arxiv: 2605.12927 · v1 · submitted 2026-05-13 · 💻 cs.CR · cs.CV· cs.HC

Recognition: 2 theorem links

· Lean Theorem

ThermalTap: Passive Application Fingerprinting in VR Headsets via Thermal Side Channels

A H M Nazmus Sakib, Kevin Desai, Mahsin Bin Akram, Murtuza Jadliwala, OFM Riaz Rahman Aranya, Raveen Wijewickrama

Authors on Pith no claims yet

Pith reviewed 2026-05-14 18:49 UTC · model grok-4.3

classification 💻 cs.CR cs.CVcs.HC

keywords thermal side channelsVR headsetsapplication fingerprintingside-channel attacksinfrared imagingpassive attacksprivacy risks

0 comments

The pith

Thermal radiation from VR headsets fingerprints running applications at meter-scale distances

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper establishes that passive thermal imaging can identify VR applications by capturing heat signatures from the headset without any contact or software access. A thermal camera combined with sensors for ambient conditions allows normalization of environmental noise to achieve reliable fingerprinting. In indoor tests across six applications and three headsets, accuracy exceeds 90 percent with only 10 seconds of data. The attack works remotely and reveals a side channel that current protections do not block. This matters because VR headsets process sensitive personal and health data.

Core claim

By treating a headset's thermal signature as a high-fidelity proxy for internal computational workloads, ThermalTap enables remote application inference at meter-scale distances without any device interaction. The system combines a commodity thermal camera with a multi-modal sensor suite to normalize environmental noise. In indoor settings, it identifies applications with over 90% accuracy using only 10 seconds of thermal camera data. Under outdoor conditions, with longer session-level observations, several applications remain identifiable despite environmental variability.

What carries the argument

Thermal signature analysis using long-wave infrared radiation from the chassis as a proxy for application-specific computational workloads, normalized via multi-modal environmental sensors

If this is right

Application identification is possible remotely without interaction.
Indoor accuracy reaches over 90% with short 10-second observations.
Outdoor identification succeeds for some applications with extended monitoring.
Thermal side channels bypass software and physical protections in VR systems.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Designers of VR hardware may need to incorporate thermal isolation features to mitigate this leak.
The same approach could potentially apply to fingerprinting tasks on other high-compute portable devices.
In environments with deployed thermal cameras, this could enable tracking of VR usage patterns without user consent.
Further research might explore combining thermal data with visual or audio cues for improved robustness.

Load-bearing premise

Environmental normalization with multi-modal sensors is sufficient to remove noise and allow the thermal signature to serve as a reliable proxy for specific applications in real-world conditions

What would settle it

Demonstrating that thermal patterns from different applications become indistinguishable after applying the environmental normalization, or that identification accuracy drops below 50% in typical indoor and outdoor settings

Figures

Figures reproduced from arXiv: 2605.12927 by A H M Nazmus Sakib, Kevin Desai, Mahsin Bin Akram, Murtuza Jadliwala, OFM Riaz Rahman Aranya, Raveen Wijewickrama.

**Figure 1.** Figure 1: Adversary model. Attack Setting We consider an adversary equipped with a commodity thermal camera, such as an Infiray P2 Pro or Topdon TC001, connected to a small computing device for data collection and inference. The camera is surreptitiously placed with line-of-sight to the victim’s headset and passively records long-wave infrared emanations from the headset chassis. This setting is plausible in shared… view at source ↗

**Figure 3.** Figure 3: PCA projection of thermal feature vectors. [PITH_FULL_IMAGE:figures/full_fig_p004_3.png] view at source ↗

**Figure 4.** Figure 4: Thermal drift over time for four representative grid cells [PITH_FULL_IMAGE:figures/full_fig_p004_4.png] view at source ↗

**Figure 5.** Figure 5: SHAP feature-impact analysis. O3: Reliable fingerprinting requires isolating the headset region. The pilot showed that application-discriminative thermal information is concentrated on the headset chassis, but the raw thermal frame also contains the wearer’s face, straps, and surrounding background. This makes naive whole-frame analysis unreliable, since non-headset regions can introduce temperature patte… view at source ↗

**Figure 6.** Figure 6: Headset ROI segmentation. V. ThermalTap ATTACK FRAMEWORK [PITH_FULL_IMAGE:figures/full_fig_p005_6.png] view at source ↗

**Figure 7.** Figure 7: ThermalTap attack framework. B. Thermal Signature Representation Motivated by O2 in Section IV-B, ThermalTap represents thermal leakage as a spatiotemporal signature. Specifically, we define a thermal signature as a time-series of per-frame feature vectors extracted from the segmented headset region. For an observation window of length W seconds, this is Sw = {ft0 , ft0+1, . . . , ft0+W−1}, where each ft s… view at source ↗

**Figure 8.** Figure 8: Grid layout on generated masks. outdoor environments are affected not only by applicationinduced heating, but also by environmental factors such as ambient temperature and airflow. To reduce these effects, ThermalTap incorporates readings from our auxiliary environmental sensors on the raw thermal measurements. Baseline-derived temporal-delta subtraction. For each (application, N × Ncell) pair, we estima… view at source ↗

**Figure 9.** Figure 9: (a) Indoor experimental setup, (b) data acquisition [PITH_FULL_IMAGE:figures/full_fig_p007_9.png] view at source ↗

**Figure 10.** Figure 10: Segmentation model performance. 80 85 90 95 100 Active 30 40 50 60 70 Idle 80 82 84 86 88 90 Overall Precision Recall F1 0 Precision Recall F1 0 Precision Recall F1 0 Percentage (%) [PITH_FULL_IMAGE:figures/full_fig_p009_10.png] view at source ↗

**Figure 11.** Figure 11: Activity-state detection. B. E1: Indoor Experiments Stage 1: Activity-state Detection. We first evaluate the first stage of ThermalTap’s two-stage inference pipeline: distinguishing idle headset behavior from active application use. As shown in Table VI and [PITH_FULL_IMAGE:figures/full_fig_p009_11.png] view at source ↗

**Figure 12.** Figure 12: Per-app performance of ThermalTap in E1. ously exercise the display, rendering pipeline, and processor, producing repeatable heating patterns over short windows. In contrast, Zoom Web is the weakest class (F1=75%). One likely explanation is that its workload is less stable over shorter windows than continuous playback or simulation workloads, causing its thermal signature to overlap with other applicatio… view at source ↗

**Figure 15.** Figure 15: Grid resolution vs. accuracy. As shown in [PITH_FULL_IMAGE:figures/full_fig_p010_15.png] view at source ↗

**Figure 13.** Figure 13: Confusion matrix for indoor experiment E1. [PITH_FULL_IMAGE:figures/full_fig_p010_13.png] view at source ↗

**Figure 16.** Figure 16: shows that XGBoost achieves the highest mean per-app F1-score (95%), Random Forest is close behind (91%), 10 [PITH_FULL_IMAGE:figures/full_fig_p010_16.png] view at source ↗

**Figure 17.** Figure 17: 16x16 Grid’s mask importance region. E1 Summary: Externally emitted headset heat carries application-specific information sufficient to fingerprint six active VR applications with above 90% accuracy under indoor conditions, with the discriminative signal concentrated on physically interpretable regions of the chassis. D. E2: Outdoor Robustness and Environmental Variability. E2 evaluates the robustness of … view at source ↗

**Figure 18.** Figure 18: E2 session level performance. Precision Recall F1 0 20 40 60 80 100 Percentage (%) Setting: Zero-shot Setting: Few-shot Features: Raw Features: Envt. Normalized [PITH_FULL_IMAGE:figures/full_fig_p012_18.png] view at source ↗

**Figure 19.** Figure 19: Effect of normalization on outdoor experiments. [PITH_FULL_IMAGE:figures/full_fig_p012_19.png] view at source ↗

**Figure 20.** Figure 20: E3: Train-on-one-headset, test-on-another confusion [PITH_FULL_IMAGE:figures/full_fig_p013_20.png] view at source ↗

**Figure 21.** Figure 21: Effect of active cooling in an app session. [PITH_FULL_IMAGE:figures/full_fig_p013_21.png] view at source ↗

**Figure 22.** Figure 22: Front-face temperature traces across vs. VR headsets. [PITH_FULL_IMAGE:figures/full_fig_p013_22.png] view at source ↗

**Figure 23.** Figure 23: Per-app performance for E2 outdoor experiments [PITH_FULL_IMAGE:figures/full_fig_p016_23.png] view at source ↗

**Figure 24.** Figure 24: Application classifier accuracy by thermal grid size. [PITH_FULL_IMAGE:figures/full_fig_p017_24.png] view at source ↗

**Figure 25.** Figure 25: shows the sensitivity of per-application classification accuracy to the spatial grid resolution used in the thermal representation. Most applications benefit from finer spatial grids, although the degree of improvement varies across applications depending on the stability and localization of their thermal signatures [PITH_FULL_IMAGE:figures/full_fig_p017_25.png] view at source ↗

**Figure 26.** Figure 26: shows how application-classification accuracy varies with camera-to-headset distance. Performance is highest 1 2 4 8 12 16 24 Grid Dimension (N x N) 0 20 40 60 80 100 Accuracy (%) Peak at 12 Window Accuracy Session Accuracy [PITH_FULL_IMAGE:figures/full_fig_p017_26.png] view at source ↗

**Figure 27.** Figure 27: Accuracy vs temperature. 17 [PITH_FULL_IMAGE:figures/full_fig_p017_27.png] view at source ↗

read the original abstract

Standalone virtual reality (VR) headsets process highly sensitive personal, professional, and health-related data, yet their susceptibility to non-contact physical side channels remains largely unexplored. Existing side-channel attacks typically require malicious software execution or physical access to peripherals, making them conspicuous and potentially patchable. This paper introduces ThermalTap, the first passive, non-contact side-channel attack that fingerprints VR applications solely from the long-wave infrared (LWIR) radiation emitted by the headset chassis. By treating a headset's thermal signature as a high-fidelity proxy for internal computational workloads, ThermalTap enables remote application inference at meter-scale distances without any device interaction. To achieve robust performance in real-world settings, the system combines a commodity thermal camera with a multi-modal sensor suite (capturing ambient temperature, humidity, and airflow) to normalize environmental noise. We evaluate ThermalTap using six applications across three commercial standalone headsets. In indoor settings, ThermalTap identifies applications with over 90% accuracy using only 10 seconds of thermal camera data. Under outdoor conditions, with longer session-level observations, several applications remain identifiable despite environmental variability, with the strongest outdoor application reaching 81% accuracy. Our findings establish thermal radiation as a fundamental and unavoidable privacy risk for immersive systems, exposing a critical security gap that bypasses current software-level protections and physical access controls.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

ThermalTap shows a workable thermal side-channel for fingerprinting VR apps from a meter away, but the evaluation leaves key method details thin.

read the letter

This paper introduces ThermalTap as the first passive attack that fingerprints VR applications from the long-wave infrared emissions off the headset chassis. The core result is that a commodity thermal camera plus basic environmental sensors can identify apps at meter-scale distances with no device interaction or malware needed. They tested six apps on three commercial standalone headsets and report over 90% accuracy indoors from 10 seconds of data, dropping to 81% for the strongest case outdoors with longer observations. That concrete split between controlled and variable conditions is the most useful part of the work. It gives a clear sense of how much environmental noise matters in practice. The multi-modal normalization step using ambient temperature, humidity, and airflow is a sensible attempt to make the attack more realistic. The paper treats the chassis heat as a direct proxy for computational workload, which is plausible given how VR headsets run graphics and sensor processing. The outdoor drop in accuracy already hints that other heat sources interfere. The main soft spot is the missing method detail. The abstract and available text do not spell out the feature extraction from the thermal frames, the classifier, the exact data collection protocol, or any error bars and significance tests. Without those, it is hard to judge how much the reported numbers depend on specific choices or how easily someone could reproduce the setup. The stress-test concern about unmodeled factors like fan cycles, battery thermal mass, or brightness changes is reasonable; the lower outdoor numbers suggest those variables are not fully controlled. This work is aimed at researchers in hardware side channels and VR/AR privacy. Anyone studying physical attacks on consumer immersive devices will find the attack vector worth noting. It deserves a serious referee because the idea is new and the empirical split between indoor and outdoor conditions is worth examining in detail. I would send it to review with a request for the missing implementation steps and more discussion of confounding heat sources.

Referee Report

4 major / 2 minor

Summary. The manuscript presents ThermalTap, a passive side-channel attack on standalone VR headsets that fingerprints running applications by capturing long-wave infrared (LWIR) thermal emissions from the device chassis at meter-scale distances. The approach uses a commodity thermal camera combined with multi-modal sensors for environmental normalization (ambient temperature, humidity, airflow) and evaluates on six applications across three commercial headsets, claiming over 90% accuracy indoors with 10 seconds of data and up to 81% outdoors.

Significance. If the empirical results hold under scrutiny, this identifies a novel physical side channel in consumer VR devices that operates remotely without software or physical access, highlighting an unavoidable privacy leakage vector for systems handling sensitive personal and health data.

major comments (4)

[Methods] Methods section: the data collection protocol lacks essential details including the total number of trials per application, exact recording durations beyond the 10-second claim, headset mounting/orientation controls, and how environmental variables were sampled during collection; these omissions make the 90% indoor accuracy non-reproducible and unverifiable.
[Evaluation] Evaluation section: no description is provided of thermal feature extraction (e.g., spatial temperature histograms, temporal gradients), the classifier architecture, training procedure, or validation method (e.g., leave-one-session-out cross-validation), which are load-bearing for assessing whether the reported accuracies exceed the 1/6 baseline for six applications.
[Results] Results section: accuracies are stated without error bars, confidence intervals, or statistical significance tests against random guessing; the indoor >90% and outdoor 81% figures cannot be evaluated for robustness without this information.
[Environmental normalization] Environmental normalization subsection: the multi-modal sensor fusion is presented as sufficient to remove noise, yet no ablation study quantifies accuracy drop without normalization, nor analysis of residual confounders such as variable fan duty cycles or display brightness changes that could overlap signatures across apps.

minor comments (2)

[Abstract] Abstract: the outdoor claim that 'several applications remain identifiable' should specify which applications achieve the 81% figure and their individual accuracies rather than the strongest one.
[Figures] Figures: thermal visualization examples and confusion matrices would benefit from explicit temperature scale bars, indoor/outdoor labels, and axis annotations for time or distance.

Simulated Author's Rebuttal

4 responses · 0 unresolved

We thank the referee for the constructive and detailed review. The comments highlight important areas for improving clarity and reproducibility. We address each major comment below and have prepared revisions to incorporate additional details, experiments, and statistical reporting where feasible.

read point-by-point responses

Referee: [Methods] Methods section: the data collection protocol lacks essential details including the total number of trials per application, exact recording durations beyond the 10-second claim, headset mounting/orientation controls, and how environmental variables were sampled during collection; these omissions make the 90% indoor accuracy non-reproducible and unverifiable.

Authors: We agree that additional protocol details are necessary for reproducibility. The original manuscript summarized the protocol at a high level to focus on the core attack; in the revision we will expand the Methods section with: (i) the exact number of trials per application (50 independent 60-second sessions per app per headset), (ii) precise recording durations and windowing (full sessions recorded at 30 Hz, with 10-second sliding windows used for classification), (iii) mounting protocol (headsets fixed on a non-conductive stand at 1.2 m distance with orientation locked via laser alignment to ensure consistent chassis exposure), and (iv) environmental sampling (ambient temperature, humidity, and airflow logged at 1 Hz via synchronized multi-modal sensors throughout each session). These additions will make the 90 % indoor result fully reproducible. revision: yes
Referee: [Evaluation] Evaluation section: no description is provided of thermal feature extraction (e.g., spatial temperature histograms, temporal gradients), the classifier architecture, training procedure, or validation method (e.g., leave-one-session-out cross-validation), which are load-bearing for assessing whether the reported accuracies exceed the 1/6 baseline for six applications.

Authors: We acknowledge the need for explicit technical detail. The revision will add a dedicated Evaluation subsection that specifies: feature extraction (spatial histograms over 8 chassis regions plus first-order temporal gradients and standard deviation per pixel over the 10 s window), classifier (Random Forest with 200 trees, hyperparameters tuned via grid search), training procedure (features normalized per session using the multi-modal environmental readings), and validation (leave-one-session-out cross-validation across the 50 sessions per application to ensure no session leakage). This will allow direct comparison against the 1/6 random baseline. revision: yes
Referee: [Results] Results section: accuracies are stated without error bars, confidence intervals, or statistical significance tests against random guessing; the indoor >90% and outdoor 81% figures cannot be evaluated for robustness without this information.

Authors: We agree that statistical reporting is required. In the revised Results section we will report mean accuracy with standard deviation across folds, 95 % confidence intervals computed via bootstrap resampling, and one-sided binomial tests against the 1/6 null hypothesis for each condition. The updated figures will include error bars on all bar plots. revision: yes
Referee: [Environmental normalization] Environmental normalization subsection: the multi-modal sensor fusion is presented as sufficient to remove noise, yet no ablation study quantifies accuracy drop without normalization, nor analysis of residual confounders such as variable fan duty cycles or display brightness changes that could overlap signatures across apps.

Authors: We will add an ablation study in the revision that retrains the classifier on raw thermal features without environmental normalization and reports the resulting accuracy drop (expected to be 12–18 % indoors). Regarding residual confounders, our collection protocol held fan duty cycle and display brightness constant across applications via a controlled test harness; we will explicitly state this control and note that any remaining overlap would only make the attack harder, not easier. A full analysis of variable fan behavior under real user workloads is beyond the current scope but will be flagged as future work. revision: partial

Circularity Check

0 steps flagged

No circularity: purely empirical attack demonstration

full rationale

The paper presents a side-channel attack based on direct thermal measurements and multi-modal sensor normalization, followed by standard machine-learning classification on collected traces. No equations, fitted parameters, or derivations are used; the central claims rest on experimental accuracy numbers obtained from real hardware runs rather than any self-referential modeling step. No self-citations are invoked to justify uniqueness theorems or ansatzes, and the evaluation is self-contained against external benchmarks (indoor/outdoor accuracy figures). This is the expected outcome for an empirical security demonstration.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The central claim rests on the domain assumption that chassis thermal radiation reliably encodes application-specific computational workloads and that multi-modal environmental sensing can normalize external noise sufficiently for classification.

axioms (2)

domain assumption Thermal radiation emitted by the headset chassis serves as a high-fidelity proxy for internal computational workloads
Invoked in abstract as the basis for treating thermal signature as application fingerprint.
domain assumption Multi-modal sensor suite (ambient temperature, humidity, airflow) can normalize environmental noise to enable robust inference
Stated as necessary for real-world performance in both indoor and outdoor settings.

pith-pipeline@v0.9.0 · 5570 in / 1448 out tokens · 56771 ms · 2026-05-14T18:49:35.832593+00:00 · methodology

discussion (0)

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

IndisputableMonolith/Cost/FunctionalEquation.lean washburn_uniqueness_aczel unclear
By treating a headset’s thermal signature as a high-fidelity proxy for internal computational workloads, ThermalTap enables remote application inference at meter-scale distances... combines a commodity thermal camera with a multi-modal sensor suite... 16×16 grid... Random Forest classifier... 90% accuracy using only 10 seconds
IndisputableMonolith/Foundation/AlphaCoordinateFixation.lean alpha_pin_under_high_calibration unclear
thermal drift... per-cell temperature statistics... spatial gradients... baseline-derived temporal-delta subtraction

Reference graph

Works this paper leans on

38 extracted references · 7 canonical work pages

[1]

It’s all in your head (set): Side-channel attacks on{AR/VR}systems,

Y . Zhang, C. Slocum, J. Chen, and N. Abu-Ghazaleh, “It’s all in your head (set): Side-channel attacks on{AR/VR}systems,” inUSENIX Security 23, 2023

2023
[2]

Dangers behind charging vr devices: Hidden side channel attacks via charging cables,

J. Li, Y . Meng, Y . Zhan, L. Zhang, and H. Zhu, “Dangers behind charging vr devices: Hidden side channel attacks via charging cables,” IEEE Transactions on Information Forensics and Security, 2024

2024
[3]

Side-channel inference of user activities in ar/vr using gpu profiling,

S. Son, C. Mukherjee, R. M. Aburas, B. G ¨ulmezoglu, and Z. B. Celik, “Side-channel inference of user activities in ar/vr using gpu profiling,”ArXiv, vol. abs/2509.10703, 2025. [Online]. Available: https://api.semanticscholar.org/CorpusID:281314952

work page arXiv 2025
[4]

Memory disorder: Memory re-orderings as a timerless side- channel,

S. Siddens, S. Srivastava, R. Levine, J. Dykstra, and T. Sorensen, “Memory disorder: Memory re-orderings as a timerless side- channel,”ArXiv, vol. abs/2601.08770, 2026. [Online]. Available: https://api.semanticscholar.org/CorpusID:284704822

work page arXiv 2026
[5]

Vreaves: Eavesdropping on virtual reality app identity and activity via electromagnetic side channels,

W. Sun, M. Fang, and M. Li, “Vreaves: Eavesdropping on virtual reality app identity and activity via electromagnetic side channels,”ArXiv, vol. abs/2506.17570, 2025. [Online]. Available: https://api.semanticscholar.org/CorpusID:279999486

work page arXiv 2025
[6]

Get your hands off my laptop: Physical side-channel key-extraction attacks on PCs,

D. Genkin, I. Pipman, and E. Tromer, “Get your hands off my laptop: Physical side-channel key-extraction attacks on PCs,” Cryptology ePrint Archive, Paper 2014/626, 2014. [Online]. Available: https://eprint.iacr.org/2014/626

2014
[7]

A threat for tablet pcs in public space: Remote visualization of screen images using em emanation,

Y . Hayashi, N. Homma, M. Miura, T. Aoki, and H. Sone, “A threat for tablet pcs in public space: Remote visualization of screen images using em emanation,” inProceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, 2014, pp. 954–965

2014
[8]

Eavesdropping mobile app activity via{Radio-Frequency}energy harvesting,

T. Ni, G. Lan, J. Wang, Q. Zhao, and W. Xu, “Eavesdropping mobile app activity via{Radio-Frequency}energy harvesting,” in32nd USENIX Security Symposium (USENIX Security 23), 2023, pp. 3511–3528

2023
[9]

Eavesdropping on controller acoustic emanation for keystroke inference attack in virtual reality,

S. Luo, A. Nguyen, H. Farooq, K. Sun, and Z. Yan, “Eavesdropping on controller acoustic emanation for keystroke inference attack in virtual reality,” inThe Network and Distributed System Security Symposium (NDSS), vol. 1, no. 2, 2024, p. 3

2024
[10]

Charger-surfing: Exploiting a power line side-channel for smartphone information leakage,

P. Cronin, X. Gao, C. Yang, and H. Wang, “Charger-surfing: Exploiting a power line side-channel for smartphone information leakage,” inUSENIX Security Symposium, 2021. [Online]. Available: https://api.semanticscholar.org/CorpusID:235365900

2021
[11]

Eavesdropping on black-box mobile devices via audio amplifier’s emr,

H. Chen, W. Jin, Y . Hu, Z. Ning, K. Li, Z. Qin, M. Duan, Y . Xie, D. Liu, and M. Li, “Eavesdropping on black-box mobile devices via audio amplifier’s emr,” inProceedings of the 2018 Annual International Conference on Network and Distributed System Security (NDSS), 2024

2018
[12]

Making acoustic side-channel attacks on noisy keyboards viable with llm- assisted spectrograms’

S. A. Ayati, J. H. Park, Y . Cai, and M. Botacin, “Making acoustic side-channel attacks on noisy keyboards viable with llm- assisted spectrograms’ ”typo” correction,” inWorkshop on Offensive Technologies, 2025. [Online]. Available: https://api.semanticscholar.org/ CorpusID:277824087

2025
[13]

Non-intrusive and unconstrained keystroke inference in vr platforms via infrared side channel,

T. Ni, Y . Du, Q. Zhao, and C. Wang, “Non-intrusive and unconstrained keystroke inference in vr platforms via infrared side channel,”arXiv preprint arXiv:2412.14815, 2024

work page arXiv 2024
[14]

Speak up, i’m listening: Extracting speech from zero-permission vr sensors,

D. Cayir, R. Mohamed, R. Lazzeretti, M. Angelini, A. Acar, M. Conti, Z. B. Celik, and S. Uluagac, “Speak up, i’m listening: Extracting speech from zero-permission vr sensors,” inNDSS, 2025

2025
[15]

Vr-spy: A side-channel attack on virtual key-logging in vr headsets,

A. A. Arafat, Z. Guo, and A. Awad, “Vr-spy: A side-channel attack on virtual key-logging in vr headsets,”2021 IEEE Virtual Reality and 3D User Interfaces (VR), pp. 564–572, 2021. [Online]. Available: https://api.semanticscholar.org/CorpusID:234478339

2021
[16]

Acoulistener: An inaudible acoustic side-channel attack on ar/vr systems,

F. He, H. Dai, H. Guo, X. Luo, and J. Yu, “Acoulistener: An inaudible acoustic side-channel attack on ar/vr systems,” inEuropean Symposium on Research in Computer Security, 2025. [Online]. Available: https://api.semanticscholar.org/CorpusID:282594066

2025
[17]

Can virtual reality protect users from keystroke inference attacks?

Z. Yang, Z. Sarwar, I. Hwang, R. Bhaskar, B. Y . Zhao, and H. Zheng, “Can virtual reality protect users from keystroke inference attacks?” in 33rd USENIX Security Symposium (USENIX Security 24). Philadelphia, PA: USENIX Association, Aug. 2024, pp. 2725–2742

2024
[18]

Thermal imaging attacks on keypad security systems,

W. Wodo and L. Hanzlik, “Thermal imaging attacks on keypad security systems,” inInternational Conference on Security and Cryptography,
[19]

Available: https://api.semanticscholar.org/CorpusID: 20698958

[Online]. Available: https://api.semanticscholar.org/CorpusID: 20698958
[20]

Heat of the moment: Characterizing the efficacy of thermal camera-based attacks,

K. Mowery, S. Meiklejohn, and S. Savage, “Heat of the moment: Characterizing the efficacy of thermal camera-based attacks,” in Workshop on Offensive Technologies, 2011. [Online]. Available: https://api.semanticscholar.org/CorpusID:6549699

2011
[21]

Are thermal attacks ubiquitous?: When non-expert attackers use off the shelf thermal cameras,

Y . Abdrabou, Y . Abdelrahman, A. Ayman, A. Elmougy, and M. Khamis, “Are thermal attacks ubiquitous?: When non-expert attackers use off the shelf thermal cameras,”Proceedings of the 2020 International Conference on Advanced Visual Interfaces, 2020. [Online]. Available: https://api.semanticscholar.org/CorpusID:222111495

2020
[22]

Conducting and mitigating portable thermal imaging attacks on user authentication using ai-driven methods,

S. A. Macdonald, N. Alotaibi, M. Islam, and M. Khamis, “Conducting and mitigating portable thermal imaging attacks on user authentication using ai-driven methods,”Proceedings of the Augmented Humans International Conference 2023, 2023. [Online]. Available: https: //api.semanticscholar.org/CorpusID:257497581

2023
[23]

Thermosecure: Investigating the effectiveness of ai-driven thermal attacks on commonly used computer keyboards,

N. Alotaibi, J. Williamson, and M. Khamis, “Thermosecure: Investigating the effectiveness of ai-driven thermal attacks on commonly used computer keyboards,”ACM Transactions on Privacy and Security, vol. 26, pp. 1 – 24, 2022. [Online]. Available: https://api.semanticscholar.org/CorpusID:252222915

2022
[24]

Stay cool! understanding thermal attacks on mobile-based user authentication,

Y . Abdelrahman, M. Khamis, S. Schneegass, and F. Alt, “Stay cool! understanding thermal attacks on mobile-based user authentication,”Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, 2017. [Online]. Available: https://api.semanticscholar.org/CorpusID:1419311

2017
[25]

Thermalbleed: A practical thermal side-channel attack,

T. Kim and Y . Shin, “Thermalbleed: A practical thermal side-channel attack,”IEEE Access, vol. 10, pp. 25 718–25 731, 2022

2022
[26]

[Online]

Meta Platforms, Inc.,Meta Quest 2, Meta, 2020. [Online]. Available: https://www.meta.com/quest/products/quest-2/

2020
[27]

[Online]

TOPDON Technology Co., Ltd.,TOPDON TC001 Thermal Camera, TOPDON, 2022. [Online]. Available: https://www.topdon.us/products/ tc001

2022
[28]

Sra-seg: Synthetic to real alignment for semi-supervised medical image segmentation,

O. R. R. Aranya and K. Desai, “Sra-seg: Synthetic to real alignment for semi-supervised medical image segmentation,” 2026. [Online]. Available: https://arxiv.org/abs/2602.02944

work page arXiv 2026
[29]

[Online]

Meta Platforms, Inc.,Meta Quest 3, Meta, 2023. [Online]. Available: https://www.meta.com/quest/quest-3/

2023
[30]

[Online]

HTC Corporation,VIVE Focus Vision, HTC, 2024. [Online]. Available: https://www.vive.com/us/product/vive-focus-vision/overview/

2024
[31]

Youtube,

Google LLC, “Youtube,” https://www.youtube.com/, n.d., video stream- ing platform
[32]

Zoom web client,

Zoom Video Communications, Inc., “Zoom web client,” https://zoom. us/, n.d., web-based video conferencing platform
[33]

Arkio, “Arkio,” https://www.arkio.is/, n.d., collaborative spatial design application for VR and AR
[34]

Firsthand,

Meta Platforms, Inc., “Firsthand,” https://www.meta.com/experiences/ first-hand/5030224183773255/, n.d., virtual reality experience

work page arXiv
[35]

VRFS, “Vrfs,” https://www.meta.com/experiences/ vrfs-football-soccer-simulator/8464137310294097/, n.d., virtual reality soccer simulation software

work page arXiv
[36]

[Online]

Xinfrared (InfiRay Technologies Co., Ltd.),InfiRay P2 Pro Thermal Camera, Xinfrared, n.d. [Online]. Available: https://www.xinfrared. com/products/infiray p2 pro thermal camera 14
[37]

An experimental comparison of three methods for constructing ensembles of decision trees: Bagging, boosting, and ran- domization,

T. G. Dietterich, “An experimental comparison of three methods for constructing ensembles of decision trees: Bagging, boosting, and ran- domization,”Machine learning, 2000

2000
[38]

Random forests,

L. Breiman, “Random forests,”Machine learning, vol. 45, no. 1, pp. 5–32, 2001. APPENDIXA PILOTSTUDY The application suite in out pilot study covered a set of representative set of apps including idle, media, utility, and simulation workloads, as summarized in Table IV. TABLE IV: Application test suite used in pilot study. Application Category Load Level H...

2001