pith. sign in

arxiv: 2606.17783 · v1 · pith:U3ZDPWYVnew · submitted 2026-06-16 · 💻 cs.HC

Is It Real? Exploiting Virtual-Physical Discrimination Vulnerability in Mixed Reality

Pith reviewed 2026-06-26 23:11 UTC · model grok-4.3

classification 💻 cs.HC
keywords mixed realityvirtual-physical discriminationsecurity vulnerabilityuser behavior attacksMR headsetsproof-of-concept attacksApple Vision Pro
0
0 comments X

The pith

Mixed reality headsets create a vulnerability where users cannot distinguish virtual objects from physical ones.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Consumer mixed reality headsets can blend virtual content with physical environments so well that users have trouble telling them apart. The paper identifies this as a security vulnerability that can be exploited. Through workshops with experts, a taxonomy of attacks was developed, and four attacks were implemented and tested on Apple Vision Pro with 26 participants in realistic tasks. All attacks changed user behavior with success rates from 85 to 100 percent, including misdirected actions and altered decisions, and users did not suspect adversarial intent even when they noticed odd events.

Core claim

This paper claims that the inability of users to discriminate virtual from physical objects in mixed reality is an exploitable security primitive, as shown by four proof-of-concept attacks that reliably altered user behavior in realistic scenarios without users attributing the changes to attacks.

What carries the argument

The virtual-physical discrimination vulnerability, which makes it difficult for users to identify virtual content as fake during tasks, enabling confusion-based attacks.

Load-bearing premise

Current mixed reality headsets have high enough visual fidelity that users cannot easily tell virtual objects from physical ones in normal use.

What would settle it

An experiment showing that most users can correctly identify and avoid interacting with virtual objects presented as physical in the same tasks used for the attacks.

Figures

Figures reproduced from arXiv: 2606.17783 by Hewu Li, Maria Gorlatova, Xihuan Yao, Xin Yi, Xueyang Wang, Yanming Xiu.

Figure 1
Figure 1. Figure 1: Illustrative scenarios for the four subtypes of virtual-physical confusion attacks. Blue outlines represent physical [PITH_FULL_IMAGE:figures/full_fig_p005_1.png] view at source ↗
Figure 3
Figure 3. Figure 3: Disguised Ad attack on BuildAssist. (a) The 3D ref￾erence model guides block assembly. (b) Three virtual clones of physical blocks (red dashed circles) are injected among real blocks. Grasping a clone triggers a video advertisement [PITH_FULL_IMAGE:figures/full_fig_p006_3.png] view at source ↗
Figure 2
Figure 2. Figure 2: Threat model overview. A compromised MR task [PITH_FULL_IMAGE:figures/full_fig_p006_2.png] view at source ↗
Figure 4
Figure 4. Figure 4: Object Masquerade attack on TidySpace. Top: the user’s MR view showing a to-do list and the manipulated environment. Virtual overlays disguise a trash bin as a flower pot (orange), a file organizer tray as a fruit basket (orange), and a water cup as a pen holder (blue). Bottom: the three target objects shown without overlays. physical boundaries of the underlying object while rewriting its perceived catego… view at source ↗
Figure 6
Figure 6. Figure 6: Phantom Obstacle attack on PathGuide. Left: the user’s MR view showing floor-projected navigation arrows. A-C: three virtual obstacles (Wet-floor caution sign, Folding table, and Stack of shipping boxes) injected along the path, rendered with environment-consistent lighting and occlusion. occlusion against the physical floor and walls. The attack exploits automatic obstacle-avoidance behavior [14]: users t… view at source ↗
Figure 5
Figure 5. Figure 5: Surface Spoof attack on ShopLens. Left column: real-world view of physically identical product pairs. Right column: MR view with attribute-deceptive overlays. (a) Brand logos on T-shirts. (b) Graphic patterns on notebooks. (c) Text slogans on canvas bags. Higher-priced items receive attractive overlays; lower-priced items receive aversive ones. gories, the higher-priced option receives an attractiveness￾en… view at source ↗
Figure 7
Figure 7. Figure 7: Top-down view of the experiment space (8.0 m [PITH_FULL_IMAGE:figures/full_fig_p008_7.png] view at source ↗
Figure 9
Figure 9. Figure 9: Surface Spoof attack on ShopLens. Butterfly chart shows participant purchase decisions across three product cat￾egories. Dark shading indicates overlay-influenced decisions; light shading indicates overlay-independent decisions. the counterfeit “Abibas” version. Notably, many participants acknowledged detecting the virtual nature of the overlays yet still used them as decision criteria (P05: “even a fake p… view at source ↗
Figure 8
Figure 8. Figure 8: Per-participant results for the Disguised Ad and [PITH_FULL_IMAGE:figures/full_fig_p009_8.png] view at source ↗
Figure 10
Figure 10. Figure 10: Phantom Obstacle attack on PathGuide. Walking trajectories for all 26 participants around three virtual ob￾stacles (blue rectangles). Most participants deviated around obstacles despite recognizing them as virtual. Spoof, Phantom Obstacle}, with no within-group differences reaching significance. This grouping does not follow the taxonomy’s Injec￾tion/Overlay axis but instead reflects a disruption-stealth … view at source ↗
Figure 11
Figure 11. Figure 11: Questionnaire results across four attack scenarios. (a) Composite scores for five scales (7-point): IPQ (presence), [PITH_FULL_IMAGE:figures/full_fig_p011_11.png] view at source ↗
read the original abstract

Consumer mixed reality (MR) headsets seamlessly blend virtual content into physical environments with sufficient fidelity that users may be unable to distinguish virtual objects from physical ones. We identify this virtual-physical discrimination vulnerability as an exploitable security primitive. Through speculative design workshops with 12 experts from cybersecurity and MR/HCI, we develop a taxonomy of virtual-physical confusion attacks and implement four proof-of-concept attacks on Apple Vision Pro, evaluating them with 26 participants in realistic MR tasks. All four attacks altered user behavior, with success rates ranging from 85% to 100%, producing misdirected interactions, misjudged object identities, biased purchasing decisions, and altered navigation paths. Notably, the most successful attacks were also the hardest to detect according to participants' subjective ratings. Even participants who recognized virtual content still complied behaviorally, and no participant attributed anomalous events to adversarial causes. We propose platform-level provenance, interaction gating, and user education as countermeasures.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 2 minor

Summary. The paper claims that current consumer MR headsets (e.g., Apple Vision Pro) achieve sufficient visual fidelity to create a 'virtual-physical discrimination vulnerability,' allowing attackers to induce misdirected user behavior. The authors conduct speculative design workshops with 12 experts to produce a taxonomy of virtual-physical confusion attacks, implement four proof-of-concept attacks on commercial hardware, and evaluate them in a study with 26 participants performing realistic tasks. All attacks altered behavior with reported success rates of 85–100%, and participants rarely detected the attacks or attributed them to adversaries. Countermeasures including platform provenance, interaction gating, and education are proposed.

Significance. If the central claim holds after addressing measurement gaps, the work identifies a previously under-explored attack surface at the intersection of MR rendering fidelity and security, with direct relevance to platform design for emerging consumer headsets. The multi-stage methodology (expert workshops plus user evaluation on real hardware) and the observation that even detected attacks still produced compliance are useful contributions that could seed follow-on research in HCI security.

major comments (1)
  1. [§5] §5 (User Study): The evaluation reports only downstream behavioral compliance (85–100% success rates) and post-hoc subjective detection ratings. No forced-choice discrimination task, accuracy metric, or signal-detection analysis is described that would quantify participants' objective ability to distinguish virtual from physical objects under the attack rendering conditions. This measurement is load-bearing for the claim that the attacks succeed because of a discrimination vulnerability rather than task framing, social compliance, or low suspicion.
minor comments (2)
  1. [Abstract, §5] Abstract and §5: No details are provided on statistical methods, power analysis, blinding procedures, or criteria for task selection; these should be added to allow assessment of result robustness.
  2. [§4] §4 (Attacks): The four PoC implementations would benefit from explicit discussion of how rendering parameters were chosen to match the claimed high-fidelity regime and whether any pilot testing confirmed the fidelity assumption.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for their careful review and constructive feedback on the user study. We address the single major comment below.

read point-by-point responses
  1. Referee: [§5] §5 (User Study): The evaluation reports only downstream behavioral compliance (85–100% success rates) and post-hoc subjective detection ratings. No forced-choice discrimination task, accuracy metric, or signal-detection analysis is described that would quantify participants' objective ability to distinguish virtual from physical objects under the attack rendering conditions. This measurement is load-bearing for the claim that the attacks succeed because of a discrimination vulnerability rather than task framing, social compliance, or low suspicion.

    Authors: We acknowledge that the study does not include a forced-choice discrimination task or signal-detection analysis. The evaluation was intentionally designed around realistic MR tasks to measure behavioral compliance as the primary outcome, which directly addresses the security implications of the vulnerability. The manuscript reports that attacks achieved 85–100% success in altering behavior, that subjective detection was low, and—critically—that participants who did recognize virtual content still complied. These results indicate that the observed effects are not explained by task framing or low suspicion alone. An isolated perceptual discrimination task would remove the contextual and motivational factors present in actual use, limiting ecological validity. We therefore maintain that the current measures are sufficient to support the claims and do not plan to add such a task. revision: no

Circularity Check

0 steps flagged

Empirical HCI/security study with no derivations or self-referential predictions

full rationale

The paper reports an empirical study: speculative design workshops with 12 experts, development of a taxonomy, implementation of four PoC attacks on Apple Vision Pro, and evaluation with 26 participants measuring behavioral changes (85-100% success rates) and subjective detection ratings. No equations, fitted parameters, first-principles derivations, or predictions appear anywhere in the manuscript. All claims rest on direct experimental data rather than any reduction to inputs by construction, self-citation chains, or renamed known results. The central vulnerability claim is supported (or not) by the reported user-study outcomes, which are independent measurements.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

This is an empirical HCI/security study with no mathematical modeling. It relies on standard domain assumptions about human perception in immersive environments but introduces no free parameters, new entities, or non-standard axioms.

axioms (1)
  • domain assumption Users of MR headsets interact with blended virtual and physical content in ways that can be influenced by misperceptions of object identity and location.
    This premise underpins the claim that the vulnerability is exploitable; it is invoked in the abstract when describing attack success.

pith-pipeline@v0.9.1-grok · 5704 in / 1349 out tokens · 47025 ms · 2026-06-26T23:11:53.324337+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

64 extracted references · 3 canonical work pages · 1 internal anchor

  1. [1]

    What you experience is what we collect: User experience based fine-grained permissions for everyday augmented reality

    Melvin Abraham, Mark McGill, and Mohamed Khamis. What you experience is what we collect: User experience based fine-grained permissions for everyday augmented reality. InProceedings of the 2024 CHI Conference on Human Factors in Computing Systems, pages 1–24, 2024

  2. [2]

    Implications of xr on privacy, se- curity and behaviour: Insights from experts

    Melvin Abraham, Pejman Saeghe, Mark Mcgill, and Mohamed Khamis. Implications of xr on privacy, se- curity and behaviour: Insights from experts. InNordic Human-Computer Interaction Conference, pages 1–12, 2022

  3. [3]

    Breaking the virtual barrier of exploit chain attacks in xr systems

    Asif Uz Zaman Asif, Meera Sridhar, Indrakshi Ray, and Francisco R Ortega. Breaking the virtual barrier of exploit chain attacks in xr systems. In2024 IEEE Inter- national Symposium on Mixed and Augmented Reality Adjunct (ISMAR-Adjunct), pages 32–34. IEEE, 2024

  4. [4]

    A scoping survey on cross-reality systems.ACM Computing Surveys, 56(4):1– 38, 2023

    Jonas Auda, Uwe Gruenefeld, Sarah Faltaous, Sven Mayer, and Stefan Schneegass. A scoping survey on cross-reality systems.ACM Computing Surveys, 56(4):1– 38, 2023

  5. [5]

    ” i am definitely manipulated, even when i am aware of it

    Kerstin Bongard-Blanchy, Arianna Rossi, Salvador Ri- vas, Sophie Doublet, Vincent Koenig, and Gabriele Lenzini. ” i am definitely manipulated, even when i am aware of it. it’s ridiculous!”-dark patterns from the end-user perspective. InProceedings of the 2021 ACM Designing Interactive Systems Conference, pages 763– 776, 2021

  6. [6]

    Was it real or virtual? con- firming the occurrence and explaining causes of memory source confusion between reality and virtual reality

    Elise Bonnail, Julian Frommel, Eric Lecolinet, Samuel Huron, and Jan Gugenheimer. Was it real or virtual? con- firming the occurrence and explaining causes of memory source confusion between reality and virtual reality. In Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems, pages 1–17, 2024

  7. [7]

    Memory manipulations in extended reality

    Elise Bonnail, Wen-Jie Tseng, Mark McGill, Eric Leco- linet, Samuel Huron, and Jan Gugenheimer. Memory manipulations in extended reality. InProceedings of the 2023 CHI Conference on Human Factors in Computing Systems, pages 1–20, 2023

  8. [8]

    Using thematic anal- ysis in psychology.Qualitative research in psychology, 3(2):77–101, 2006

    Virginia Braun and Victoria Clarke. Using thematic anal- ysis in psychology.Qualitative research in psychology, 3(2):77–101, 2006

  9. [9]

    Sus: a retrospective.Journal of usability studies, 8(2), 2013

    John Brooke. Sus: a retrospective.Journal of usability studies, 8(2), 2013

  10. [10]

    Manipulat- ing immersion: The impact of perceptual incongruence on perceived plausibility in vr

    Larissa Brübach, Mona Röhm, Franziska Westermeier, Marc Erich Latoschik, and Carolin Wienrich. Manipulat- ing immersion: The impact of perceptual incongruence on perceived plausibility in vr. In2024 IEEE Inter- national Symposium on Mixed and Augmented Reality (ISMAR), pages 1078–1086. IEEE, 2024

  11. [11]

    Immersive virtual reality attacks and the human joy- stick.IEEE Transactions on Dependable and Secure Computing, 18(2):550–562, 2019

    Peter Casey, Ibrahim Baggili, and Ananya Yarramreddy. Immersive virtual reality attacks and the human joy- stick.IEEE Transactions on Dependable and Secure Computing, 18(2):550–562, 2019

  12. [12]

    When the user is inside the user interface: An empirical study of {UI} se- curity properties in augmented reality

    Kaiming Cheng, Arkaprabha Bhattacharya, Michelle Lin, Jaewook Lee, Aroosh Kumar, Jeffery F Tian, Ta- dayoshi Kohno, and Franziska Roesner. When the user is inside the user interface: An empirical study of {UI} se- curity properties in augmented reality. In33rd USENIX Security Symposium (USENIX Security 24), pages 2707– 2723, 2024

  13. [13]

    Exploring user reactions and men- tal models towards perceptual manipulation attacks in mixed reality

    Kaiming Cheng, Jeffery F Tian, Tadayoshi Kohno, and Franziska Roesner. Exploring user reactions and men- tal models towards perceptual manipulation attacks in mixed reality. In32nd USENIX Security Symposium (USENIX Security 23), pages 911–928, 2023

  14. [14]

    Avoiding 3d obstacles in mixed reality: does it differ from negotiating real obstacles?Sensors, 20(4):1095, 2020

    Bert Coolen, Peter J Beek, Daphne J Geerse, and Melvyn Roerdink. Avoiding 3d obstacles in mixed reality: does it differ from negotiating real obstacles?Sensors, 20(4):1095, 2020

  15. [15]

    Grounded theory research: Procedures, canons, and evaluative criteria

    Juliet M Corbin and Anselm Strauss. Grounded theory research: Procedures, canons, and evaluative criteria. Qualitative sociology, 13(1):3–21, 1990

  16. [16]

    Perceptual issues in augmented reality

    David Drascic and Paul Milgram. Perceptual issues in augmented reality. InStereoscopic displays and virtual reality systems III, volume 2653, pages 123–134. Spie, 1996

  17. [17]

    Co-speculating on dark scenarios and un- intended consequences of a ubiquitous (ly) augmented reality

    Chloe Eghtebas, Gudrun Klinker, Susanne Boll, and Marion Koelle. Co-speculating on dark scenarios and un- intended consequences of a ubiquitous (ly) augmented reality. InProceedings of the 2023 ACM Designing In- teractive Systems Conference, pages 2392–2407, 2023

  18. [18]

    An aligned rank transform procedure for multifactor contrast tests

    Lisa A Elkin, Matthew Kay, James J Higgins, and Ja- cob O Wobbrock. An aligned rank transform procedure for multifactor contrast tests. InThe 34th annual ACM symposium on user interface software and technology, pages 754–768, 2021

  19. [19]

    Speculative privacy concerns about ar glasses data col- lection.Proceedings on Privacy Enhancing Technolo- gies, 2023

    Andrea Gallardo, Chris Choy, Jaideep Juneja, Efe Bozkir, Camille Cobb, Lujo Bauer, and Lorrie Cranor. Speculative privacy concerns about ar glasses data col- lection.Proceedings on Privacy Enhancing Technolo- gies, 2023

  20. [20]

    Model of illu- sions and virtual reality.Frontiers in psychology, 8:1125, 2017

    Mar Gonzalez-Franco and Jaron Lanier. Model of illu- sions and virtual reality.Frontiers in psychology, 8:1125, 2017. 13

  21. [21]

    Novel challenges of safety, security and privacy in extended reality

    Jan Gugenheimer, Wen-Jie Tseng, Abraham Hani Mhaidli, Jan Ole Rixen, Mark McGill, Michael Nebel- ing, Mohamed Khamis, Florian Schaub, and Sanchari Das. Novel challenges of safety, security and privacy in extended reality. InCHI Conference on Human Factors in Computing Systems Extended Abstracts, pages 1–5, 2022

  22. [22]

    Deceived by immersion: A systematic analysis of deceptive design in extended reality.ACM Computing Surveys, 56(10):1–25, 2024

    Hilda Hadan, Lydia Choong, Leah Zhang-Kennedy, and Lennart E Nacke. Deceived by immersion: A systematic analysis of deceptive design in extended reality.ACM Computing Surveys, 56(10):1–25, 2024

  23. [23]

    Nasa-task load index (nasa-tlx); 20 years later

    Sandra G Hart. Nasa-task load index (nasa-tlx); 20 years later. InProceedings of the human factors and ergonomics society annual meeting, volume 50, pages 904–908. Sage publications Sage CA: Los Angeles, CA, 2006

  24. [24]

    Implementing object tracking in your visionOS app

    Apple Inc. Implementing object tracking in your visionOS app. https://developer. apple.com/documentation/visionos/ implementing-object-tracking-in-your-visionos-app . [Accessed 15-02-2026]

  25. [25]

    Towards indistinguishable augmented re- ality: A survey on optical see-through head-mounted displays.ACM Computing Surveys (CSUR), 54(6):1–36, 2021

    Yuta Itoh, Tobias Langlotz, Jonathan Sutton, and Alexan- der Plopski. Towards indistinguishable augmented re- ality: A survey on optical see-through head-mounted displays.ACM Computing Surveys (CSUR), 54(6):1–36, 2021

  26. [26]

    Assessing user apprehensions about mixed reality artifacts and applications: The mixed real- ity concerns (mrc) questionnaire

    Christopher Katins, Paweł W Wo´ zniak, Aodi Chen, Ihsan Tumay, Luu Viet Trinh Le, John Uschold, and Thomas Kosch. Assessing user apprehensions about mixed reality artifacts and applications: The mixed real- ity concerns (mrc) questionnaire. InProceedings of the 2024 CHI Conference on Human Factors in Computing Systems, pages 1–13, 2024

  27. [27]

    What makes xr dark? examining emerging dark patterns in augmented and virtual real- ity through expert co-design.ACM Transactions on Computer-Human Interaction, 31(3):1–39, 2024

    Veronika Krauß, Pejman Saeghe, Alexander Boden, Mo- hamed Khamis, Mark McGill, Jan Gugenheimer, and Michael Nebeling. What makes xr dark? examining emerging dark patterns in augmented and virtual real- ity through expert co-design.ACM Transactions on Computer-Human Interaction, 31(3):1–39, 2024

  28. [28]

    Per- ceptual issues in augmented reality revisited

    Ernst Kruijff, J Edward Swan, and Steven Feiner. Per- ceptual issues in augmented reality revisited. In2010 IEEE international symposium on mixed and augmented reality, pages 3–12. IEEE, 2010

  29. [29]

    Teach- ing johnny not to fall for phish.ACM Transactions on Internet Technology (TOIT), 10(2):1–31, 2010

    Ponnurangam Kumaraguru, Steve Sheng, Alessandro Acquisti, Lorrie Faith Cranor, and Jason Hong. Teach- ing johnny not to fall for phish.ACM Transactions on Internet Technology (TOIT), 10(2):1–31, 2010

  30. [30]

    The measurement of observer agreement for categorical data.biometrics, pages 159–174, 1977

    J Richard Landis and Gary G Koch. The measurement of observer agreement for categorical data.biometrics, pages 159–174, 1977

  31. [31]

    Securing augmented reality output

    Kiron Lebeck, Kimberly Ruth, Tadayoshi Kohno, and Franziska Roesner. Securing augmented reality output. In2017 IEEE Symposium on Security and Privacy (SP), pages 320–337, 2017

  32. [32]

    Towards security and privacy for multi-user augmented reality: Foundations with end users

    Kiron Lebeck, Kimberly Ruth, Tadayoshi Kohno, and Franziska Roesner. Towards security and privacy for multi-user augmented reality: Foundations with end users. In2018 IEEE Symposium on Security and Pri- vacy (SP), pages 392–408. IEEE, 2018

  33. [33]

    {AdCube}:{WebVR} ad fraud and practical confinement of {Third-Party} ads

    Hyunjoo Lee, Jiyeon Lee, Daejun Kim, Suman Jana, Insik Shin, and Sooel Son. {AdCube}:{WebVR} ad fraud and practical confinement of {Third-Party} ads. In30th USENIX Security Symposium (USENIX Security 21), pages 2543–2560, 2021

  34. [34]

    Reliability and inter-rater reliability in qualitative re- search: Norms and guidelines for cscw and hci practice

    Nora McDonald, Sarita Schoenebeck, and Andrea Forte. Reliability and inter-rater reliability in qualitative re- search: Norms and guidelines for cscw and hci practice. Proceedings of the ACM on human-computer interac- tion, 3(CSCW):1–23, 2019

  35. [35]

    The big brother’s new playground: Unmasking the illusion of privacy in web metaverses from a mali- cious user’s perspective

    Andrea Mengascini, Ryan Aurelio, and Giancarlo Pelle- grino. The big brother’s new playground: Unmasking the illusion of privacy in web metaverses from a mali- cious user’s perspective. InProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communi- cations Security, pages 2162–2176, 2024

  36. [36]

    Abraham Mhaidli, Shwetha Rajaram, Selin Fidan, Gina Herakovic, and Florian Schaub. Shockvertising, mal- ware, and a lack of accountability: exploring consumer risks of virtual reality advertisements and marketing experiences.IEEE Security & Privacy, 22(1):43–52, 2023

  37. [37]

    Identifying manipulative advertising techniques in xr through sce- nario construction

    Abraham Hani Mhaidli and Florian Schaub. Identifying manipulative advertising techniques in xr through sce- nario construction. InProceedings of the 2021 chi con- ference on human factors in computing systems, pages 1–18, 2021

  38. [38]

    Shadowed realities: An investigation of ui attacks in webxr

    Chandrika Mukherjee, Reham Mohamed, Arjun Arunasalam, Habiba Farrukh, and Z Berkay Celik. Shadowed realities: An investigation of ui attacks in webxr. InUSENIX Security Symposium, 2025

  39. [39]

    Toward an ever-present extended real- ity: Distinguishing between real and virtual

    Anton Nijholt. Toward an ever-present extended real- ity: Distinguishing between real and virtual. InAdjunct Proceedings of the 2023 ACM International Joint Con- ference on Pervasive and Ubiquitous Computing & The 2023 ACM International Symposium on Wearable Com- puting, pages 396–399, 2023. 14

  40. [40]

    Making images real again: A comprehensive survey on deep image compo- sition.arXiv preprint arXiv:2106.14490, 2021

    Li Niu, Wenyan Cong, Liu Liu, Yan Hong, Bo Zhang, Jing Liang, and Liqing Zhang. Making images real again: A comprehensive survey on deep image compo- sition.arXiv preprint arXiv:2106.14490, 2021

  41. [41]

    Pedro J Pardo, María Isabel Suero, and Ángel Luis Pérez. Correlation between perception of color, shadows, and surface textures and the realism of a scene in virtual reality.Journal of the Optical Society of America A, 35(4):B130–B135, 2018

  42. [42]

    Using visual cues to prevent memory confusion between the virtual and the real in augmented reality

    Léana Petiot, Hélène Sauzéon, and Pierre Dragicevic. Using visual cues to prevent memory confusion between the virtual and the real in augmented reality. InProceed- ings of the Extended Abstracts of the CHI Conference on Human Factors in Computing Systems, pages 1–7, 2025

  43. [43]

    From redirected navigation to forced attention: Uncov- ering manipulative and deceptive designs in augmented reality through retail shopping

    Martina Ruocco, Pejman Saeghe, Frederic Kerber, Jan Gugenheimer, Mark McGill, and Mohamed Khamis. From redirected navigation to forced attention: Uncov- ering manipulative and deceptive designs in augmented reality through retail shopping. In2024 IEEE Inter- national Symposium on Mixed and Augmented Reality (ISMAR), pages 720–729. IEEE, 2024

  44. [44]

    Secure {Multi-User} content sharing for augmented reality applications

    Kimberly Ruth, Tadayoshi Kohno, and Franziska Roes- ner. Secure {Multi-User} content sharing for augmented reality applications. In28th USENIX Security Sympo- sium (USENIX Security 19), pages 141–158, 2019

  45. [45]

    just stop doing everything for now!

    Maha Sajid, Syed Ibrahim Mustafa Shah Bukhari, Bo Ji, and Brendan David-John. “just stop doing everything for now!”: Understanding security attacks in remote collaborative mixed reality. In2025 IEEE Conference Virtual Reality and 3D User Interfaces (VR), pages 623–

  46. [46]

    SAM 3D Team, Xingyu Chen, Fu-Jen Chu, Pierre Gleize, Kevin J. Liang, Alexander Sax, Hao Tang, Weiyao Wang, Michelle Guo, Thibaut Hardin, Xiang Li, Aohan Lin, Jiawei Liu, Ziqi Ma, Anushka Sagar, Bowen Song, Xiaodong Wang, Jianing Yang, Bowen Zhang, Piotr Dollár, Georgia Gkioxari, Matt Feiszli, and Jitendra Malik. SAM 3D: 3Dfy Anything in Images. arXiv:2511...

  47. [47]

    The experience of presence: Factor analytic insights.Presence: Teleoperators & Virtual Environ- ments, 10(3):266–281, 2001

    Thomas Schubert, Frank Friedmann, and Holger Regen- brecht. The experience of presence: Factor analytic insights.Presence: Teleoperators & Virtual Environ- ments, 10(3):266–281, 2001

  48. [48]

    Principled and automated approach for investigating {AR/VR} attacks

    Muhammad Shoaib, Alex Suh, and Wajih Ul Hassan. Principled and automated approach for investigating {AR/VR} attacks. In34th USENIX Security Sympo- sium (USENIX Security 25), pages 4325–4344, 2025

  49. [49]

    That doesn’t go there: Attacks on shared state in {Multi- User} augmented reality applications

    Carter Slocum, Yicheng Zhang, Erfan Shayegani, Pe- dram Zaree, Nael Abu-Ghazaleh, and Jiasi Chen. That doesn’t go there: Attacks on shared state in {Multi- User} augmented reality applications. In33rd USENIX Security Symposium (USENIX Security 24), pages 2761– 2778, 2024

  50. [50]

    What is mixed reality? InProceedings of the 2019 CHI conference on human factors in computing systems, pages 1–15, 2019

    Maximilian Speicher, Brian D Hall, and Michael Nebel- ing. What is mixed reality? InProceedings of the 2019 CHI conference on human factors in computing systems, pages 1–15, 2019

  51. [51]

    A hybrid approach to thematic analysis in qualitative research: Using a practical example.Sage research methods, 2018

    Jon Swain. A hybrid approach to thematic analysis in qualitative research: Using a practical example.Sage research methods, 2018

  52. [52]

    {SoK}: Come together–unifying security, information theory, and cog- nition for a mixed reality deception attack ontology & analysis framework

    Ali Teymourian, Andrew M Webb, Taha Gharaibeh, Arushi Ghildiyal, and Ibrahim Baggili. {SoK}: Come together–unifying security, information theory, and cog- nition for a mixed reality deception attack ontology & analysis framework. In34th USENIX Security Sympo- sium (USENIX Security 25), pages 1475–1492, 2025

  53. [53]

    From immersion to manipulation: Exploring the prevalence of dark patterns in mixed reality

    Angela Todhri and Pascal Knierim. From immersion to manipulation: Exploring the prevalence of dark patterns in mixed reality. InUSENIX Symposium on Usable Privacy and Security (SOUPS), 2024

  54. [54]

    The dark side of perceptual manipulations in virtual reality

    Wen-Jie Tseng, Elise Bonnail, Mark McGill, Mohamed Khamis, Eric Lecolinet, Samuel Huron, and Jan Gugen- heimer. The dark side of perceptual manipulations in virtual reality. InProceedings of the 2022 CHI con- ference on human factors in computing systems, pages 1–15, 2022

  55. [55]

    A comprehensive survey of ar/mr-based co-design in manufacturing.Engineering with Comput- ers, 36(4):1715–1738, 2020

    Peng Wang, Shusheng Zhang, Mark Billinghurst, Xiao- liang Bai, Weiping He, Shuxia Wang, Mengmeng Sun, and Xu Zhang. A comprehensive survey of ar/mr-based co-design in manufacturing.Engineering with Comput- ers, 36(4):1715–1738, 2020

  56. [56]

    The dark side of augmented reality: Explor- ing manipulative designs in ar.International Journal of Human–Computer Interaction, 40(13):3449–3464, 2024

    Xian Wang, Lik-Hang Lee, Carlos Bermejo Fernandez, and Pan Hui. The dark side of augmented reality: Explor- ing manipulative designs in ar.International Journal of Human–Computer Interaction, 40(13):3449–3464, 2024

  57. [57]

    Exploring plausibil- ity and presence in mixed reality experiences.IEEE Transactions on Visualization and Computer Graphics, 29(5):2680–2689, 2023

    Franziska Westermeier, Larissa Brübach, Marc Erich Latoschik, and Carolin Wienrich. Exploring plausibil- ity and presence in mixed reality experiences.IEEE Transactions on Visualization and Computer Graphics, 29(5):2680–2689, 2023

  58. [58]

    Multiple resources and per- formance prediction.Theoretical issues in ergonomics science, 3(2):159–177, 2002

    Christopher D Wickens. Multiple resources and per- formance prediction.Theoretical issues in ergonomics science, 3(2):159–177, 2002. 15

  59. [59]

    Confusing virtual reality with reality–an experimental study.iScience, 28(6), 2025

    Michael Wiesing, Gemma Comadran, and Mel Slater. Confusing virtual reality with reality–an experimental study.iScience, 28(6), 2025

  60. [60]

    SwitchAR: Perceptual Manipulations in Augmented Re- ality

    Jonas Wombacher, Zhipeng Li, and Jan Gugenheimer. SwitchAR: Perceptual Manipulations in Augmented Re- ality. InProceedings of the 38th Annual ACM Sympo- sium on User Interface Software and Technology, pages 1–17, 2025

  61. [61]

    Detecting visual information manipulation attacks in augmented reality: a multimodal semantic reasoning approach.IEEE Trans- actions on Visualization and Computer Graphics, 2025

    Yanming Xiu and Maria Gorlatova. Detecting visual information manipulation attacks in augmented reality: a multimodal semantic reasoning approach.IEEE Trans- actions on Visualization and Computer Graphics, 2025

  62. [62]

    ViD- DAR: Vision Language Model-Based Task-Detrimental Content Detection for Augmented Reality.IEEE trans- actions on visualization and computer graphics, 2025

    Yanming Xiu, Tim Scargill, and Maria Gorlatova. ViD- DAR: Vision Language Model-Based Task-Detrimental Content Detection for Augmented Reality.IEEE trans- actions on visualization and computer graphics, 2025

  63. [63]

    Inception attacks: Immer- sive hijacking in virtual reality systems.arXiv preprint arXiv:2403.05721, 2024

    Zhuolin Yang, Cathy Yuanchen Li, Arman Bhalla, Ben Y Zhao, and Haitao Zheng. Inception attacks: Immer- sive hijacking in virtual reality systems.arXiv preprint arXiv:2403.05721, 2024

  64. [64]

    [Target group] using MR for [activity] at [time/- place] when an attacker [virtual-physical confusion proce- dure], leading to [harm to user / benefit to attacker]

    Xingyu Zhou. Spatial Game Development for Apple Vision Pro Based on Shared Space. Master’s thesis, Worcester Polytechnic Institute, 2024. A Study 1 Supplementary Materials A.1 Workshop Protocol Pre-workshop preparation.Three to four days before each session, participants received a video on representative MR applications [43] and a document on the MR-user...