GAZEploit: Remote Keystroke Inference Attack by Gaze Estimation from Avatar Views in VR/MR Devices
Hanqiu Wang, Zihao Zhan, Haoqi Shan, Siqi Dai, Max Panoff, Shuo Wang

TL;DR
GAZEploit is a novel remote attack exploiting eye-tracking data in VR/MR devices to infer keystrokes, revealing significant security vulnerabilities in current gaze-controlled typing methods.
Contribution
This paper introduces GAZEploit, the first attack leveraging avatar view-based gaze estimation to steal keystrokes remotely in VR/MR environments.
Findings
Achieved over 80% keystroke inference accuracy.
Identified 15+ vulnerable apps in the Apple Store.
Demonstrated practicality of the attack across various scenarios.
Abstract
The advent and growing popularity of Virtual Reality (VR) and Mixed Reality (MR) solutions have revolutionized the way we interact with digital platforms. The cutting-edge gaze-controlled typing methods, now prevalent in high-end models of these devices, e.g., Apple Vision Pro, have not only improved user experience but also mitigated traditional keystroke inference attacks that relied on hand gestures, head movements and acoustic side-channels. However, this advancement has paradoxically given birth to a new, potentially more insidious cyber threat, GAZEploit. In this paper, we unveil GAZEploit, a novel eye-tracking based attack specifically designed to exploit this eye-tracking information by leveraging the common use of virtual appearances in VR applications. This widespread usage significantly enhances the practicality and feasibility of our attack compared to existing methods.…
Taxonomy
Topics: Hand Gesture Recognition Systems · Gaze Tracking and Assistive Technology · EEG and Brain-Computer Interfaces
