A group of researchers have identified a security flaw in Apple’s Vision Pro mixed reality headset which let them reconstruct users’ passwords, PINs and messages.
Dubbed ‘GAZEploit’, the attack uses eye-tracking data to decode what users type on the virtual keyboard with their eyes.
Since avatars are visible to other users, the researchers did not have to hack into anything or gain access to the user’s headset; they only had to study the eye movements of the user’s avatar. Users can type on the virtual keyboard to log into Slack, Teams, Twitter and more while their avatar is on display.
All patched up
The researchers were able to predict keyboard placement with impressive accuracy, deducing the correct letters typed within a maximum of five guesses over 90% of the time for messages, 77% of the time for passwords, and 73% of the time for PINs.
The vulnerability was discovered in April, and Apple issued a patch to fix the issue in July: the avatar is no longer displayed while the virtual keyboard is in use. The researchers say it is the first attack of its kind, and that it exposes how biometric data can be used to surveil users:
“These technologies … can inadvertently expose critical facial biometrics, including eye-tracking data, through video calls where the user’s virtual avatar mirrors their eye movements.”
Wearable technology has ushered in a new set of privacy concerns for users, with more information captured and stored in people’s day-to-day lives. Health data, location history and biometric information could all be used against users if they fell into the wrong hands.
Via Wired