EyeSpy attack on Meta Quest & Varjo VR steals gaze via render side-channel

Researchers infer eye positions with 1-4 degree accuracy using only GPU frame times

Deep Dive

A new security vulnerability dubbed EyeSpy reveals how virtual reality headsets can leak sensitive eye-tracking data without directly accessing eye-tracking APIs. The attack, detailed in a paper accepted to the 47th IEEE Symposium on Security and Privacy (S&P 2026), targets dynamic foveated rendering (DFR) — a technique that reduces GPU workload by rendering only the area where the user is looking (the fovea) at high detail, while peripheral areas are rendered at lower quality. EyeSpy exploits the fact that objects in the fovea incur higher GPU workload, creating a measurable side channel in rendering metrics like frame rate or frame time.

The attack works by placing imperceptible high-cost objects (HCOs) that sweep across the user's field of view. By correlating dips in GPU performance (when an HCO overlaps with the fovea) with the known positions of those HCOs, attackers can reconstruct the user's gaze coordinates purely from game engine telemetry. The researchers tested EyeSpy on Meta Quest Pro, Varjo XR-4, and a desktop VR setup, achieving mean gaze prediction errors of 1.1–4.4 degrees — comparable to the accuracy of commercial eye trackers themselves. The attack generalizes across hardware platforms, game engines (Unity, Unreal), and foveated rendering pipelines. As a countermeasure, the team developed detector models (supervised and unsupervised) that reliably identify the attack with an F1 score of 0.99 over short observation windows. The work highlights a fundamental privacy risk in current DFR systems and suggests that hardware-level obfuscation or timing noise may be needed as future mitigations.
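As an added illustration (not code from the paper or its authors), the following Python toy models the telemetry signature described above and applies a simple unsupervised heuristic to it: bursts of elevated frame time that recur with a stable period are treated as a possible HCO sweep over the fovea. All constants, the deterministic pseudo-noise and the sweep geometry are constructed assumptions, and the paper's own detectors are separate ML models unrelated to this snippet.

```python
import math
import statistics

# Constructed toy model of the DFR side channel; the numbers are illustrative
# assumptions, not measurements from the paper.
BASE_MS = 11.0       # assumed baseline GPU frame time in milliseconds
HCO_COST_MS = 3.0    # assumed extra cost while an HCO overlaps the fovea
FOVEA_DEG = 5.0      # assumed fovea radius in degrees
FOV_DEG = 90.0       # assumed horizontal field of view in degrees
SWEEP_DEG = 2.0      # assumed HCO sweep speed in degrees per frame

def simulate_frame_times(gaze_x, n_frames, attacked):
    """Per-frame GPU time with deterministic pseudo-noise (reproducible on purpose).
    When attacked, one HCO sweeps horizontally across the FOV; frames in which it
    falls inside the fovea cost HCO_COST_MS more, which is the leak EyeSpy measures."""
    trace = []
    for i in range(n_frames):
        ms = BASE_MS + 0.2 * math.sin(0.7 * i)
        if attacked and abs((i * SWEEP_DEG) % FOV_DEG - gaze_x) <= FOVEA_DEG:
            ms += HCO_COST_MS
        trace.append(ms)
    return trace

def spike_runs(trace, k=4.0):
    """Start index of each run of consecutive frames above median + k * MAD
    (a robust outlier threshold that is not dragged up by the spikes themselves)."""
    med = statistics.median(trace)
    mad = statistics.median(abs(x - med) for x in trace)
    hot = [x - med > k * mad for x in trace]
    return [i for i, h in enumerate(hot) if h and (i == 0 or not hot[i - 1])]

def detect_sweep(trace, min_runs=3, tolerance=0.1):
    """Unsupervised heuristic: flag a window if bursts of elevated frame time
    recur with a stable period, the signature of an HCO repeatedly crossing
    the fovea. Returns (flagged, estimated_period_in_frames)."""
    starts = spike_runs(trace)
    if len(starts) < min_runs:
        return False, None
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    period = statistics.median(gaps)
    if all(abs(g - period) <= tolerance * period for g in gaps):
        return True, period
    return False, None

if __name__ == "__main__":
    print(detect_sweep(simulate_frame_times(40.0, 450, attacked=True)))   # (True, 45)
    print(detect_sweep(simulate_frame_times(40.0, 450, attacked=False)))  # (False, None)
```

With the assumed geometry the HCO enters the fovea once every 45 frames, so the attacked trace shows ten evenly spaced bursts, while the benign trace never crosses the robust threshold.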

Key Points
  • Attack uses imperceptible high-cost objects (HCOs) swept across FOV to create measurable GPU workload variations
  • Achieves a mean gaze prediction error of 1.1–4.4 degrees on Meta Quest Pro, Varjo XR-4, and desktop VR — rivaling actual eye trackers
  • Defense detectors achieve 0.99 F1 score in identifying the attack, but existing permission-based protections are insufficient

Why It Matters

Any VR headset with foveated rendering could leak where you look — exposing passwords, private data, or attention patterns without explicit permissions.