A new cybersecurity threat, GAZEploit, has emerged targeting Apple Vision Pro’s eye-tracking technology. The attack allows an adversary to infer what a user is typing in virtual reality (VR) environments by tracking their eye movements.
Researchers from the University of Florida, CertiK Skyfall Team, and Texas Tech University developed GAZEploit, which exploits the way users interact with virtual keyboards by focusing on eye aspect ratios and gaze estimation to determine which keys are selected. Using machine learning algorithms, GAZEploit accurately predicts keystrokes with a success rate of nearly 86 percent for individual keys and 98 percent accuracy in detecting typing sessions.
The attack works by analyzing video footage of a user’s virtual avatar, making it a remote and stealthy method of stealing sensitive information like passwords during video calls or virtual meetings. This could present privacy risks for users of VR and mixed reality (MR) devices, as their eye movements can be analyzed to guess passwords or other sensitive data.
Although an 86 percent accuracy rate per individual keystroke might seem low for password-guessing, it significantly compromises password security. This level of accuracy allows attackers to correctly predict most characters in a password, drastically reducing the number of possible combinations they need to attempt. For instance, with an 8-character password, there’s approximately a 23 percent chance (0.86⁸) of predicting the entire password correctly. Even partial knowledge of the password narrows down the search space, making brute-force attacks much more feasible.
Attackers can also exploit common password patterns, contextual clues, and any available personal information to increase their success rate. Advanced algorithms can prioritize likely password combinations based on the predicted keystrokes, further enhancing the effectiveness of the attack. Therefore, an 86 percent keystroke prediction accuracy poses a serious security threat, highlighting the need for robust measures like multi-factor authentication, complex passwords, and avoiding the use of eye-tracking methods for sensitive input in virtual environments.
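The search-space argument above, worked through as an added example that is not part of the original article or of the researchers' work: it quantifies, for a given per-key accuracy, how large a candidate set contains the true password with a chosen probability and how that compares with exhaustive search. It assumes per-key predictions are independent and that passwords are drawn from a 95-character printable set (both are modelling assumptions, not claims from the page).

```python
from math import comb

# Parameters taken from the article: ~0.86 per-key accuracy, 8-character
# password. Charset size 95 (printable ASCII) is an assumption for illustration.
PER_KEY_ACCURACY = 0.86
PASSWORD_LENGTH = 8
CHARSET_SIZE = 95


def exact_recovery_probability(accuracy: float, length: int) -> float:
    """Probability that every key of a length-n password is predicted
    correctly, treating predictions as independent (a modelling assumption)."""
    return accuracy ** length


def coverage_probability(accuracy: float, length: int, max_errors: int) -> float:
    """Probability the true password differs from the prediction in at most
    max_errors positions: the binomial tail on the number of mispredicted keys."""
    return sum(
        comb(length, j) * accuracy ** (length - j) * (1 - accuracy) ** j
        for j in range(max_errors + 1)
    )


def candidates_within_distance(length: int, max_errors: int, charset_size: int) -> int:
    """Number of strings within Hamming distance max_errors of the predicted
    password: sum over j of C(n, j) * (charset_size - 1)^j."""
    return sum(comb(length, j) * (charset_size - 1) ** j for j in range(max_errors + 1))


def search_space_reduction(accuracy: float, length: int, charset_size: int, target_coverage: float):
    """Smallest radius k whose candidate set contains the true password with
    probability >= target_coverage, that set's size, and how many times
    smaller it is than exhaustive search over charset_size ** length."""
    full_keyspace = charset_size ** length
    for k in range(length + 1):
        if coverage_probability(accuracy, length, k) >= target_coverage:
            candidates = candidates_within_distance(length, k, charset_size)
            return k, candidates, full_keyspace / candidates
    raise ValueError("target_coverage must be <= 1")


if __name__ == "__main__":
    p = exact_recovery_probability(PER_KEY_ACCURACY, PASSWORD_LENGTH)
    print(f"exact recovery of all {PASSWORD_LENGTH} keys: {p:.3f}")
    k, n, factor = search_space_reduction(PER_KEY_ACCURACY, PASSWORD_LENGTH, CHARSET_SIZE, 0.90)
    print(f"radius {k}: {n} candidates cover 90% of cases, {factor:.2e}x fewer than brute force")
```

The candidate count at radius 2 is a few hundred thousand guesses against a keyspace of roughly 6.6e15, which is the concrete sense in which partial keystroke knowledge collapses the brute-force cost.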
To protect against GAZEploit, experts recommend avoiding entering sensitive information using eye-tracking technologies and instead opting for physical keyboards or other secure input methods. Users should also ensure that their software is up to date with the latest security patches and adjust privacy settings to limit or disable eye-tracking when not in use.
Sources: AppleInsider, PC-Tablet
September 13, 2024 – by the FindBiometrics Editorial Team