Within hours of Apple releasing its much-hyped mixed reality headset, Apple Vision Pro, a security researcher discovered a critical kernel vulnerability in the device’s software, visionOS, which, if exploited, could potentially enable jailbreaks and malware attacks.
Joseph Ravichandran (@0xjprx), a Ph.D. student at the Massachusetts Institute of Technology (MIT) with expertise in microarchitecture security, took to X (formerly Twitter) late Friday night to share his insights into the kernel vulnerability, which is believed to be possibly the first publicly disclosed kernel exploit for visionOS.
When the device crashes it switches to full passthrough and displays a warning to remove the device in 30 seconds so it can reboot. Pretty cool pic.twitter.com/f4KYxSiVsq
— Joseph Ravichandran (@0xjprx) February 3, 2024
In the post, Ravichandran shared a series of pictures highlighting the severity of the uncovered flaw, as well as the headset’s response to an attempted kernel exploit.
When the kernel exploit is run, the Vision Pro crashes, switches to full passthrough view and notifies the wearer to remove the headset within 30 seconds so that it can reboot.
After the restart, the headset shows a panic log indicating a kernel crash. Another picture shared by the security researcher shows a custom application named “Vision Pro Crasher,” which includes a 3D skull wearing a headset and a button labeled “Crash My Vision Pro.”
It is unclear if Ravichandran is planning to submit his discoveries to Apple or if he has already presented them to the company.
If he chooses to report his findings to the Cupertino tech giant, there is a slim chance that they may qualify for Apple’s Security Bounty program.
However, given Apple’s history of quickly addressing security vulnerabilities as well as the premium nature of the Apple Vision Pro launch, it is likely that the company will issue a fix immediately if the issue is disclosed.