New Attack Method GAZEploit Targeting Apple VisionPro Discovered

TapTechNews, September 12th: Security researchers have recently discovered a new attack method against Apple VisionPro, named GAZEploit. The method cracks the password by observing the eye movements of the user's virtual avatar, Persona, during video calls.


The researchers have released a demonstration video showing how, by tracking the eye movements of the Persona, they can accurately detect which virtual keyboard keys a VisionPro user is looking at while entering a password.

According to TapTechNews, when VisionPro is used as an independent device, it displays a large virtual keyboard and uses eye tracking to detect the key that the user is looking at during input. However, if the user is in a video call, the eyes of their Persona accurately reflect the direction of their own eyes, and attackers can infer the key the user is looking at by monitoring the eye movements of the avatar.

The researchers have even developed a neural network that can determine whether the user is typing. During typing, the direction of eye gaze is often more concentrated and shows a periodic pattern. In addition, the blinking frequency decreases during typing.

The research team analyzed the eye movement of 30 VisionPro users, and achieved a very high accuracy rate of up to 85.9%. In addition to stealing passwords, GAZEploit can also spy on the messages and website addresses entered by VisionPro users through video calls.
