Apple recently released an update for visionOS, the operating system powering its Vision Pro mixed reality headset, to address a serious vulnerability that could have allowed malicious actors to exploit the device’s augmented reality (AR) capabilities.
The vulnerability, identified as CVE-2024-27812, was discovered by security researcher Ryan Pickren and reported to Apple in February. The company patched the flaw in a subsequent update released in June.
What Was the Vulnerability?
The vulnerability was found in the way visionOS Safari, the browser used on the Vision Pro, handled specially crafted web content. This allowed malicious websites to bypass security restrictions and forcefully fill a user’s virtual space with arbitrary 3D objects.
The implications were alarming. Pickren demonstrated that it was possible to fill a user’s room with hundreds of animated spiders or bats, a scenario that could cause significant distress.
How Did the Hack Work?
The vulnerability exploited an oversight in Apple’s implementation of ARKit Quick Look on the Vision Pro. This feature allows users to view 3D objects in their environment through a web browser. However, unlike other AR experiences on the device, Quick Look did not require explicit user permission to display 3D objects.
A malicious website could use this to automatically spawn 3D objects in a user’s virtual space without their knowledge or consent. The objects would persist even after the user closed the browser, creating a potentially disruptive and unsettling experience.
Apple’s Response
Apple has since addressed the vulnerability in visionOS version 1.2. The company’s official documentation acknowledges the flaw, noting that it could have allowed a malicious application to bypass privacy preferences.
The company has urged Vision Pro users to update their devices to the latest version to ensure they are protected.
Implications for AR and VR Security
The Vision Pro vulnerability highlights the unique security challenges posed by augmented and virtual reality technologies. As these technologies become more sophisticated and immersive, ensuring the safety and security of users becomes increasingly important.
This incident underscores the need for robust security measures and continuous vigilance in the development of AR and VR applications. It also serves as a reminder for users to be cautious when interacting with web content on these devices.
