When you interact with others in virtual reality, Apple’s Vision Pro can show a virtual version of you to the world. Unfortunately, this feature, called Persona, can be used by hackers to steal sensitive information from Vision Pro users.
The security flaw was discovered by a team of six computer scientists from the University of Florida’s Department of Computer Science and was first reported by Wired magazine.
The GAZEploit attack, as the researchers called it, works by tracking the eye movements of a user’s Persona to identify when they are typing on Vision Pro’s virtual keyboard. The researchers found that users tend to focus on the specific keys they are about to click, and they were able to build algorithms to identify what users were typing. The results were quite accurate; for example, the researchers were able to identify the correct letters of users’ passwords 77 percent of the time. When it came to detecting what people typed in messages, the results were 92 percent accurate.
Researchers disclosed the vulnerability to Apple as early as April, and Apple fixed it in visionOS 1.3, released in July. Apple said in the release notes that the flaw allows virtual keyboard input to be inferred from a Persona.
“This issue has been resolved by pausing Persona while the virtual keyboard is active,” Apple wrote in the release notes. Vision Pro users who have not yet updated to the latest version are advised to update as soon as possible.
Although disabling Persona while the user is typing is a very simple fix, the flaw does raise the question of how much information a malicious hacker can infer just by looking at your virtual version.
Researchers say this attack has not yet been used against people using Personas in the real world. But what makes this attack particularly dangerous is that it requires only a video recording of someone’s Persona while they type, meaning an attacker could still use it on old videos. It seems the only way to mitigate this issue is to delete any public videos in which your Persona can be seen while you type; we’ve reached out to Apple to find out how to protect your data.