technique could be weaponized to extract sensitive data, such as credentials.

    The attack is achieved through a supervised learning model, which is trained using Persona recordings, the eye aspect ratio (EAR), and gaze estimation metrics to distinguish between typing behaviors and other virtual reality activities, such as movie-watching or gameplay.

    Subsequently, the gaze directions are mapped onto specific keys on the virtual keyboard, with the model considering the spatial location of the keyboard in the virtual environment to ascertain probable keystrokes.

    “By remotely capturing and analyzing the virtual avatar’s video feed, a cybercriminal could reconstruct the input keys,” the researchers explained. “GAZEploit stands as the first documented attack in this realm, exploiting leaked gaze information to remotely deduce keystrokes.”

    Recent Articles

    Related Stories