As Apple continues to innovate with cutting-edge technologies, new vulnerabilities are emerging in parallel. The Apple Vision Pro, equipped with eye-tracking features, promises a new level of immersive interaction, especially during FaceTime calls or when typing on virtual keyboards. However, the same eye-tracking technology that enhances user experience has now become a target for hackers.
Researchers from the University of Florida, CertiK Skyfall Team, and Texas Tech University recently developed a tool called GAZEploit, which can exploit this eye-tracking capability to steal passwords and other sensitive data. Here's how this attack works, its risks, and what you can do to protect yourself.
How GAZEploit Exploits Eye-Tracking in Apple Vision Pro
With Apple Vision Pro, users can type by simply looking at the keys on a virtual keyboard, using eye movements instead of physically pressing buttons. The device tracks these eye movements to identify which characters the user is selecting.
GAZEploit leverages this eye-tracking system to steal typed information by analyzing eye movement data during typing. Hackers can record the eye movements of a user’s virtual avatar during a VR session and decode this data to predict what is being typed, such as passwords or private messages.
The attack works by focusing on two key factors:
Eye Aspect Ratio (EAR): This measures how wide a user’s eyes are open.
Eye Gaze Estimation: This tracks where the eyes are focused on the screen.
By studying these two signals together, hackers can detect when someone is typing in a VR environment. GAZEploit uses a machine learning model, a recurrent neural network (RNN), trained to recognize typing behavior with high accuracy: 98% of the time, it successfully identifies typing sessions.
How GAZEploit Decodes Keystrokes
Once the attack identifies a typing session, it analyzes rapid eye movements (called saccades) and the moments when the eyes settle on a virtual key (fixations). By mapping these movements to the layout of the virtual keyboard, GAZEploit is able to predict which keys are being typed.
In testing, the researchers reported that GAZEploit achieved 85.9% accuracy in predicting individual keystrokes. Furthermore, it achieved a near-perfect 96.8% recall rate when recognizing typing activity in general.
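The two signals the article names (EAR and fixation/saccade structure in the gaze trace) are standard eye-tracking measures, and the same analysis that lets an attacker spot a typing session lets a headset or conferencing client spot it first and blank the avatar's eyes for that window. The following Python is an added illustration written for this article; it is not GAZEploit code, not the researchers' RNN, and not Apple's mitigation. The six-landmark EAR formula is the usual one from the eye-blink literature; the velocity threshold, the keystroke-length fixation range, the sample rate and the gaze trace itself are constructed assumptions.

```python
"""
Added example (not from the GAZEploit paper or the article): compute Eye
Aspect Ratio, split a gaze trace into fixations and saccades, flag windows
of keystroke-length fixations as typing-like, and mask the avatar's gaze
samples for those windows. All thresholds and sample data are assumptions.
"""
import math

HZ = 60  # assumed avatar eye-tracking sample rate

# --- Eye Aspect Ratio -----------------------------------------------------
# Six landmarks run clockwise around the eye: p1/p4 are the corners,
# (p2, p6) and (p3, p5) are upper/lower lid pairs. EAR ~0.3 open, ~0 closed.
def eye_aspect_ratio(pts):
    p1, p2, p3, p4, p5, p6 = pts
    dist = lambda a, b: math.hypot(a[0] - b[0], a[1] - b[1])
    return (dist(p2, p6) + dist(p3, p5)) / (2.0 * dist(p1, p4))

# Constructed landmark sets for an open and a nearly closed eye.
OPEN_EYE = [(0, 0), (2, 1), (4, 1), (6, 0), (4, -1), (2, -1)]
CLOSED_EYE = [(0, 0), (2, 0.1), (4, 0.1), (6, 0), (4, -0.1), (2, -0.1)]

# --- Fixation / saccade labelling (velocity threshold, "I-VT") -------------
def classify_gaze(trace, ears, hz, vel_thresh=30.0, ear_thresh=0.2):
    """Label each gaze sample 'blink', 'saccade' or 'fixation'.
    trace: (x, y) gaze angles in degrees; ears: EAR per sample.
    Samples with eyes closed are dropped because gaze estimates during a
    blink are unreliable; above vel_thresh deg/s is a saccade."""
    labels = []
    for i, (pt, ear) in enumerate(zip(trace, ears)):
        if ear < ear_thresh:
            labels.append("blink")
        elif i == 0:
            labels.append("fixation")
        else:
            (x0, y0), (x1, y1) = trace[i - 1], pt
            v = math.hypot(x1 - x0, y1 - y0) * hz
            labels.append("saccade" if v > vel_thresh else "fixation")
    return labels

def fixations(labels):
    """Collapse consecutive fixation samples into (start_idx, length) runs."""
    runs, i, n = [], 0, len(labels)
    while i < n:
        if labels[i] != "fixation":
            i += 1
            continue
        j = i
        while j < n and labels[j] == "fixation":
            j += 1
        runs.append((i, j - i))
        i = j
    return runs

def typing_windows(runs, hz, min_ms=100, max_ms=600, min_run=3):
    """Sample-index spans [start, end) where at least min_run consecutive
    fixations are keystroke-length: the dwell-hop-dwell rhythm of gaze
    typing, as opposed to the long steady fixations of watching a face."""
    spans, run = [], []
    for start, length in runs + [(None, 0)]:  # sentinel flushes the last run
        ms = 1000.0 * length / hz
        if start is not None and min_ms <= ms <= max_ms:
            run.append((start, length))
            continue
        if len(run) >= min_run:
            spans.append((run[0][0], run[-1][0] + run[-1][1]))
        run = []
    return spans

def mask_avatar_gaze(trace, spans):
    """Defensive response: replace gaze samples inside flagged spans with
    None so a rendered avatar shows neutral eyes while the user is typing."""
    return [None if any(s <= i < e for s, e in spans) else pt
            for i, pt in enumerate(trace)]

# --- Constructed demo trace (not real Vision Pro data) ---------------------
def _hold(point, n):
    return [point] * n

# 2 s watching a face (with one 4-sample blink), three 300 ms fixations
# hopping across a keyboard-sized region, then 2 s watching the face again.
SAMPLE_TRACE = (
    _hold((0.0, 5.0), 120)
    + _hold((-8.0, -10.0), 18) + _hold((-2.0, -12.0), 18) + _hold((6.0, -10.0), 18)
    + _hold((0.0, 5.0), 120)
)
SAMPLE_EARS = [0.33] * len(SAMPLE_TRACE)
for _k in range(60, 64):
    SAMPLE_EARS[_k] = 0.05

def run_demo():
    labels = classify_gaze(SAMPLE_TRACE, SAMPLE_EARS, HZ)
    spans = typing_windows(fixations(labels), HZ)
    masked = mask_avatar_gaze(SAMPLE_TRACE, spans)
    return spans, masked

if __name__ == "__main__":
    spans, masked = run_demo()
    print("typing-like spans (sample idx):", spans)
    print("masked samples:", masked.count(None), "of", len(masked))
```

The key-mapping step the article describes (placing each fixation on the virtual keyboard layout) is deliberately left out; the defensive value is in the detection, which fires before any key could be inferred, and in the masking, which is the system-side analogue of the "disable eye-tracking" and "don't type while recorded" advice below.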
The most concerning aspect of this attack is that it can be performed remotely. Attackers don’t need direct access to the Apple Vision Pro device. Instead, they only require video footage of the user’s avatar, recorded during activities like virtual meetings, live streaming, or video calls. With this footage, hackers can analyze eye movements and infer what’s being typed—without the user being aware.
Protecting Yourself from GAZEploit
While Apple’s Vision Pro offers futuristic features, this vulnerability highlights the need for cautious use of emerging technologies. Here are a few steps to protect yourself against potential attacks like GAZEploit:
Avoid Typing Sensitive Information in VR: To minimize the risk of data theft, avoid typing sensitive information, such as passwords or personal details, using eye-tracking methods in VR environments. Use a physical keyboard or a more secure input method whenever possible.
Disable Eye-Tracking When Not Needed: If eye-tracking is not essential for your VR activities, consider turning off or limiting this feature. Adjust the privacy settings on your Apple Vision Pro or any other VR/MR (mixed reality) devices to reduce exposure to eye-tracking vulnerabilities.
Keep Software Updated: Apple regularly releases security patches to fix vulnerabilities in its devices. Ensure that your Vision Pro is always up-to-date with the latest software updates to protect against any newly discovered exploits like GAZEploit.
Be Cautious During Virtual Meetings: Since GAZEploit can be executed by analyzing video footage of your avatar, be cautious about what you do during video calls, live streams, or public VR activities. Avoid typing sensitive information while being recorded or in virtual public spaces.
The Future of Eye-Tracking and Security
GAZEploit showcases how even the most innovative technologies can be vulnerable to exploitation. Eye-tracking in VR and MR devices, while offering new ways to interact, introduces unique risks that need to be managed carefully. As technology advances, so will the tools and techniques used by hackers.
For now, taking proactive measures and staying aware of security developments are your best defenses. As Apple and other tech giants work to improve their security protocols, users must remain vigilant to protect their personal data in these new digital environments.