Security Bite: Is Apple Vision Pro a game changer or a potential privacy nightmare?

Apple’s first new flagship product in almost a decade is just around the corner, with pre-orders for Apple Vision Pro beginning next Friday. The company is promising a new spatial computing era, but is the mixed reality (XR) headset a game-changer product or a potential privacy nightmare? Answer: Maybe both…

9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.

This is Security Bite, a weekly security-focused column on 9to5Mac, where each Sunday, Arin Waichulis discusses the latest in data privacy, vulnerabilities, and emerging threats around Apple’s over 2 billion active device ecosystem.

Apple isn’t new to spatial computing. For years, the company has pioneered augmented reality on smartphones since the introduction of an ARKit in 2017 and later RealityKit in 2019 for creating, rendering, and interacting with 3D objects in physical environments. With some of the first adopters being the wildly popular Pokémon Go and the cosmic mapping app, NightSky.

Apple Vision Pro and its visionOS platform take this to a new level. The headset itself is a technological feat, consisting of an array of sensors used for features like audio ray racing and TrueDepth for real-time 3D mapping, six microphones, eight cameras on the front for passthrough, capturing images and video, head and hand tracking, as well as four cameras on the inside for eye tracking, Optic ID, and EyeSight—more on these below.

To quote Steve Jobs during the original iPhone launch in 2007, “boy have we patented it!” Over 5,000 patents were issued during the development of Apple Vision Pro.

While sure, Apple claims it’s the era of spatial computing, in other words, bringing together digital and physical worlds. It’s better described as the era of data collection. Mixed reality, a type of spatial computing, has been gaining steam recently, largely thanks to Meta and its Quest lineup. And yeah, Vision Pro will likely launch the category into the stratosphere. But what users may not know is these devices can give up more sensitive data than they realize.

For example, distance from the ground measured by depth sensors can determine a user’s height. The sound of a passing train could help point to a physical location. A user’s head moments can be used to determine emotional and neurological states. Data collected on the user’s eyes is arguably the most concerning. Not only could this lead to targeted advertising and behavioral profiling, but it could also reveal sensitive health information. It’s not uncommon for eye doctors to help diagnose patients for ailments simply by looking at their eyes.

Apple’s three leading security and privacy claims:

Optic ID: Apple Vision Pro uses four eye-tracking cameras and a set of invisible wavelength LEDs to scan the uniqueness of a user’s iris. Vision Pro’s Optic ID is used to unlock the device and authorize Apple Pay payments and Password AutoFill. Like Face ID data, Apple says Optic ID is encrypted, never leaves the device, and is only accessible by the Secure Enclave processor. This is a separate area on the microchip, apart from the central processor, solely designed to process sensitive data like biometrics. And isolated for good reason!

System-level processing: All camera and sensor data processing happens on Apple Vision Pro without sending sensitive data to servers or the cloud. This reduces the risk of data exposure during transmission and/or storage.

Eye tracking data is private: Gaze direction, eye movements, and pupil dilation, among others, can be more revealing than one may think. These insights can be helpful for malicious actors to determine a person’s thoughts, interests, and reactions. Something most Vision Pro users wouldn’t think about. “Eye input is not shared with Apple, third-party apps, or websites. Only your final selections are transmitted when you tap your fingers together,” Apple explains.

Apple limits developers’ access to sensors and cameras on Vision Pro. However, the potential implications of real-time data collected by third-party applications present concerns about how developers use this data and what it can infer about people. It’s still early, and I’m eager to get my hands on Vision Pro come February 2.

FTC: We use income earning auto affiliate links. More.