Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://mastodon.social/users/LukaszOlejnik/statuses/113147260886481878">Lukasz Olejnik (lukaszolejnik@mastodon.social)'s status on Sunday, 12-Jan-2025 17:35:07 JST</a><a href="https://mastodon.social/@LukaszOlejnik" title="lukaszolejnik@mastodon.social"><img src="https://gnusocial.jp/avatar/18834-48-20221107075922.webp" width="48" height="48" alt="Lukasz Olejnik" style="position: absolute; left: 0; top: 0;">Lukasz Olejnik</a></section><article><p>Stealing passwords and PINs entered by Apple Vision Pro users. As you can see, you never know when a lecture on double integrals over surfaces might come in handy. <a href="https://arxiv.org/abs/2409.08122" rel="nofollow">https://arxiv.org/abs/2409.08122</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4358739#notice-8523981">In conversation</a><time datetime="2025-01-12T17:35:07+09:00" title="Sunday, 12-Jan-2025 17:35:07 JST">about 10 months ago</time> <span>from <span><a href="https://mastodon.social/@LukaszOlejnik/113147260886481878" rel="external" title="Sent from mastodon.social via ActivityPub">mastodon.social</a></span></span><a href="https://mastodon.social/@LukaszOlejnik/113147260886481878">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/3896061">Untitled attachment</a></label><br><a href="https://files.mastodon.social/media_attachments/files/113/147/260/675/836/924/original/81e254b9a84e60e8.png" rel="external">https://files.mastodon.social/media_attachments/files/113/147/260/675/836/924/original/81e254b9a84e60e8.png</a></li><li><article><header><div>Domain not in remote thumbnail source whitelist: arxiv.org</div><h5><a href="https://arxiv.org/abs/2409.08122">GAZEploit: Remote Keystroke Inference Attack by Gaze Estimation from Avatar Views in VR/MR Devices</a></h5><div></div></header><div>The advent and growing popularity of Virtual Reality (VR) and Mixed Reality (MR) solutions have revolutionized the way we interact with digital platforms. The cutting-edge gaze-controlled typing methods, now prevalent in high-end models of these devices, e.g., Apple Vision Pro, have not only improved user experience but also mitigated traditional keystroke inference attacks that relied on hand gestures, head movements and acoustic side-channels. However, this advancement has paradoxically given birth to a new, potentially more insidious cyber threat, GAZEploit.
  In this paper, we unveil GAZEploit, a novel eye-tracking based attack specifically designed to exploit these eye-tracking information by leveraging the common use of virtual appearances in VR applications. This widespread usage significantly enhances the practicality and feasibility of our attack compared to existing methods. GAZEploit takes advantage of this vulnerability to remotely extract gaze estimations and steal sensitive keystroke information across various typing scenarios-including messages, passwords, URLs, emails, and passcodes. Our research, involving 30 participants, achieved over 80% accuracy in keystroke inference. Alarmingly, our study also identified over 15 top-rated apps in the Apple Store as vulnerable to the GAZEploit attack, emphasizing the urgent need for bolstered security measures for this state-of-the-art VR/MR text entry method.</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Lukasz Olejnik (lukaszolejnik@mastodon.social)'s status on Sunday, 12-Jan-2025 17:35:07 JST Lukasz Olejnik
Stealing passwords and PINs entered by Apple Vision Pro users. As you can see, you never know when a lecture on double integrals over surfaces might come in handy. https://arxiv.org/abs/2409.08122
In conversationabout 10 months ago from mastodon.socialpermalink
Attachments
1. Untitled attachment
  https://files.mastodon.social/media_attachments/files/113/147/260/675/836/924/original/81e254b9a84e60e8.png
2. Domain not in remote thumbnail source whitelist: arxiv.org
  GAZEploit: Remote Keystroke Inference Attack by Gaze Estimation from Avatar Views in VR/MR Devices
  The advent and growing popularity of Virtual Reality (VR) and Mixed Reality (MR) solutions have revolutionized the way we interact with digital platforms. The cutting-edge gaze-controlled typing methods, now prevalent in high-end models of these devices, e.g., Apple Vision Pro, have not only improved user experience but also mitigated traditional keystroke inference attacks that relied on hand gestures, head movements and acoustic side-channels. However, this advancement has paradoxically given birth to a new, potentially more insidious cyber threat, GAZEploit. In this paper, we unveil GAZEploit, a novel eye-tracking based attack specifically designed to exploit these eye-tracking information by leveraging the common use of virtual appearances in VR applications. This widespread usage significantly enhances the practicality and feasibility of our attack compared to existing methods. GAZEploit takes advantage of this vulnerability to remotely extract gaze estimations and steal sensitive keystroke information across various typing scenarios-including messages, passwords, URLs, emails, and passcodes. Our research, involving 30 participants, achieved over 80% accuracy in keystroke inference. Alarmingly, our study also identified over 15 top-rated apps in the Apple Store as vulnerable to the GAZEploit attack, emphasizing the urgent need for bolstered security measures for this state-of-the-art VR/MR text entry method.

Public

Embed Notice

HTML Code

Corresponding Notice