April 2, 2024 | Cameron Brown
Introduction
On June 5th, 2023, at Apple’s Worldwide Developers Conference (WWDC23), Apple announced their newest venture into the extended reality (XR) world with the Apple Vision Pro, a new virtual reality headset designed to “[blend] digital content and apps into your physical space.”
Fast forward nearly a year and Apple’s latest product has hit shelves (released February 2nd, 2024) and is currently taking the world by storm. Although the Vision Pro is not an entirely new idea (Meta Quest 3, Google Glass, Microsoft HoloLens, etc.), Apple has been turning heads due to the innovations brought to the XR field with this release. Mirroring the innovations made with the iPhone in 2007, Apple has done their magic in drawing new eyes to new platforms of technology. Now, more than ever, people are actively talking about and considering an XR world that is fully integrated with technology.
While this prospect is exciting, it can also be potentially haunting for many. Seeing videos of Vision Pro users walking the streets, in the office or even driving while using the headset has been interesting, to say the least. It seems, with each new advancement in technology, our society starts to mirror that of a science fiction movie. And of course, like every good sci-fi movie, today’s society has its handful of hackers: hackers with the determination and skills to leverage any form of technology to their advantage. With the release of the Apple Vision Pro, these hackers have gained a new and exciting avenue to potentially carry out attacks against innocent users of the device. As if the threat of a dystopian future wasn’t enough, huh?
Threats in Pre-Existing VR Solutions
The threat that hackers present to the VR platform is not new. As previously stated, the Apple Vision Pro is not an altogether original idea. Because of this, it’s worth looking into the threats and attacks that have targeted products that existed prior to the Vision Pro. Looking back, it seems that the biggest threat to users in the past has not been the products themselves but rather the applications that users choose to run on these products. Not only can these applications have vulnerabilities themselves, but these vulnerabilities may leverage permissions the application has on the device to further the attack.
For instance, in 2022, a research paper by Peter Casey and Ibrahim Baggili was released which showed a valid attack vector for installing malware on users’ PCs by leveraging vulnerabilities found in the VR application Bigscreen. This application had several vulnerabilities, of which cross-site scripting, remote code execution (RCE) and phishing are some highlights. An attacker could even directly view a user’s screen by exploiting this app. Probably the most amazing portion of this report is the fact that other Bigscreen users could be added to a botnet in which their device is used to spread malware to other users. While the more technical portions of the report are out of scope for this blog post, I highly recommend reviewing this report to better understand the importance of security in any SDLC (including VR development).
A vulnerability in which the actual device was used against users is outlined in another research paper by Peter Casey and Ibrahim Baggili. This paper outlines three relatively similar yet interesting attacks which the authors refer to as “Chaperone”, “Disorientation” and “Human Joystick” attacks. The Chaperone attack involves modifying a user’s configuration settings related to the boundaries of their virtual playing area. Modifying these values allows an attacker to change a user’s virtual boundaries, which are used to track the user’s physical environment to avoid collisions while playing. By changing these values, an attacker may change the size of the user’s playing space or even remove boundaries altogether. This may lead to collisions or injury to the user currently playing. Next, the Disorientation attack is like the Chaperone attack but is instead focused on modifying a user’s rotation and location in the play space. By changing a user’s yaw (the direction the user is facing) and translation (the user’s lateral position) settings, this attack may induce VR sickness within a user. Intentionally and aggressively adjusting a user’s rotation in a VR space can cause a seasick-like reaction in users, which has been documented since VR’s release. Finally, the Human Joystick attack presented by Casey and Baggili involves combining both Chaperone and Disorientation attacks to manipulate a user’s physical position. By removing a user’s boundaries (Chaperone attack) and slowly adjusting a user’s rotation/position (Disorientation attack) it becomes possible to manipulate a user into changing their physical position via VR. These three attacks provide an interesting insight into how the actual VR device could be used to attack users. It’s highly recommended that this paper is read since it includes many other attack vectors of interest that are outside the scope of this post.
There are two final research papers that are worth viewing which relate to VR vulnerabilities. These papers are quite complex and far exceed the scope of this post. The first paper, by Yicheng Zhang, Carter Slocum, Jiasi Chen, and Nael Abu-Ghazaleh, covers side-channel attacks on VR/AR systems. This shows a potential attack vector which uses a malicious background application to track a user’s hand motions in VR/AR. These hand motions are then processed by AI to determine what the user had done or typed in VR/AR. The second paper covers research led by Yingying Chen which shows how a VR device’s microphone and motion sensors may be used to determine information about a user. This is done by using a malicious application to collect and analyze information from a user’s VR headset. Once again, both these papers are extraordinary and offer insight into how application permissions may be used to attack a VR/AR user. Moving on, however, it’s time to analyze what this means for the Apple Vision Pro. To do so, we must consider already discovered vulnerabilities in Apple Vision Pro (VisionOS) as well as potential vulnerabilities that may arise in the future.
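Because all three attacks work by changing stored play-space values, a defender can compare each new snapshot of those values against a trusted baseline; the slow Human Joystick case only shows up when drift is measured from the baseline rather than from the previous snapshot. The Python below is an added example, not code from the paper or from any headset vendor. The snapshot layout, field names and thresholds are hypothetical, and it assumes the user has not legitimately recalibrated since the baseline was taken.

```python
import math

# Constructed baseline snapshot. The layout is hypothetical, not a real headset's
# format: boundary polygon (metres), yaw (degrees), translation offset (metres).
SQUARE = [[0, 0], [3, 0], [3, 2], [0, 2]]
BASELINE = {"boundary": SQUARE, "yaw": 0.0, "translation": [0.0, 0.0]}

def area(poly):
    """Shoelace area; 0.0 when the boundary is missing or degenerate."""
    if len(poly) < 3:
        return 0.0
    pairs = zip(poly, poly[1:] + poly[:1])
    return abs(sum(x1 * y2 - x2 * y1 for (x1, y1), (x2, y2) in pairs)) / 2

def yaw_delta(a, b):
    """Smallest angle between two headings, in degrees (handles wrap-around)."""
    return abs((a - b + 180) % 360 - 180)

def check(baseline, snapshots, area_tol=0.05, step_yaw=5.0,
          drift_yaw=15.0, drift_pos=0.5):
    """Return (index, finding) pairs for snapshots that deviate from baseline."""
    findings, base_area, prev = [], area(baseline["boundary"]), baseline
    for i, snap in enumerate(snapshots):
        a = area(snap.get("boundary") or [])
        if a == 0.0:                                     # Chaperone: walls removed
            findings.append((i, "boundary_removed"))
        elif abs(a - base_area) / base_area > area_tol:  # Chaperone: resized
            findings.append((i, "boundary_resized"))
        if yaw_delta(snap["yaw"], prev["yaw"]) > step_yaw:  # Disorientation
            findings.append((i, "yaw_jump"))
        moved = math.dist(snap["translation"], baseline["translation"])
        # Human Joystick: each step is small, so compare against the baseline,
        # not the previous snapshot.
        if yaw_delta(snap["yaw"], baseline["yaw"]) > drift_yaw or moved > drift_pos:
            findings.append((i, "cumulative_drift"))
        prev = snap
    return findings

# Constructed inputs: a slow 2-degree-per-step rotation, then blunt tampering.
SLOW = [{"boundary": SQUARE, "yaw": 2.0 * k, "translation": [0.04 * k, 0.0]}
        for k in range(1, 11)]
BLUNT = [{"boundary": [], "yaw": 0.0, "translation": [0.0, 0.0]},
         {"boundary": [[0, 0], [6, 0], [6, 4], [0, 4]], "yaw": 90.0,
          "translation": [0.0, 0.0]}]

if __name__ == "__main__":
    print(check(BASELINE, SLOW))
    print(check(BASELINE, BLUNT))
```

On the slow sequence no single step exceeds the per-step yaw threshold, so only the cumulative check fires.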
Current Apple Vision Pro Vulnerabilities and Speculation on the Future
Although the Apple Vision Pro has only been out for a few weeks at this point, there already exists a kernel exploit for VisionOS, the operating system in use by the Apple Vision Pro. CVE-2024-23222, published on January 22nd, 2024, is a kernel exploit that has since been discovered and patched by Apple. This CVE is particularly impressive due to its impact and the speed with which it was found. The exploit was discovered prior to the official release of the Apple Vision Pro by an MIT student named Joseph Ravichandran (see his post on X). The finding in question is stated to arise when “processing maliciously crafted web content” which can then lead to arbitrary code execution.
While the details of this finding have not been made public, it’s of high risk as kernel exploits involve accessing “Ring 0” of an operating system which is the highest privilege level in the system. Typically, these types of exploits can be utilized to jailbreak a device which allows a user root access to a system. Once attackers discover a jailbreak for a system, they gain access to a new and simplified pathway of attacking apps. Typically, this speeds up the process required for attackers to find vulnerabilities in applications.
The other interesting and concerning aspect of this CVE is how it is triggered. In its description, the CVE states that the vulnerability can cause arbitrary code execution via the processing of maliciously crafted web content. In this case, it may be possible to induce a user to visit a website with this content and suffer some form of remote exploitation. It’s equally intriguing that this CVE affects nine other products from Apple (eight of them being operating systems). This may indicate that future VisionOS vulnerabilities will be shared with the operating systems of other Apple devices, and vice versa.
Despite the Vision Pro being in its infancy stages, one can also begin to speculate ways in which an attacker may use the Vision Pro for malice. Two notable features I’d like to briefly speculate about are the Apple Vision Pro’s reliance on cameras as well as the Vision Pro’s new form of authorization, Optic ID.
As seen in the past security research done on VR, it is sometimes possible to directly view a feed of the user’s outward facing cameras or even their screen itself. If an attacker manages to access a user’s camera, there is always the possibility that sensitive information is leaked from this. Also, the Vision Pro does not blur a user’s password when typing as seen in this Twitter post, which would cause issues if an attacker could monitor a user’s screen.
The inclusion of Optic ID in the Apple Vision Pro is another interesting attack vector that should be considered. Currently, forms of biometric authentication within iOS applications are occasionally bypassed using Objection. If this same level of bypass is found for Optic ID, it would have a similar impact as with current iOS applications. An attacker with access to a device via passcode would potentially be able to access a user’s banking applications or any other application that uses biometric authentication. Also, an attacker may gain access to data relating to the scan of your iris. While this is not likely to be an issue, it may be one for users who use optical authentication in other portions of their life.
Conclusion
Ultimately, it’s still too early to tell how hackers will leverage the new Apple Vision Pro. Personally, I believe that some of the VR/AR related vulnerabilities discussed in the previous section could easily apply to the Vision Pro. These vulnerabilities rely heavily on applications and the permissions they are allowed by devices. That is why it is extremely important to lock down your applications to avoid being used as an avenue for attack. Security reviews in every part of an SDLC, regardless of what is being developed, will hopefully prevent this in its entirety. Even if this is done, however, attackers are constantly improving and only time will tell what they will manage to do using the XR platform.