You do know that some people are using their Vision Pro outside of their home, right? And as more people buy the Vision Pro over time, you'll see more people using them away from home.


I thought this was related to the avatar used in FaceTime, not EyeSight. Do you think there is enough detail in EyeSight to actually determine what the user is even doing, let alone their keystrokes? Gosh, that woman on the flight appears to have no eyes, let alone ones focused on a virtual keyboard! o_O
 
Exactly this. This means they’re already in your house so you have bigger problems.
No. It does not mean they are in your house. The exploit wasn't reading the eye motions of the outward facing screen on the headset. The exploit was reading the eye motions of the avatar that VisionOS creates for you when you are communicating virtually with other people. So if you were video conferencing with someone using your avatar the people on the other end of the call could figure out what you were typing.
 
There are people still using Apple Vision Pro?
It is very interesting how all threads about the Vision Pro get spoiled by useless, off-topic and negative messages from people who do not want to use it. If I do not like something, I just move on and ignore it…

Interesting find, that flaw, btw. But that virtual typing in public is just like typing on your laptop in public, which is even more vulnerable.
 
This is the most ridiculous sight … truly
Ridiculous = unfamiliar.

People said the same about AirPods when they launched; go back to the 1970s and people thought people wearing headphones in public looked ridiculous. Go back even further and how do you think the first cyclists looked, or even people using umbrellas or wearing glasses?
 
Ridiculous = unfamiliar.

People said the same about AirPods when they launched; go back to the 1970s and people thought people wearing headphones in public looked ridiculous. Go back even further and how do you think the first cyclists looked, or even people using umbrellas or wearing glasses?

That's true, but don't forget that public opinion only changed because there were compelling use cases for those inventions to be used by a large enough audience.

Wearing headphones would have looked unusual at first, but when enough people see the advantages of them, they become commonplace over time.

The AVP will not get to that point, so it will stay looking ridiculous until Apple discontinues it.
 
The 300 affected users are happy they won’t be hacked by eye trackers in a Zoom meeting you are totally gonna wanna have with this thing. This is the only Apple product I have ever regretted buying. And a security flaw that can only be really exploited by an eye tracker that is in the remote possibility of being in a Zoom call with the ridiculously and insanely low installed base of this product begs the question of who the hell is using the software keyboard on this thing? Within 5 minutes I connected my Bluetooth keyboard, or used the voice to text function. It is an unintuitive keyboard and makes typing feel lumbering and slow.

It can track my eyes right? Or my hands? Hmmmmmmm, swipe to type is on the iPhone and they can’t get a $3500 product to do what Locked In Syndrome patients with Macintoshes have been doing for 3 decades almost?
 
That's true, but don't forget that public opinion only changed because there were compelling use cases for those inventions to be used by a large enough audience.

Wearing headphones would have looked unusual at first, but when enough people see the advantages of them, they become commonplace over time.

The AVP will not get to that point, so it will stay looking ridiculous until Apple discontinues it.
Uh, you’re kidding right? Wearing headphones was considered rude when other people were near you. That stigma disappeared when everyone realized they could listen to music privately.

You wear a VR headset and you still look like a huge nerd or doofus. I looked at myself in a mirror and totally agree. You look like an idiot wearing one. And then you bump into a door and crack the front and look like a total moron. And wearing this on the subway, you’re moving your hands around and could accidentally touch someone or bump them or be in their space or in some cases become the subject of mockery because you think it’s great to wear but everyone else watching you thinks you have cerebral palsy.
 
Sorry, I went to the Wired story just to make sure I wasn't reading this wrong.

Getting 1 in 5 guessed passwords right 77% of the time means they had a really low success rate. It means that 23% of the time they couldn't even get the password at all, and they potentially got it wrong 80% of the time in what they consider "successful" guesses. Holy moly, I wish I could get evaluated by their low standards.
We call them "weathermen" here in The States. 😉
 
No. It does not mean they are in your house. The exploit wasn't reading the eye motions of the outward facing screen on the headset. The exploit was reading the eye motions of the avatar that VisionOS creates for you when you are communicating virtually with other people. So if you were video conferencing with someone using your avatar the people on the other end of the call could figure out what you were typing.
Which means that it is someone you know well enough to get into a virtual conference call with. That cuts down the exposure surface by quite a lot.
 
Ridiculous = unfamiliar.

People said the same about AirPods when they launched; go back to the 1970s and people thought people wearing headphones in public looked ridiculous. Go back even further and how do you think the first cyclists looked, or even people using umbrellas or wearing glasses?
AirPods and umbrellas don’t cost half a kidney.

This isn’t nearly the same and these people will always look silly.
 
Sorry, I went to the Wired story just to make sure I wasn't reading this wrong.

Getting 1 in 5 guessed passwords right 77% of the time means they had a really low success rate. It means that 23% of the time they couldn't even get the password at all, and they potentially got it wrong 80% of the time in what they consider "successful" guesses. Holy moly, I wish I could get evaluated by their low standards.

How many times are you going to drive your car if you have a 77% chance of crashing within 5 trips? Still think it's a low number? For passwords, that is an exceptionally high success rate vs brute force (like trillions of times better. Just a 7 character password has 26 trillion possibilities if all special characters and caps are in play). No company could let that vulnerability stand, it's about as serious as they come.

Only saving grace is you have to be on a call with them and enter a password while on that call. Don't do your personal banking while in a meeting is probably good advice in general.
 
How many times are you going to drive your car if you have a 77% chance of crashing within 5 trips? Still think it's a low number? For passwords, that is an exceptionally high success rate vs brute force (like trillions of times better. Just a 7 character password has 26 trillion possibilities if all special characters and caps are in play). No company could let that vulnerability stand, it's about as serious as they come.

Only saving grace is you have to be on a call with them and enter a password while on that call. Don't do your personal banking while in a meeting is probably good advice in general.
Yeah, I still think it is a low number, considering the scenario required and that most decent security is set to delay or lock out after a few failed attempts. Sure it is a hole that I'm happy Apple fixed, but this exploit involves you having to join a FaceTime call, and then start ignoring the people you are in a call with to log into something else. The lesson being, don't join FaceTime calls with people you don't trust and then ignore them to do important things? I guess there could be a larger risk in those huge group AVP meetings when you have to log into something else and your company never allows you to take your headset off.

This might be a major exploit in a dystopic world where everyone wears their headset for everything and just lives in that metaverse leaving it on to converse with strangers while they do their online banking, but is more of an academic exercise at this point. Great that they are testing exceptional circumstances, though.
 