
SecurityWeek

IoT Security

Spatial Computing Hack Exploits Apple Vision Pro Flaw to Fill Room With Spiders, Bats

A recently patched Vision Pro vulnerability was classified by Apple as a DoS issue, but a researcher has shown that it’s ‘scary’.

Apple Vision Pro vulnerability

A recently patched Vision Pro vulnerability has been classified by Apple as a denial-of-service (DoS) issue, but the researcher who found it has demonstrated that it’s actually a “scary” bug.

Apple recently announced the release of version 1.2 of visionOS, the operating system powering its Vision Pro mixed reality headset.

The update addresses several vulnerabilities, but one stands out because it seems to be the first flaw — or at least among the first — that is specific to this product, and it may also be what the reporting researcher has described as the “first ever spatial computing hack”.

Tracked as CVE-2024-27812, the vulnerability is related to the processing of specially crafted web content and, according to Apple, it can lead to a DoS condition. 

However, in a blog post published on Friday, Ryan Pickren, the researcher who discovered the vulnerability and reported it to Apple, showed that the impact is much more significant. 

The Vision Pro is designed to prevent unauthorized applications from running and entering the user’s personal space.

“By default, native apps are restricted to a ‘Shared Space’ context, where they act predictably and can be easily closed,” the researcher explained. “If an app wants a more immersive experience, they must receive explicit permission from the user via an OS-level prompt that places them in a trusted ‘Full Space’ context.”

In addition, websites visited by the user in Safari via the Vision Pro headset can only spawn 3D objects in the room if they are manually granted permission by the user. 


However, Pickren found that Apple did not apply the same protection to ARKit Quick Look, a feature introduced for iOS several years ago that lets Safari open a 3D model file in augmented reality. The feature is still present in WebKit on visionOS, and it does not require any permission in Safari.

The researcher showed that an attacker could abuse this feature to spawn any type of 3D object, including animated objects and objects that produce sound, simply by getting the targeted user to visit a malicious website.
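The markup involved, as an added example that is not from the article or from Pickren's write-up: Apple's documented way for a web page to hand a model file to AR Quick Look is an anchor with rel="ar" whose href points at a USDZ (or .reality) file, wrapping an image. The JavaScript below scans HTML for those anchors so a link checker or content filter can flag pages that would open Quick Look. The sample page is constructed; treating a bare link to a model file as a trigger is an assumption of the scanner, and nothing here reproduces the researcher's technique for getting the models to appear.

```javascript
// Added example, not code from the SecurityWeek article or from Pickren's
// write-up: a scanner that flags the anchors through which Safari hands a 3D
// model to AR Quick Look. Apple's documented trigger is <a rel="ar" href="model.usdz">
// wrapping an <img>; USDZ and .reality are the model formats Quick Look accepts.
// Treating a bare link to a model file as a trigger too is an assumption made here
// for a conservative scan, not something the article states.

const AR_MODEL_EXTENSIONS = [".usdz", ".reality"];

// Parse the attribute list of one start tag into an object with lower-cased keys.
// Handles double-quoted, single-quoted, unquoted and bare (valueless) attributes.
function parseAttributes(tagBody) {
  const attrs = {};
  const attrRe = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = attrRe.exec(tagBody)) !== null) {
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Strip query string and fragment, then check the path's extension.
function isModelFile(href) {
  const path = href.split(/[?#]/, 1)[0].toLowerCase();
  return AR_MODEL_EXTENSIONS.some((ext) => path.endsWith(ext));
}

// Return one finding per anchor that would open AR Quick Look: any anchor with
// "ar" among its rel tokens, plus (by assumption) any direct link to a model file.
function findArQuickLookLinks(html) {
  const findings = [];
  const anchorRe = /<a\b([^>]*)>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    const relTokens = (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
    const href = attrs.href || "";
    const relAr = relTokens.includes("ar");
    const modelFile = isModelFile(href);
    if (relAr || modelFile) {
      findings.push({ href, relAr, modelFile });
    }
  }
  return findings;
}

// Constructed sample page: two documented AR Quick Look triggers, one bare model
// link, and two ordinary links that must not be flagged.
const SAMPLE_HTML = `
<html><body>
<a rel="ar" href="/models/spider.usdz"><img src="/thumbs/spider.png"></a>
<a href="https://example.com/about">About us</a>
<a REL='noopener ar' HREF="/models/bat.reality?v=2"><img src="bat.png"></a>
<a href="/downloads/report.pdf" download>Report</a>
<a href=/models/swarm.usdz>Grab the model</a>
</body></html>
`;

console.log(findArQuickLookLinks(SAMPLE_HTML));
```

The scan is deliberately coarse (a regex over start tags rather than a full HTML parser), which is fine for a triage pass but will miss anchors built at runtime by script; a production filter should run the same check against the rendered DOM.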

Pickren demonstrated his findings by generating a scary scenario, where hundreds of moving spiders and screeching bats are spawned in the room.

“To make things even freakier — since these animated files are being handled by a separate application (Quick Look) — closing Safari does not get rid of them,” the researcher said. “And because visionOS does not have a Dock or any other Open Apps UI, there is no obvious way to get rid of them besides manually running around the room to physically tap each one.”

The researcher said he was surprised that Apple classified the issue as a DoS bug rather than assessing it based on its full impact. Apple paid a bug bounty for the findings, but the amount has not been disclosed.

Pickren has previously earned significant bug bounties from Apple, and was recently part of a research team that developed proof-of-concept malware targeting modern industrial control systems (ICS).

Related: Apple Releases First-Ever Security Updates for Beats, AirPods Headphones

Related: Apple Patches Vision Pro Vulnerability as CISA Warns of iOS Flaw Exploitation

Related: Apple Patches Keystroke Injection Vulnerability in Magic Keyboard

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
