Apple's upcoming mixed-reality device, the Vision Pro, faced a critical vulnerability, dubbed GAZEploit, that allowed attackers to infer user input from eye-tracking data. The Vision Pro relies heavily on its gaze-tracking system for user interaction, eliminating the need for physical controllers. The vulnerability came to light after researchers demonstrated that patterns of eye movement could be analyzed to reveal passwords and other sensitive information.
Details
The GAZEploit attack works by observing the Vision Pro's gaze-tracking inputs, which are visible to the system and tied to user activity such as typing on the virtual keyboard or selecting on-screen items. By capturing the exact sequence of eye movements, an attacker could reconstruct the characters entered on the virtual keyboard, which amounts to keystroke logging without any physical keystrokes. Although the vulnerability required physical access to the device, in some scenarios remote exploitation might also have been possible through compromised applications running on the device.
Apple has since issued a patch that addresses the specific flaw by obfuscating or encrypting the communication between the eye-tracking module and the rest of the operating system. While the patch mitigates this issue, it raises concerns about the security of future mixed-reality devices built on similar technology. Privacy advocates have raised alarms about the broader risks of eye tracking, which could enable more subtle surveillance than password theft, such as inferring emotional states or preferences from gaze patterns.