Apple recently released an update for visionOS, the operating system powering its Vision Pro mixed reality headset, to address a serious vulnerability that could have allowed malicious actors to exploit the device’s augmented reality (AR) capabilities.
The vulnerability, identified as CVE-2024-27812, was discovered by security researcher Ryan Pickren and reported to Apple in February. The company patched the flaw in a subsequent update released in June.
What Was the Vulnerability?
The vulnerability was found in the way visionOS Safari, the browser used on the Vision Pro, handled specially crafted web content. This allowed malicious websites to bypass security restrictions and forcefully fill a user’s virtual space with arbitrary 3D objects.
The implications were alarming. Pickren demonstrated that it was possible to fill a user’s room with hundreds of animated spiders or bats, a scenario that could cause significant distress.
How Did the Hack Work?
The vulnerability exploited an oversight in Apple’s implementation of ARKit Quick Look on the Vision Pro. This feature allows users to view 3D objects in their environment through a web browser. However, unlike other AR experiences on the device, Quick Look did not require explicit user permission to display 3D objects.
A malicious website could use this to automatically spawn 3D objects in a user’s virtual space without their knowledge or consent. The objects would persist even after the user closed the browser, creating a potentially disruptive and unsettling experience.
Apple’s Response
Apple has since addressed the vulnerability in visionOS version 1.2. The company’s official documentation acknowledges the flaw, noting that it could have allowed a malicious application to bypass privacy preferences.
The company has urged Vision Pro users to update their devices to the latest version to ensure they are protected.
Implications for AR and VR Security
The Vision Pro vulnerability highlights the unique security challenges posed by augmented and virtual reality technologies. As these technologies become more sophisticated and immersive, ensuring the safety and security of users becomes increasingly important.
This incident underscores the need for robust security measures and continuous vigilance in the development of AR and VR applications. It also serves as a reminder for users to be cautious when interacting with web content on these devices.