New GAZEploit Attack Let Hackers Capture Keystrokes from Apple Vision Pro
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A novel security vulnerability dubbed “GAZEploit” has been discovered that could allow hackers to capture keystrokes from Apple Vision Pro’s virtual keyboards.
The attack exploits the eye-tracking technology used for gaze-based typing on Apple’s mixed-reality headset.
Researchers from the University of Florida, CertiK Skyfall Team, and Texas Tech University developed GAZEploit, which analyzes eye movements of a user’s virtual avatar to infer what is being typed.
The attack works by recording the movements of the avatar’s eyes during FaceTime calls or other scenarios where the avatar is visible.
GAZEploit focuses on two key biometric indicators – the eye aspect ratio (EAR), which measures how wide a person’s eyes are open, and eye gaze estimation, which tracks where they’re looking on the screen.
The researchers trained a machine learning model on data from 30 participants and achieved 98% accuracy in identifying typing sessions. For predicting individual keystrokes, they reported 85.9% accuracy and 96.8% recall.
What makes GAZEploit particularly concerning is that it can be carried out remotely by simply analyzing video footage of the avatar.
This means sensitive information like passwords or private messages could potentially be compromised during everyday activities like virtual meetings or live streaming.
How the attack works
Apple has already taken steps to address the vulnerability, releasing a patch in visionOS 1.3 in July 2024. However, the discovery highlights the unique privacy challenges posed by emerging VR/AR technologies that rely on biometric data.
To protect against similar attacks, experts recommend avoiding entering sensitive information via eye-tracking methods in VR environments when possible. Using physical keyboards or other secure input methods is advised for inputting passwords and personal data.
The GAZEploit research underscores the need for robust privacy safeguards as VR technology becomes more prevalent. As these immersive systems collect increasingly rich behavioral data, striking a balance between user experience and data protection will be crucial for widespread adoption.
While Apple has moved quickly to patch this specific vulnerability, the incident reminds us that novel attack vectors may continue to emerge as VR/AR capabilities expand.
#Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
New GAZEploit Attack Let Hackers Capture Keystrokes from Apple Vision Pro
Author: Guru BaranA novel security vulnerability dubbed “GAZEploit” has been discovered that could allow hackers to capture keystrokes from Apple Vision Pro’s virtual keyboards.
The attack exploits the eye-tracking technology used for gaze-based typing on Apple’s mixed-reality headset.
Researchers from the University of Florida, CertiK Skyfall Team, and Texas Tech University developed GAZEploit, which analyzes eye movements of a user’s virtual avatar to infer what is being typed.
The attack works by recording the movements of the avatar’s eyes during FaceTime calls or other scenarios where the avatar is visible.
GAZEploit focuses on two key biometric indicators – the eye aspect ratio (EAR), which measures how wide a person’s eyes are open, and eye gaze estimation, which tracks where they’re looking on the screen.
The researchers trained a machine learning model on data from 30 participants and achieved 98% accuracy in identifying typing sessions. For predicting individual keystrokes, they reported 85.9% accuracy and 96.8% recall.
What makes GAZEploit particularly concerning is that it can be carried out remotely by simply analyzing video footage of the avatar.
This means sensitive information like passwords or private messages could potentially be compromised during everyday activities like virtual meetings or live streaming.
How the attack worksApple has already taken steps to address the vulnerability, releasing a patch in visionOS 1.3 in July 2024. However, the discovery highlights the unique privacy challenges posed by emerging VR/AR technologies that rely on biometric data.
To protect against similar attacks, experts recommend avoiding entering sensitive information via eye-tracking methods in VR environments when possible. Using physical keyboards or other secure input methods is advised for inputting passwords and personal data.
The GAZEploit research underscores the need for robust privacy safeguards as VR technology becomes more prevalent. As these immersive systems collect increasingly rich behavioral data, striking a balance between user experience and data protection will be crucial for widespread adoption.
While Apple has moved quickly to patch this specific vulnerability, the incident reminds us that novel attack vectors may continue to emerge as VR/AR capabilities expand.
#Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
