GAZEploit: Remote keystroke inference attack by gaze estimation in VR/MR devices

Nature of the Attack

  • The attack infers keystrokes from eye and head movements made while typing on the Vision Pro’s virtual keyboard, especially during Persona/FaceTime-style calls where others see a realistic avatar with live eye motion.
  • Some note this is conceptually similar to watching someone’s fingers on a physical keyboard or their eyes over normal video, but the VR setup provides cleaner, more correlated signals.

Mitigation Ideas and Apple’s Fix

  • Many express surprise Apple didn’t initially obfuscate gaze during sensitive input (e.g., passwords).
  • Suggested mitigations:
    • Freeze, blur, darken, or “cloud” the avatar’s eyes while typing.
    • Show closed eyes, sunglasses, or a faint indicator that the face is in a “secure input” mode.
    • Blur the entire screen briefly with a message during password entry.
  • The thread notes that Apple has since patched visionOS so that Personas are not shared while the virtual keyboard is in use.

Debate on Trust, Privacy, and Apple’s Practices

  • Some criticize a recurring pattern: Apple markets privacy, offers opaque security designs, then real vulnerabilities or data issues emerge later.
  • Counterpoints argue that in this specific case Apple did not expose raw eye-tracking data to apps; the leak is via the intentionally gaze-accurate avatar stream.
  • There’s concern that high-fidelity eye tracking could be abused for advertising, health inference, or voyeuristic uses, even if not currently allowed.

Comparison with Other Platforms

  • HoloLens is cited as an example where eye tracking is abstracted: apps get events (“user looked at X”) rather than raw gaze streams.
  • Some see Apple as relatively protective; others call the restrictions paternalistic and limiting for power users.

Practicality and Scope of the Attack

  • Effectiveness depends on users actually using gaze-based typing, being visible in a call, and having a stable avatar view.
  • Touch typists on physical keyboards or users who avoid gaze typing are largely unaffected.
  • Several note the attack is probabilistic and can be degraded by moving the keyboard, using different layouts, or not staring precisely at each key.