Like other Apple products, the Vision Pro is sometimes subject to security flaws that allow hackers to access information they shouldn’t see. A recent case was revealed by the media Wired the researchers behind the discovery have used the user’s Persona’s gaze to guess what he was writing.
When eye tracking finds itself at the heart of an unexpected security breach
A security flaw in the Apple Vision Pro was recently discovered and patched. This vulnerability allowed an attack, called GAZEploit, to guess passwords, PINs, and messages. Using eye tracking, researchers have demonstrated that it is possible to exploit this data to obtain confidential information. In the case of the Apple Vision Pro, this eye-tracking attack revealed information with impressive accuracy rates: 77% for passwords, 73% for PINs, and 92% for messages typed via a virtual keyboard.
The GAZEploit attack involved carefully observing the eye movements of a Persona generated by the Apple Vision Pro, without requiring direct access to the spatial computer. Using a machine learning model, the researchers were able to accurately predict keystrokes based on the user’s eye movements.
The vulnerability exploited the position of the eyes and that of the virtual keyboard used by the avatar in common applications like Zoom or FaceTime. Using this method, security researchers could guess what the user was typing.
Alerted to this flaw by researchers in April 2024, Apple quickly reacted. In July 2024, an update to the Vision Pro operating system, visionOS 1.3, was deployed to correct this vulnerability. Now, in the event of video conversations, the Persona no longer displays precise eye tracking, which no longer allows people present in the video conversation to guess what the Vision Pro user is typing.