Apple Vision Pro: Horror hack unleashes hundreds of spiders on you
A security researcher was able to hack Apple's Vision Pro and flood the physical room with virtual spiders and bats — without the user's permission.
Researcher Ryan Pickren, who specializes in finding vulnerabilities in Apple products, found a security hole in Apple's Vision Pro. This allowed him to remotely flood users' virtual workspaces with hundreds of mixed reality spiders and bats without their permission. But don't worry: Apple has already patched the vulnerability.
In a detailed report, Pickren describes how he was able to exploit the vulnerability. According to the Pickren, the vulnerability was found in Safari for visionOS. He was able to bypass user permissions through a malicious website and fill a room with an arbitrary number of fully animated 3D objects.
"If the victim just views our website in Vision Pro, we can instantly fill their room with hundreds of crawling spiders and screeching bats," Pickren explained. Closing Safari did nothing to stop the virtual spider infestation. The only way to get rid of them was to walk around the room and physically tap each one.
The hack was made possible by an old standard for displaying 3D models on the web, the 2018 Apple AR Kit Quick Look, which worked without an extension and therefore did not require an experimental feature. Since Safari did not provide an authorization model for this standard and users did not have to click on a link, it could be exploited remotely and without user interaction. Full documentation, including an example video, can be found at the end of the article via the link in the source reference.
Vulnerabilities also found in Quest and HTC headsets
Vulnerabilities in VR systems that allow attackers to invade users' privacy have also been discovered in other VR headsets, although the actual risk of being hacked in VR is considered low. A University of Chicago study, for example, found a vulnerability in Meta's Quest operating system.
The researchers injected malicious code into the VR system through an application that created a digital clone of the home environment. Once inside the system, they were able to see, record, and manipulate everything users did with the headset, including speech, gestures, keystrokes, and browser activity.
In 2018, US computer specialists hacked the Oculus Rift and HTC Vive PC VR headsets in a test and stole sensitive user data. They infected a computer with malware to gain access to the poorly protected OpenVR interface.
Note: Links to online stores in articles can be so-called affiliate links. If you buy through this link, MIXED receives a commission from the provider. For you the price does not change.