The Apple Vision Pro has a worrying security flaw that could allow hackers to easily guess passwords based on eye movements
A group of researchers has discovered a security vulnerability in Apple’s Vision Pro mixed reality headset that allowed them to reconstruct users’ passwords, PINs, and messages.
The researchers used eye movement data to infer what users were typing with their eyes on the headset’s virtual keyboard. The technique was dubbed ‘GAZEploit’.
The attack relies on the headset’s virtual avatar, which mirrors the wearer’s eye movements and is visible to other participants in a video call. Because the avatar is visible to other users, the researchers didn’t have to hack into anything or gain access to the user’s headset; they only had to study the avatar’s eye movements. Users can type on the virtual keyboard to log in to Slack, Teams, Twitter and more.
Already patched
The researchers were able to predict the position of the virtual keyboard with impressive accuracy. They deduced the correct letters with over 90% accuracy in messages after up to five attempts, 77% of the time in passwords, and 73% of the time in PIN codes.
The vulnerability was discovered in April and Apple released a patch to fix it in July. The avatar is no longer displayed while the virtual keyboard is in use. The researchers say the attack is the first of its kind and reveals how biometric data can be used to spy on users.
“These technologies… can inadvertently expose critical facial biometrics, including eye movement data, through video calls where the user’s virtual avatar mirrors their eye movements.”
Wearable technology brings a new wave of privacy concerns for users, as more information about people’s daily lives is captured and stored. Health data, location history, and biometric information can all be used against users if they fall into the wrong hands.
Via Wired