Researchers have identified a security flaw in Apple's Vision Pro mixed reality device that allows them to reconstruct users' passwords, PINs and messages.
The researchers called it “GAZEploit” and used eye-tracking data to decode what users typed using their eyes on the virtual keyboard.
Because avatars are visible to other users, the researchers didn't have to hack anything or access the user's headset; they just had to study the avatar's eye movements. The virtual keyboard is used to log into Slack, Teams, Twitter, and more.
All patched up
The researchers were able to predict the keyboard's location with impressive accuracy, deducing the correct typed letters within five attempts with over 90% accuracy for texts, 77% of the time for passwords, and 73% of the time for PINs.
The vulnerability was discovered in April, and Apple released a patch to fix the issue in July. With the patch, the avatar is no longer displayed while the virtual keyboard is in use. The attack is said to be the first of its kind and exposes how biometric data can be used to monitor users, the researchers confirmed.
“These technologies… can inadvertently expose critical facial biometric data, including eye-tracking data, through video calls where the user’s virtual avatar mirrors their eye movements.”
Wearable technology has ushered in a new set of privacy concerns for users, with more information being captured and stored in people's daily lives. Health data, locations, and biometric information could all be used against users if they fell into the wrong hands.
Via Wired