A significant security flaw has been identified in Apple’s cutting-edge Vision Pro mixed reality headset, putting user privacy at risk. A group of researchers uncovered that they could reconstruct users’ passwords, PINs, and even messages by analyzing their eye movements. This flaw, dubbed ‘GAZEploit’, seriously threatens the security of the Vision Pro’s eye-tracking technology.
How GAZEploit Works
The GAZEploit attack centers around the eye-tracking feature in the Apple Vision Pro. This advanced feature allows users to control virtual keyboards and interact with applications using only their eyes.
While this technology offers a hands-free experience, it also opens the door to potential misuse.
The researchers report that they were able to monitor users’ eye movements through their virtual avatars and deduce, with surprising accuracy, the letters and numbers being typed on virtual keyboards.
Even without hacking directly into the Vision Pro headset, researchers could observe the avatars of users who were typing on virtual keyboards during video calls.
This data allowed them to guess passwords and messages based solely on eye movement patterns. The potential targets included everyday applications like Slack, Teams, and Twitter, where users type passwords, messages, and PINs.
Alarming Accuracy
The success rate of the GAZEploit attack is cause for concern. Researchers reported that they could accurately guess the text users typed on virtual keyboards with more than 90% accuracy for messages, 77% accuracy for passwords, and 73% for PINs. This means hackers wouldn’t need many attempts to guess critical login details.
This vulnerability exposes just how much biometric data — such as eye-tracking information — could be exploited for surveillance and malicious attacks.
The researchers emphasize that eye-tracking data, especially in mixed-reality environments, could give away sensitive information like login credentials without users even realizing it.
Apple Responds with a Patch
After the vulnerability was discovered in April, Apple quickly moved to address the issue. In July, it rolled out a patch that prevents the user’s avatar from being displayed while they use the virtual keyboard.
This update effectively shuts down the GAZEploit vulnerability by limiting the exposure of eye-tracking data during key moments, such as typing passwords or messages.
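As an added illustration (not Apple’s code and not the researchers’), here is a defender-side sketch of the patch’s idea: withhold the avatar’s gaze data from a call whenever the virtual keyboard has focus. The keyboard_active signal and the guard window around each typing session are assumptions of this example, not details of Apple’s described fix.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

@dataclass
class AvatarFrame:
    t_ms: int                              # frame timestamp in milliseconds
    gaze: Optional[Tuple[float, float]]    # gaze direction shared with the call; None = withheld
    keyboard_active: bool                  # hypothetical system signal: virtual keyboard has focus

def typing_windows(frames: List[AvatarFrame], guard_ms: int) -> List[Tuple[int, int]]:
    """Time intervals during which the virtual keyboard had focus, each widened by
    guard_ms on both sides. The guard band is an assumption of this illustration:
    it also covers the frames in which the eyes travel to and from the keyboard."""
    windows, start = [], None
    for f in frames:
        if f.keyboard_active and start is None:
            start = f.t_ms                      # typing session begins
        elif not f.keyboard_active and start is not None:
            windows.append((start - guard_ms, f.t_ms + guard_ms))
            start = None                        # typing session ended
    if start is not None:                       # session still open at end of stream
        windows.append((start - guard_ms, frames[-1].t_ms + guard_ms))
    return windows

def gate_avatar_gaze(frames: List[AvatarFrame], guard_ms: int = 300) -> List[AvatarFrame]:
    """Return the frames with gaze withheld (None) wherever they fall inside a
    typing window, so the remote party's view of the avatar carries no eye
    movement while credentials or messages are being typed."""
    windows = typing_windows(frames, guard_ms)
    return [replace(f, gaze=None) if any(lo <= f.t_ms <= hi for lo, hi in windows) else f
            for f in frames]

# Constructed sample stream: one frame every 100 ms; the keyboard has focus from 400 to 600 ms.
SAMPLE_FRAMES = [
    AvatarFrame(t_ms=t, gaze=(0.1 * t / 100, -0.2), keyboard_active=400 <= t <= 600)
    for t in range(0, 1100, 100)
]

if __name__ == "__main__":
    for f in gate_avatar_gaze(SAMPLE_FRAMES, guard_ms=150):
        print(f.t_ms, "withheld" if f.gaze is None else f.gaze)
```

With a 150 ms guard band the sample stream withholds gaze for the frames at 300 through 800 ms and leaves the rest untouched.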
Apple’s response highlights its commitment to safeguarding users’ data and ensuring the privacy of their devices.
However, this discovery serves as a reminder of the risks associated with wearable technology, especially devices that capture and store biometric information.
The Bigger Privacy Picture
As technology continues to evolve, the introduction of wearable devices like the Apple Vision Pro brings new privacy concerns.
Devices equipped with eye-tracking, heart-rate monitoring, and location tracking have the potential to gather vast amounts of personal data. While these devices offer enhanced user experiences, they also create avenues for exploitation.
GAZEploit is the first vulnerability of its kind, but given the growing popularity of wearable tech, it is unlikely to be the last. It shows how even advanced biometric technologies can inadvertently expose sensitive information.
Researchers urge developers and companies to build more robust privacy protections into these devices to ensure that such vulnerabilities do not occur in the future.