Researchers have uncovered a serious security flaw in Apple Vision Pro. The vulnerability, called GAZEploit, lets attackers decipher users’ Vision Pro password and other passwords, PINs, and messages by analyzing their eye movements during virtual keyboard use.
The attack exploits the eye-tracking data exposed through the Vision Pro’s Persona, which creates a 3D avatar for video calls and streaming. By observing the avatar’s eye movements, researchers could reconstruct typed information with alarming accuracy – 77% for passwords and 92% for messages within five guesses.
GAZEploit uses machine learning to identify typing sessions based on eye movement patterns, then maps gaze directions to virtual keyboard keys. The biggest point of concern is that this method doesn’t require direct access to the device, which makes it a realistic threat for anyone using their Persona during video calls or livestreams.
Apple has since patched the vulnerability in visionOS 1.3, released in July 2024. The fix disables the Persona feature when the virtual keyboard is active. If you haven’t already, you are strongly advised to update your Vision Pro to the latest version. Here’s how to install it.
It’s good that the issue has been fixed, but there’s always something new around the corner.
More here.