The Dark Side of Perceptual Manipulations in Virtual Reality

"Virtual-Physical Perceptual Manipulations" (VPPMs) such as redirected walking and haptics expand the user's capacity to interact with Virtual Reality (VR) beyond what would ordinarily physically be possible. VPPMs leverage knowledge of the limits of human perception to effect changes in the user's physical movements, becoming able to (perceptibly and imperceptibly) nudge their physical actions to enhance interactivity in VR. We explore the risks posed by the malicious use of VPPMs. First, we define, conceptualize and demonstrate the existence of VPPMs. Next, using speculative design workshops, we explore and characterize the threats/risks posed, proposing mitigations and preventative recommendations against the malicious use of VPPMs. Finally, we implement two sample applications to demonstrate how existing VPPMs could be trivially subverted to create the potential for physical harm. This paper aims to raise awareness that the current way we apply and publish VPPMs can lead to malicious exploits of our perceptual vulnerabilities.



page 9


Actors in VR storytelling

Virtual Reality (VR) storytelling enhances the immersion of users into v...

Manifest the Invisible: Design for Situational Awareness of Physical Environments in Virtual Reality

Virtual Reality (VR) provides immersive experiences in the virtual world...

ReconViguRation: Reconfiguring Physical Keyboards in Virtual Reality

Physical keyboards are common peripherals for personal computers and are...

"Can I Touch This?": Survey of Virtual Reality Interactions via Haptic Solutions

Haptic feedback has become crucial to enhance the user experiences in Vi...

On VR Spatial Query for Dual Entangled Worlds

With the rapid advent of Virtual Reality (VR) technology and virtual tou...

Security, Privacy and Safety Risk Assessment for Virtual Reality Learning Environment Applications

Social Virtual Reality based Learning Environments (VRLEs) such as vSoci...

Development of a wheelchair simulator for children with multiple disabilities

Virtual reality allows to create situations which can be experimented un...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1. Introduction

A particular direction of research at the intersection of Human-Computer Interaction (HCI) and Virtual Reality (VR) explores techniques that we define as Virtual-Physical Perceptual Manipulations (VPPMs). VPPM refers to Extended Reality (XR) driven exploits that alter the human multi-sensory perception of our physical actions and reactions to nudge the user’s physical movements 111We consider this definition to be one of the outcomes of this paper. It was derived from insights from our workshop and discussions among all the authors. We present this definition early on in our paper (rather than in the results section) to make it easier for the reader to follow. (e.g., the position of body and hands). These techniques are often grounded in some threshold of the human perception (e.g., visual dominance (Posner et al., 1976; van Beers et al., 1999)) and designed to overcome physical limitations of the current VR technology, enabling new types of interaction. Research focuses predominantly on positive intents, either discovering new VPPMs (Lécuyer et al., 2004; Lecuyer et al., 2000; Burns et al., 2005) or presenting positive application scenarios for known VPPMs. For example, redirection techniques are used to provide haptic feedback by changing the user’s arm movement (Kohli, 2010; Azmandian et al., 2016) or to enable a larger play area by steering the VR user’s walking direction (Razzaque et al., 2002; Steinicke et al., 2010).

However, a VPPM technique may vary in terms of prior consent and knowledge, and may also impact the user’s ability to discern whether they are being manipulated. The user may be subjected to manipulation knowingly or unknowingly and the manipulation may or may not be perceptible to the user. Even if a user consents to being manipulated by VPPMs, they might not be aware of the consequences of their physical actions because most VPPMs are designed to be imperceptible to the user (i.e., below the perception threshold). Crucially, regardless of consent or knowledge, the intent behind a VPPM is open to abuse (e.g., disguising an attack as legitimate redirected walking) and may be opaque or covert to the user. This ambiguity, in terms of consent to, awareness of, knowledge of, and intent behind a given VPPM is what gives rise to the significant potential for harm. Nothing is stopping malicious third parties from pursuing unknown, potentially harmful outcomes to the VR user using the perception thresholds published beforehand. The lack of a common definition has lead to a blind spot in research, where VPPMs are proposed and published without due consideration as to their potential for harm.

In this paper, we focus on what is arguably the worst-case scenario — imperceptible VPPMs are applied to the user unknowingly, without consent. In particular, we focus on the potential for harm at an individual level, where one VR user’s physical actions (i.e., body motions) are manipulated to a physically abusive end. We defined this physically abusive outcome as physical harm — an action that causes hurt or damage relating to the VR user’s body. The user is perceptually manipulated into physical action, and they perceive their agency while performing physical actions. Note that we focus on perceptual manipulation as opposed to physical manipulation. This means that approaches that physically manipulate the user through external devices such as Electrical Muscle Stimulation (EMS) (Lopes et al., 2015) and exoskeletons are out of the scope of this paper. We exclude physical manipulations because these systems can physically direct or override the user’s physical actions. Thus the user is implicitly aware of, having consented to this possibility through fitting these devices to their body. Whereas with VPPMs, any physical actions are the result of a reaction to the presented perceptual stimuli, introducing the ambiguity around agency, intent, and consent of applying a VPPM. Based on this definition, we explore what potential physical harm could be provoked to the VR user by manipulating their physical actions through VPPMs, and how malicious actors could potentially abuse VPPMs to provoke physical harm.

The paper explores the risks posed by VPPMs as follows. First, we demonstrate the potential threat of provoking physical harm using VPPMs by presenting a threat model. A malicious actor wants to inflict physical harm on the VR user, and they can compromise the VR system by tricking the VR user into installing malware or a malicious app. Second, to be able to deeper understand these types of threats, we conduct a speculative design workshop using focus groups (Morgan, 1996; Krueger and Casey, 2015). Because the physical harm exploited by VPPMs is a novel phenomenon, our goal is to broadly explore the space and to promote discussion between participants. Using a design workshop (Jungk and Müllert, 1987; Halskov and Dalsgård, 2006; Rosner et al., 2016) helps us to generate ideas and identify problems around the potential impact of the malicious use exploited by VPPMs. We ran the workshop twice. The process of the workshops was video-recorded, transcribed, and coded using thematic analysis (Braun and Clarke, 2006), unveiling 1) classifications of two main classes of attacks (puppetry and mismatching) using VPPMs in VR and 2) the characterization of potential physical harm. Based on this classification of attacks, we present key publications in the HCI and VR community employing VPPMs and note the lack of consideration given to malicious, subversive appropriation of this research. Finally, to demonstrate the process of subverting VPPMs from existing publications in the field of HCI, we implement two sample applications (SteppingOn and HittingFace) based on two prior CHI publications, Haptic Retargerting (Azmandian et al., 2016) and Breaking the Tracking (Rietzler et al., 2018). We use both applications to demonstrate and reflect on our process, showing how concepts from VPPM research could be trivially subverted to inflict malicious harm. We end this paper by discussing routes towards mitigating against, and preventing, malicious use of VPPMs for practitioners and the research community.

This work has three contributions: 1) the definition of Virtual-Physical Perceptual Manipulation (VPPM), classification of attacks, and characterization of physical harm that could be provoked by VPPMs derived by two speculative design workshops (n=8); 2) two applications showing how we can trivially appropriate existing results of VPPM research towards harmful intent; 3) mitigations and preventative recommendations for practitioners and the research community on how to deal with VPPMs in the future.

2. Threat Model

In our threat model, an attacker wants to inflict physical harm on the VR user, and they can compromise the VR system. This can be done, for example, by tricking the VR user into installing malware or a malicious app. Similar to how smartphone spyware can use the affected smartphone sensors (e.g., as done in the Pegasus spyware222, the attacker can access information about the real-world environment around the VR user. This information can be extracted from tracking devices like the front-facing headset camera(s) used for inside-out tracking. The attacker can also exploit the sensors inside the VR headset and the controllers to understand the user’s movement in real-time, or access all the standard APIs that are normally available to VR applications. A sample scenario is that a user is tricked into installing a malicious VR app that contains VPPMs that do not specify their intent and are disguised as a part of the application. The user is thus presented with a VR setup that manipulates them imperceptibly (e.g., walking, reaching objects). Because the attacker has access to information about the user’s motion and the safety boundaries (e.g., Oculus Guardian), the attacker can inflict physical harm on the user through the setup. Examples of harm include tripping, hitting a wall, holding something dangerous, or walking into a dangerous area in the context of accidents (Dao et al., 2021) and bystander abuse (O’Hagan et al., 2021). Such harms may have significant implications on the user including even death (Wilde, 2017).

3. Related Work

Our work builds on prior research in presence, perceptual manipulations, ethics and security in VR.

3.1. VR Technologies and Experiences

VR technologies track the user’s physical actions in a 3-D space using Head-Mounted Displays (HMDs) and controllers, providing stimuli (e.g., visual, auditory, haptic) to enable embodied interactions. Through these technologies, VR elicits strong immersive experiences that allow the user to have a subjective feeling of being present in a virtual environment and act realistically, despite the VR user consciously knowing that the virtual environment does not physically exist. The sense of being in a virtual environment is called presence (Sheridan, 1992; Slater and Wilbur, 1997; Draper et al., 1998) in VR. For example, participants tend to take a longer path on the simulated ground rather than walking over a virtual pit (Meehan et al., 2002). VR users can also feel that the events happening in the virtual environment are real (e.g., plausibility illusion (Sanchez-Vives and Slater, 2005; Slater, 2009)) and that the virtual body parts or even a full-body avatar have become a part of their own (e.g., embodiment illusion (Spanlang et al., 2014)). These illusory states in VR are the outcomes of our perception and do not directly affect our higher cognitive functions (Gonzalez-Franco and Lanier, 2017). Enhancing the immersive experience and presence in VR becomes a common goal for designing new VR interaction or locomotion techniques. The existence of these illusions and the fact that they are working so well, is one of the main reasons why VPPMs can be applied so effortless to a variety of application scenarios.

3.2. Perceptual Manipulations in VR

VR is an excellent platform for applying perceptual manipulation. While VPPMs can apply across the reality-virtuality continuum, we focus on VR because of its greater capacity for inducing an illusion of non-mediation. The simulated content occupies the VR user’s visual sensory input, and VR HMDs block the user’s view of the outside world to enhance immersion. These features allow designers to make use of the visual dominance (Posner et al., 1976; van Beers et al., 1999) and the unawareness of sensory discrepancy (Warren and Cleaves, 1971; van Beers et al., 2002).

Research in HCI and VR develops techniques to manipulate the mapping between virtual and physical environments. Most of the time, they are below the human perception threshold, making them imperceptible. Previous research found that one can induce the pseudo-haptic feedback by controlling the visual input (Lecuyer et al., 2000; Lécuyer et al., 2004) and that VR users are less sensitive to the visual-proprioceptive conflict (Burns et al., 2005). Although there is a difference between the virtual and physical environment, our perceptual system interprets the sensory information from VR, and the brain-body system reacts immediately to perform the physical actions (Gonzalez-Franco and Lanier, 2017).

Practitioners and researchers then start “hacking” human perception to overcome several limitations in current VR systems (e.g., limited tracked space, lack of haptic feedback). A popular example of such technique is redirected walking (Razzaque et al., 2002; Steinicke et al., 2010; Sun et al., 2018), steering the VR user’s physical walking path by interactively and imperceptibly rotating the virtual scene. One can use slow-speed translation/rotation gain below the user’s perception threshold or manipulate the stereo image in a see-through HMD (Ishii et al., 2016) to achieve the effect. Redirected touching (Kohli, 2010) and redirected haptics (Azmandian et al., 2016; Cheng et al., 2017) re-purpose the VR user’s hand to a passive haptic prop by manipulating the visual of the user’s arm or the virtual scene. These manipulations can also be applied to reduce physical movements and fatigue by improving ergonomics in VR (Montano Murillo et al., 2017), changing VR user’s posture unobtrusively (Shin et al., 2020), and inducing a sensation of weight (Rietzler et al., 2018; Samad et al., 2019).

While the aforementioned are applications of VPPMs that had positive intents, VPPMs can also be exploited maliciously to provoke harm on the VR user. The adversaries in that case can be VR developers who intentionally (or unintentionally) manipulate the user’s perception in a way that has harmful consequences. Our method is to articulate how VPPMs in VR can be — and likely will be — abused in the future.

3.3. The Potential Harm and Attacks in VR

VR induces strong sensory feedback on our perception. Previous work discussed the ethical implications of conducting VR research (Behr et al., 2005; Madary and Metzinger, 2016) and of realism in VR and Augmented Reality (AR) (Slater et al., 2020). In our work, we focus on uses of VR that are highly persuasive for benefits (e.g., training), but could also be used for malicious purposes. An example would be to incite a VR user to do something they would not normally do, which in turn leads to harming the VR user.

Through the VPPM techniques, one can change the VR user’s perception of their physical actions. Current VR applications are dominantly achieved through embodied motions for enhancing presence (Usoh et al., 1999). Compared to interaction with desktop or mobile devices, VR involves a larger-scale of 3-D space, which means that the VR user is more likely to encounter physical harm caused by their actions. An example is to elicit the user to sit on a virtual chair that does not have a counterpart in the real world. More examples, like colliding or hitting real-world objects and falling over, have been identified in a recent work on common VR fails that happen to users at home (Dao et al., 2021).

Recently, security researchers started to explore the potential for immersive VR attacks. Casey et al. (Casey et al., 2019), presented a software vulnerability and were able to manipulate the visuals of the safety guardians of an HTC VIVE. Using this, the authors identified what they called the “Human Joystick Attack”, which allows directing an immersed user’s physical movement to a location without the user’s knowledge. This attack falls under one of the five categories we identify in our classification of malicious VPPM use. Our work extends this previous research by understanding the larger class of attacks that could be possible using VPPMs. While the security community started to explore potential vulnerabilities in XR technologies, the current main focus is on finding and closing new factors of attack on the software and hardware (Odeleye et al., 2021; Aliman and Kester, 2020). However, in this work we are not focusing on the technical weak spots but are actually exploring human weak spots. We argue that the HCI community is at the perfect intersection of computer science, psychology, cognitive science and design, to combine knowledge from those fields who are mostly publishing VPPMs.

4. Method: Speculative Design Workshop

Because we want to understand what malicious exploits of VPPM might look like in the future, we refer to methods such as speculative design (Auger, 2013) and design fiction (Markussen and Knutz, 2013). These approaches allow us to both critique current practices and reflect on future technologies and their ethical implications. We broadly explore this space through a speculative design workshop using focus groups (Morgan, 1996; Krueger and Casey, 2015) with researchers and designers. Participants had to a) brainstorm scenarios in which VPPMs can be used to induce physical harm to the VR user; b) identify one (or more) dimension upon which the scenarios from the brainstorming can be contextualized (e.g., the severity of physical harm); and c) rate the relevance of each dimension for studying and preventing future physical harms caused by VPPMs in VR.

4.1. Participants

We used snowball sampling and reached out to people from the mailing list. Eight participants (age: ) were recruited (Table 1). All researchers worked on VR/XR topics, publishing peer-reviewed papers in top-tier conferences like CHI and UIST. To get a more diverse group of people, ideas and perspectives, we additionally recruited participants that identified their work to be dominantly on design rather than on research or development. We argue there is a benefit in having a range of expertise as experts alone may be overly constrained in their thinking based on their knowledge of technical constraints or prior research (Cross, 2004). Therefore it was important to have that blend of expert and non-expert/familiar participants. We also want to clarify that none of our participants were novices in the field of XR. Most of our participants rated their VR expertise to be at least average and mostly above average and expert. Overall, they had at least average and above-average experience with VR (5-point Likert scale, ). We ran the speculative design workshop twice with four participants each time.

[Table 1 indicates the background of participants.]Table 1 indicates the background of participants, including participant ID, gender, profession, and self-described VR expertise. ID Gender Profession VR Expertise W1P1 F HCI researcher expert W1P2 M HCI researcher above average W1P3 M HCI researcher above average W1P4 M XR/HCI designer expert W2P5 M curator/designer below average W2P6 F design researcher average W2P7 F HCI researcher above average W2P8 F graphic/interaction designer average

Table 1. The background of participants. We asked participants to self-describe their profession and VR expertise.

The goal was to explore scenarios using VPPMs to provoke physical harm. With our introduction in the workshop, participants could design a malicious scenario using VPPM. P1, P2, P3, and P7 had a Computer Science background and worked on HCI and VR/XR research. P4 worked as an XR/HCI designer from the industry, who develops VR training platforms for surgeries. P5, P6, and P8 were designers who have a design background working in design research. A designer could think about diverse contexts and consequences of the abusive scenario, and a researcher could deep dive into the technical details if they consider it is necessary. Both workshops included researchers and designers, the first one (W1) was more researcher-focused, and the second one (W2) was more designer-focused. This setup allowed each workshop to enable discussions with different perspectives and elicit valid outcomes.

4.2. Procedure

Figure 1. The steps, tasks and outcomes of the speculative design workshop.

[Figure 1 shows the process, task, and outcome of the workshop.]Figure 1 shows four steps with their tasks and outcomes in the speculative design workshop. We ran two workshop and obtained overall 19 scenarios and 12 dimensions.

Figure 1 shows the structure of our speculative design workshop. The workshop consisted of four steps: instruction, brainstorming, synthesizing, and voting. In the instruction step, we first introduced the VPPMs in VR by presenting examples in HCI and VR research, such as Haptic Retargeting (Azmandian et al., 2016), Body Follows Eye (Shin et al., 2020), and redirected walking (Ishii et al., 2016; Sun et al., 2018). Next, we presented our goal — speculate on the potentially abusive VPPMs that could manipulate the VR user’s body motions to induce physical harm. This part took 15 minutes to complete.

In the brainstorming step, we presented the following assumption: “In 10 to 20 years, VR technology has full body tracking and understands the physiological states of the VR user. People can use VR in open space, and VR application becomes more than gaming and lab experiments. VPPMs are able to manipulate whole-body motions and are imperceptible to the VR user.” Based on this assumption, we introduced the task:

Brainstorming Task: Speculate on a scenario manipulating the VR user’s body motions to provoke physical harm.

Participants had to describe how they use VPPMs to elicit physical actions that provoke physical harm. One restriction in the brainstorming was that the VR user has to perceive agency on their physical actions. We do not consider body motions created by an external device (e.g., EMS or exoskeleton) as VPPMs because the VR user knows the motion is done by the system. Participants had 10 minutes time to brainstorm as many scenarios as they could individually. Afterwards, each participant presented their ideas and discussed it with the other participants (15 minutes).

After participants presented their scenarios, we continued with the third step:

Synthesizing Task: Identify one (or more) specific dimension to position the presented scenarios.

The goal of synthesizing was to understand the potential harm in more detail that could happen using VPPMs. We asked participants to find one or more specific dimension that can be used to position all the presented scenarios on (including the ones from other participants). The goal was to find terms and variables that are helpful to understand the potential harm. One example could be to use “amount of pain” as the variable and position scenarios that create little pain further on the left than scenarios that create more pain. Participants created dimensions individually for 10 minutes and took turns to present their outcomes altogether for 10 minutes.

Finally, in the voting step, we asked participants to rate the relevance of each dimension created in the synthesizing step:

Voting Task: Please rate the relevance of each dimension for studying and preventing future physical harm caused by VPPMs in VR.

The rating was a 5-point Likert scale ranging from strongly irrelevant to strongly relevant. Note that the two workshops had different scenarios and dimensions. The W1 participants rated the dimensions created in W1 and the same for W2. Here we were interested in the consensus of the participants in each workshop. This part took five minutes to complete.

All participants engaged in the discussion during both the brainstorming and synthesizing steps. The discussion allowed participants to collaborate in groups to discuss the scenarios and dimensions they created. Therefore participants worked together to create the outcome. All of them contributed to the question about the potential malicious use of VPPMs (scenarios in the brainstorming step) and the range of the presented scenarios (dimensions in the synthesizing step). Participants worked on miro333 (Last access: 9th Apr. 2021) remotely, and the both workshops lasted two hours. We recorded the brainstorming and the synthesizing steps.

5. Workshop Results

In this section, we first introduce the analysis of the results from our speculative design workshops. Next, the collected data and extracted results (e.g., including the classification of attacks and the characterization of physical harm) are presented. Finally, we summarize the observations from the workshop.

5.1. Data Analysis

Figure 1 (the right column) shows the outcome of each step of the workshop. Participants from the two workshops created 19 scenarios and 12 dimensions. The video footage of the workshops was transcribed and anonymized. The transcripts and scenarios were then iterated and coded by three authors in joint sessions. Participants did not take part in the analysis. We applied thematic analysis (Braun and Clarke, 2006) to investigate the underlying themes of the transcribed data. The coding was always done together in nine sessions, each of which took on average two hours. Several sessions were re-watched during the coding sessions to arrive at a consistent interpretation consisting of categories and general themes. Conflicts were resolved by discussing each individual coding.

5.2. Scenarios

Figure 2 presents 19 scenarios: names, descriptions, techniques used to induce them, and the potential physical harm caused in them. Technique Used and Physical Harm are the codes identified in the thematic analysis. Several scenarios apply redirection techniques to affect the user’s physical movements or actions and bring them to harmful consequences: Magic Maze, Window Game, Bad Surprise, Minecraftish, Danger Food, Getting Robbed, and Catch a Ride. Three scenarios try to break the habituation and trust of using a system to provoke physical harm (Apartment Hack, Falsely Mapped Apartment, Moving Platform). Some scenarios occlude the physical world with virtual content so the VR user is unaware of the physical harm: Getting Robbed, Start a Fight, Safari, Ocean VR. Insult simulator uses game instructions to make inappropriate gestures to insult the bystanders. The rest of the five scenarios are not directly associated with VPPMs. Technical Repair and Warming Down provide false information to induce harm. Spanning the City is a scenario about advertisement in VR. Double Kayaking Simulator does not specify the technique, and Long Lasting Use of VR is about overusing VR. The description of seven selected scenarios are presented in Appendix A as a representation of those using similar techniques.

Figure 2.

An overview of 19 scenarios we collected, including the name, description, technique used, physical harm, and classified attack of each scenario.

[Figure 2 shows an overview of the 19 scenarios elicited from the workshop.]Figure 2 shows the name and description of 19 scenarios. Technique used and physical harm are the code we created in the thematic analysis. The attack column shows the classified attack.

5.3. Classification of Attacks

To find some commonalities and a potential classification of attacks, we applied open and axial coding on the Technique Used that was presented with each scenario (the label that described how participants wanted to achieve the effect). The identified codes were shown in Figure 2, the Attack(s) column. We identified two main classes of attacks: puppetry attacks and mismatching attacks. For the scenarios that did not reach a greater theme, we coded them as miscellaneous. They provided different insights like accidents (S05, S13) or social interaction (S11). Two scenarios (S02 and S19) were coded as unclassified because they were too specific and missed the technical detail. In the following, we focus on the definition of puppetry and mismatching attack and how they are integrated into the scenarios.

Figure 3. We illustrate the attacks by showing the sketching of three selected scenarios. For the color code, the blue outline represents the physical world, pink stands for the virtual content, and green shows how attack works. (a) The VR user is in Magic Maze scenario and thinks they walk along the direction to the physical door (the purple arrow). Malicious actors apply the walking puppetry attack to steer the VR user’s walking direction and make them fall off a stairway. (b) The VR user locates in a fully-mapped apartment (Falsely Mapped Apartment). Malicious actors apply the false-positive mismatching attack to introduce a virtual chair. The user assumes the virtual chair is fully-mapped. So they sit on the chair, but end up falling on the floor. (c) A VR user is playing a zombie game where they have to fight with zombies using bare hands. Malicious actors use the swapping mismatching attack render the virtual zombie over a bystander and makes them start a fight.

[Figure 3 shows three selected scenarios and illustrates the walking puppetry, false-positive, and swapping attacks.]Figure 3 demonstrates the attacks by showing the sketching of three selected scenarios. Figure 3a illustrate the Magic Maze scenario where the VR user walks along the arrow pointing towards the door. Malicious actors apply walking puppetry attack to steer the VR user’s walking direction towards the stair and make them fall off the stairway. Figure 3b shows the scenario Falsely Mapped Apartment. The VR user habituates to a fully mapped room. Malicious actors apply false-positive mismatching attack to introduce a virtual chair, and the user sits on the virtual chair, ending up falling on the floor. Figure 3c shows the scenario start a fight. A VR user plays a zombie game where they have to fight with zombies using bare hands. Malicious actors use the swapping mismatching attack render the virtual zombie over a bystander and makes them start a fight.

5.3.1. Puppetry Attacks

These attacks control physical actions of different body parts of an immersed user. We argue that VPPMs allow controlling different body parts precisely as the technology and research progress. Therefore we use the term “puppetry” to represent the potential impact that this attack could happen on different levels of body parts in the future.

Walking Puppetry Attack

By applying redirected walking VPPMs, the malicious actor can steer the VR user’s walking direction (Figure 3a). The walking puppetry attack was mentioned in several scenarios, including Magic Maze (S03), Window Game (S04), Getting Robbed (S08), Catch a Ride (S09), and Bad Surprise (S17). Participants applied this attack to make a VR user go to a location for provoking potential physical harm (e.g., falling, going to a dangerous area).

Arm-Movement Puppetry Attack

The arm-movement puppetry attack controls the physical actions of the VR user’s arm. Redirected haptic techniques (Kohli, 2010; Azmandian et al., 2016) are the underlying VPPMs. By applying this attack, one can direct a VR user’s hand to interact and break the user’s property (Minecraftish, S12) or to reach a physical object that could be harmful during interaction (Danger Food, S15).

5.3.2. Mismatching Attacks

Mismatching attacks are manipulations in which the adversary exploits a difference of information between a virtual object and its physical counterpart to elicit misinterpretation for the VR user. Here the environment for a VR user is true-positive, where each virtual object has a one-to-one representation in the real world.

False-Positive Attack

In Figure 3b, the false-positive attack creates virtual content that has no physical counterpart (e.g., a virtual chair) in a true-positive environment. The VR user habituates this one-to-one mapping environment therefore they believe the false-positive chair exists in the room. Interacting with these content could lead to physical harm (e.g., sitting on a virtual chair and falling on the floor). Scenarios using the false-positive attack are Falsely Mapped Apartment (S10) and Apartment Hack (S06). They require a perfectly mapped environment and a certain degree of trust from the user towards the VR environment. This trust, most of the time, builds upon how much a VR user is accustomed to the environment or interaction. In fact, the habituation can be achieved through repeating a single task. Once the user is used to the task and starts performing it without conscious attention, a false-positive attack becomes dangerous and impactful.

False-Negative Attack

In this attack, the malicious actor deliberately hides the information from the physical environment. Therefore, the VR user is unaware of incoming dangers. For example, overriding traffic noise (Catch a Ride, S09) makes the user unaware of approaching vehicles, which in turn makes them vulnerable. In Falsely Mapped Apartment (S10), malicious actors provoke collision with the environment by removing an virtual object from a fully-mapped apartment. The false-negative attack could happen when using VR in an open space because the system needs to constantly detect the surroundings. If the attack hides or disguises a physical object (e.g., hiding an opened window), the attacker could make the VR user even fall or jump out of this window (Window Game, S04). Which could even lead to a fatal outcome.

Swapping Attack

The swapping attack happens in the True-Positive situation where each virtual object maps to a physical object. However, the application renders a different virtual image that does not represent the identity of the physical object. Therefore, the VR user believes they are interacting with the virtual one but inadvertently cause physical harm to themselves or to others. In Start a Fight (S07), the bystanders were rendered as the enemy avatars in a fighting VR game, which resulted in the VR user attacking bystanders (Figure 3c).

5.3.3. Reflection on VPPM research and Potential Attacks

While some of the presented scenarios may stretch the imagination, we want to emphasize that for the most part these scenarios already exist in some prior work that started to work towards the potential VPPM and potential abuse. To demonstrate this we selected for every type of attack a few example publications from the field of HCI. We selected publications that were either working towards a VPPM, or presented a new application of VPPMs which could be used to reproduce the work. We want to emphasize that this is by far not an exhaustive list but should only work as en example.

For puppetry attacks, we select seven papers (Razzaque et al., 2002; Steinicke et al., 2010; Ishii et al., 2016; Langbehn et al., 2017, 2018; Sun et al., 2018; Rietzler et al., 2018) in which the walking attack is possible, and four (Kohli, 2010; Azmandian et al., 2016; Rietzler et al., 2018; Samad et al., 2019) in which the arm-movement attack is possible. These publications mainly investigated redirection techniques and are often published at AR/VR conferences such as ISMAR, IEEE VR and UIST. In these papers, there are few hardware requirements (although some do need eye-tracking) and the implementations are described in detail. The thresholds of applying VPPMs are also provided in these publications. For mismatching attacks, we selected the following publications (false-positive: (Cheng et al., 2019; Yang et al., 2019; Lindlbauer and Wilson, 2018), false-negative: (Hartmann et al., 2019; Lindlbauer and Wilson, 2018), swapping: (Simeone et al., 2015; Hettiarachchi and Wigdor, 2016; Shapira and Freedman, 2016)). Among the selected publications, only Optical Marionette (Ishii et al., 2016) mentioned the safety concern of manipulating the user’s walking in the real world. There is a lack of consideration given to malicious, subversive appropriation of VPPM research.

5.4. Characterizing Physical Harm

In the synthesizing step, we asked participants to identify one (or more) specific dimension to position the presented scenarios. We report two dimensions (severity of physical harm and perceived agency) that received the highest score in the voting step of each workshop. Note that each workshop had a different output of scenarios and dimensions. Therefore, the consensus of the voting is within each workshop. Finally, we report on our last analysis of characterization of the physical harm we found in the workshop.

Severity of the Physical Harm

Overall, 16 instances of physical harm were mentioned, in which falling and punching each appeared four times. The severity of the physical harm is the most reported dimension in the synthesizing step (6 out of 12 dimensions). We interpret severity as how bad the physical harm can be on a VR user and can the VR user recover from the given physical harm. Figure 4

a, from the left, the physical harm is a low, brief moment of discomfort (e.g., eyestrain, falling, punches). From the right, the physical harm becomes more unrecoverable (e.g., broken teeth, get driven over), and the extreme form of severity is death.

Perceived Agency

The Perceived Agency (D2) is one of the dimensions reported by participants in the synthesizing step (Figure 4b). The Perceived Agency is to what degree VR users consider the harm is caused by themselves. No agency means the VR user interprets the system (or application) caused the physical harm. For instance, If a user finds out the system blocks all the auditory information from outside but does not maneuver this setting, he perceives no agency in this case. On the other hand, full agency means VR users perceive the harmful consequence is done by themselves. The implication from the perceived agency dimension is whether a VR user falls into the same trick again. Nevertheless, because the VPPM’s manipulation may or may not be perceptible, a malicious exploit of VPPM can hide their maneuver on the user and make them blame themselves.

Figure 4. We reported two dimensions selected from the synthesizing step. (a) Severity of the Physical Harm shows how bad physical harm can be and can a VR user recover from the given harm. This dimension varies from mild pain and discomfort (e.g., eyestrain, cramp) to the extreme case (e.g., drowning, get driven over). (b) The Perceived Agency indicates to what degree a VR user considers that the physical harm (or consequence) is caused by themselves.

[Figure 4 shows two dimensions created in the synthesizing step, severity of physical harm and perceived agency.]Figure 4a shows the dimension, severity of the physical harm, varies from little pain and discomfort (e.g., eyestrain, cramp) to the extreme harm (e.g., drowning, get driven over). Figure 4b illustrates the dimension, perceived agency. This dimension shows to what degree a VR user believe the physical harm or the consequence of the interaction is caused by themselves.

The Origin of Harm Created

Similar to how we coded the Technique Used to classify types of attacks, we now coded Physical Harm to find a classification of harm.

We find in the dimension of severity that physical harm can be caused by the user (e.g., fall down into stairway) or by others (e.g., someone punches the VR user). This was also mentioned in the origin of physical harm done (D6) in the synthesizing step. Therein, participants described who committed the physical harm in each scenarios. We extend this concept in our coding process and present a 2 2 matrix (Figure 5) to categorize physical harm by 1) VR user provokes/receives the harm and 2) is the other party an organism or non-organism.

Scenarios with the gray background fit into two quadrants at the same time. Because our task focused on inducing physical harm to the single VR user, most scenarios locate in the quadrant of receiving harm from non-organism (e.g., falling down a stairway, get driven over a car). Although we asked participants to create physical harm related to the VR user’s body, damage to non-organism still came up during the workshop. For example, hitting furniture, breaking personal property by throwing them. We categorize these property damages into VR user provokes harm to non-organism. The VR user also provokes physical harm to organism (e.g., punching bystanders in Start a Fight, throwing a pet in Minecraftish). Finally, the VR user can also get hurt from organism. An example would be get stabbed in Get Robbed or bitten by wild animals in Safari. This matrix indicating physical harm could be extended to more than one VR user in the future.

Figure 5. The matrix categorizes the physical harm by 1) VR user provokes/receives the physical harm and 2) whether the other party is an organism or non-organism. Scenarios with the gray background fit into two quadrants.

[Figure 5 describes a categorization of physical harm, the origin of harm created.]Figure 5 describes a categorization of physical harm, the origin of harm created. We categorize the physical harm by whether a VR user provokes/receives the physical harm and whether the other party is an organism or non-organism. Scenarios with the gray background fit into two quadrants.

5.5. Observations from the Workshop

Among all the scenarios, seven (7/19=37%) of them applied puppetry attacks as a part of the technique used to provoke physical harm to the VR user. The puppetry attack was several times combined with mismatching attacks (e.g., Catch A Ride: false-negative + walking puppetry) and easier to apply and deploy in VR applications. Therefore, they have the potential to become of the first archetypes of malicious attacks using VPPMs.

Game Mechanisms and Narratives

Most scenarios applied some form of narratives and game mechanics to bring the user into the context of VR. Using enriched narratives is associated with increased presence (Weech et al., 2020). Current gaming applications in VR have already “remote-controlled” the VR user’s physical actions through the game design. For example, VR rhythm games make the user do dancing poses originating from the song (VR Fitness Insider, 2018), or players have to maintain different poses by putting their head and hands in the right spot, which can be dabbing, lunges, squats, or even choreography (e.g., OhShape (Lab, 2020)). Because the VR user is immersed in the game and unaware of what their physical actions represent in the real world, malicious actor can make them do inappropriate posture to confront bystanders as described in Insult Simulator.

Habituation and Trust

In a discussion during W1, P2 mentioned, “because I believe any application we are talking about right now here requires a degree of trust.” This trust in a VR application (system) can be built by the habituation to the environment or interaction. An example would be Falsely Mapped Apartment where the VR user is used to a fully mapped place. Malicious attacks remove or add a virtual object at one point to break this habituation and trust in the system. Another example is Moving Platform where the user interacts with a haptic display, and suddenly the system stops (accidentally or deliberately) to provoke physical harm. The VR user gets used to the interaction and is fully committed to the action they are doing. Then comes the moment to break the habituation and provoke physical harm.

6. Demonstrating the Potential for VPPM harm

The workshop illustrates the significant scope and scale of physical harm potentially enabled by VPPMs. However, it would be easy to write off many of these attacks as infeasible or impractical since our main method was grounded in speculative design and workshops.

To demonstrate that the potential for physical harm related to VPPMs is both plausible and pressing, we introduce two implementations of VPPM concepts. These implementations are grounded in two recent publications from CHI (Azmandian et al., 2016; Rietzler et al., 2018). We deliberately choose two publications from our community to emphasize the responsibility we carry when creating such techniques. Our two implementations are meant to demonstrate that with the information from the paper and some basic computer science knowledge, we were able to create two applications that are using the puppetry and mismatching attacks. These two applications could potentially be uploaded to open stores such as SideQuest and cause a certain amount of harm to the current early adopter population of VR technology. While they could be counteracted with simple additions to the publication process or platform-level mitigation (see section 7, Mitigations and Countermeasures), these are currently not in place. The existence of these current weak spots should be an additional call to action to platform developers and markets. Two applications (SteppingOn and HittingFace) are mainly leveraging the predominant form of VPPM (puppetry attack) exemplifying how VPPMs can be easily subverted and provoke physical harm to the VR user.

Figure 6. (a) The SteppingOn setup has one physical and three virtual stairs. The application redirects the VR user to match the stepping feedback on the physical stair while (b) walking back and forth for collecting apples. (c) The application randomly turns off redirection to create a missing step.

[Figure 6 illustrates the application, SteppingOn, that redirects a VR user towards a missing step, provoking falling over.]Figure 6a shows the setup of SteppingOn. A VR user is redirected towards the same physical stair while stepping on three different virtual stairs to collect apples as fast and as many as possible. Figure 6b shows the application applies redirection technique when the VR user turns back to put the apple inside a basket. Figure 6c illustrates that at one point the application stops the redirected walking so that the user deviates from the physical stair and provokes a missing step.

6.1. SteppingOn: Provoking Missing Steps Using Redirected Walking

SteppingOn enables the haptic feedback of stepping on a stair to collect virtual items in VR. The setup (Figure 6a) contains one physical stair functioning as a prop in the real world to support the haptic feedback of three virtual stairs in VR. The user has to walk towards the three virtual stairs to pick apples from the trees and return to the original point to put the apple at a certain position in VR (Figure 6b). SteppingOn always redirects the user toward the same physical stair while having the impression of visiting a different virtual stair each time. When the user drops an apple and turns their head to go back to the stairs, we rotate the VR scene. The rotation of the scene is imperceptible. Once the virtual stair aligns with the physical one, we stop rotating to prevent the alignment from being exceeded. Finally, we add two game mechanics (score and time limit) to make the user commit to grab the apples and climb the stairs. The user must collect as many apples and as fast as they can.

During the game, the application randomly turns off the redirection so that the user deviates from the targeted physical stair and makes a missing step (Figure 6c). This effect is similar to the moment when climbing stairs, where we think there is one more tread, but we are already standing at the landing, therefore, making an additional step. The missing step effect sometimes triggers small forms of a stumble and can be easily increased using a higher stair. The setup was inspired by Haptic Retargeting (Azmandian et al., 2016) and the concept of redirected walking (Razzaque et al., 2002).

Figure 7. (a) A VR user tests several baseball caps on his avatar in VR. (b) The concept of HittingFace is to change the offset between the virtual and physical movements while the user moving the controller closer to the HMD. (c) Because of the trajectory of the controller changes during the movement, HittingFace is able to provoke collision.

[Figure 7 shows the concept of HittingFace, where the application increases the offset between the virtual and physical position of the controller, provoking a collision with the headset.]Figure 7a shows a VR user is testing several baseball caps. Figure 7b shows that the application changes the offset between the virtual and physical movements while the user moving the controller closer to the headset. Figure 7c demonstrates that the trajectory of the controller changes abruptly during the movement. The VR user follows the visual in VR, moving their controller closer towards the headset and provoking a collision.

6.2. HittingFace: Changing the Trajectory of Controller Movement to Provoke Collision with the HMD

HittingFace is a short example application that manipulates the trajectory of hands by adding an offset between the virtual and physical position of the controller to provoke collision between the controller and HMD. Figure 7a shows the scenario of HittingFace where the VR user puts on different baseball caps on their avatar to test their outfit. When the user selects a cap with controller, the application records the controller position () as the starting position (). Next, we calculate as an indicator of how close the controller and the headset are. When the VR user puts on the baseball cap in VR, the controller is closer to the HMD. We add an offset to the the direction of facing-forward. The application increases the offset abruptly, shifting the visual of controller away from the real one. Then the VR user moves the controller even closer to the HMD (Figure 7b), provoking collision in Figure 7c. This application was inspired by Breaking the Tracking (Rietzler et al., 2018) that simulates the feedback of weight in VR by using perceptible tracking offsets.

6.3. Reflection

We started by defining the physical harm we wanted to provoke (e.g., fall, collision with the HMD). Next, we were thinking about incorporating physical harm into the physical movements and some game mechanics. Inspired by habituation, the applications exploit the manipulations after the user becomes familiar with the interaction. At one point, the applications start to nudge the user’s physical movement (e.g., walking direction, hand movement trajectory) and provoke the physical harm we chose. Implementing these sample applications (SteppingOn and HittingFace) shows how current concepts from VPPM research can be trivially subverted.

We did not evaluate both applications due to the high risk of hurting participants. The implication of presenting both applications is to show how easy it can be to subvert an existing VPPM to provoke physical harm. Both demonstrations may seem easy to counter. An example would be detecting the discrepancy between the virtual and physical movements as a threshold to stop a VPPM technique. However, the malicious use of VPPMs and its countermeasure are both unexplored spaces for researchers and practitioners currently. The goal of the two applications is to raise awareness and initiate discussions in the HCI and VR communities. We further discuss mitigations and preventative recommendations for the malicious use of VPPMs from the end-user to the platform level in section 7.

7. Mitigations and Countermeasures

We have discussed the potential attacks, physical harm, and how to provoke them using VPPMs. In this section, we reflect on mitigations and preventative recommendations against the malicious use of VPPMs for practitioners and researchers.

Awareness and Consent of VR Users

When applying VPPMs, the user may be subjected to manipulation knowingly or unknowingly, and the manipulation may or may not be perceptible to the user. This notion is one possibility of how malicious actors hide their intention and provoke physical harm to the VR user. Given this, it would be reasonable to suggest future VR applications using VPPMs should at-a-minimum disclose that such an approach is being used and particularly the intent behind its usage.

Where a VPPM might be particularly risky or open to abuse, we would suggest it should be described to the user in sufficient detail to seek informed consent for applying such manipulations and perceptual hacks. For example, applications should be transparent about what kinds of actions are manipulated using VPPM, how these actions are represented, and the possible effects on VR users (Brey, 1999, 2014). At the same time, VR users are freely able to select different levels of deception provided by VPPMs (Slater et al., 2020). This concept originates from reducing the realism of an XR application if a user only wants to try a little taste of the virtual environment. By providing this option, VR users can voluntarily choose to what degree they want to be manipulated by VPPMs if they feel comfortable with the manipulation. Applications using VPPMs also need to respect the VR user’s right to withdraw anytime by providing an opt-out option for stopping the VPPM technique (Benford et al., 2012; Slater et al., 2020).

Validation / App Store Protections

App platforms (e.g., Steam, Oculus Store, SideQuest) also need to verify what type of and how much VPPM is used in an application. In the same way that malicious actors have access to reference implementations and perceptual thresholds, so do the platforms that profit off of selling XR applications and experiences. Thus we assert the responsibility should, in part, fall on their shoulders to seek out ways to detect the presence of such manipulations in applications that they provide. In the long run, these platforms should build a standardized rating system for induced contents (Wilson and McGill, 2018; Spiegel, 2018) and VPPMs as additional information for end-users.

Platform-Level Mitigations: Provision and Detection

We anticipate that platform-level APIs (e.g., OpenXR444 could provide access to safe, permitted, and validated VPPMs that tie into mechanisms for awareness and consent. An example would be an OpenXR software library of redirection techniques that could prevent malicious implementations.

Considering the pipeline of AR/VR technology, a device requires sensing the raw data, extract information for the recognition of high-level semantics, and rendering on top of the HMD (Roesner et al., 2014). Platforms could implement low-level protections against the unpermitted usage of VPPMs in the sensing and rendering. For example, the discrepancy between virtual and physical movements could be monitored (Lebeck et al., 2016, 2017). If the physical movement deviates significantly from the virtual movement, this could reveal some types of VPPM (e.g., the gain-type ones). Similarly, one could imagine the platform detects the dangerous overlap between virtual contents and the physical environment. An example would be a virtual target overlaid on a physical lamp, which sounds like a risk of non-organism damage. This type of mitigation can be a part of reality-aware headsets where the virtual and physical context needs to be considered in making the experience safer for users.

Lastly, on the device level, one can apply permission-based security with access control lists (Barrera et al., 2010). Therefore a VR system may prevent a malicious third-party application from abusing access to the sensory data. For example, blocking the access to the captured image of cameras to avoid incorporating bystanders as an enemy avatar in Start A Fight.

Community-led Regulations and Guidelines

In time, we would expect that regulations could be formed around our proposed mitigations and preventative measures. There are a number of routes that could accomplish this. Most immediately, we propose such regulation could be formulated by not-for-profit organizations in this space (e.g., XRSI555, creating voluntary guidelines that could guide the actions both of app platforms and app developers (Pearlman, 2020). Eventually, one could imagine firmer legal protections being put in place. An example would be an equivalent of GDPR666 such as an extended reality protection regulation (XRPR) that would include the right to perceptual integrity. As recent works discussed on human rights of neurotechnology (e.g., (Yuste et al., 2017, 2021), and The NeuroRights Foundation777, XRPR also has to include the right to agency and consent to choose one’s own actions while using VPPMs.

The Role of the Research Community: Anticipation and Disclosure

VPPMs offer obvious advantages to interaction design and locomotion in particular, having been repeatedly pursued by research. Consequently, the implementation details of VPPMs and the perception thresholds found are open to everyone. However, this information is also available to malicious actors. This early insight gives malicious actors the chance to abusively exploit published results and concepts, for example, using VPPMs to enact harmful consequences on VR users. Fundamentally, the current way we apply and publish VPPMs is hacking human perception. We consider this hack as exposing a weak spot of our perceptual vulnerabilities. One can provide patches to fix the software backdoor, as we have previously discussed, but there is no patch to fix the hack of our perception directly.

In our view, these risks necessitate a change of approach regarding how we disseminate novel research related to VPPMs. We suggest that the research community should publish VPPM with the potential threats/risks in mind. The community should consider the perceptibility of a given VPPM instead of only optimizing for presence, immersion, and other usability measurements (e.g., performance). This approach would ensure one could apply VPPM always above the perception threshold during VR interaction, allowing VR users to know they are interacting with a certain degree of manipulation. This idea is already starting to get explored in the field of locomotion. Rietzler et al. (Rietzler et al., 2018) proposed using perceptible thresholds to reduce the space requirement for redirected walking, which could also benefit a transparent usage of VPPM. Finally, we suggest if a VPPM publication has the potential to enable abusive outcomes (e.g., if it has the potential to facilitate one of the attacks identified herein), then the author(s) should include discussion regarding the potential threat/risk posed at-a-minimum.

8. Discussion

Our goal with this paper was to start the first exploration into how dangerous current VPPMs could become in the future. While we are able to observe current applications of VPPMs, we needed to apply speculative design methods to try to predict how these current VPPMs could be subverted in the future. Applying this method allowed us to present a definition of VPPMs and a set of speculative scenarios which we used to derive a classification of attacks and gain a better understanding of the characteristics of the potential harm arising from the VPPMs. We identified five potential attacks (puppetry: walking, arm-movement; mismatching: false-positive, false-negative, swapping), a categorization of harm (provoke/receive matrix), and two variables that participants found particularly important when thinking about VPPMs (severity of physical harm and perceived agency).

Physical harm is a novel problem that arises at the intersection of HCI, XR, and Security/Safety research. This unique combination aims at using methods from security research, combined with insights from HCI which are then applied to applications in XR. Additionally, XR may become an “ideal” platform to abuse perceptual vulnerabilities and manipulate the user’s motion. The ability to manipulate the VR user’s physical movements and actions could have way more impact than only hitting a piece of furniture.

Pursuing positive outcomes (e.g., speed, accuracy, enjoyment) is usually a common goal for HCI research. VPPMs help in overcoming the limitations of VR technologies. They also expose a weak spot of VR users who are particularly vulnerable because of losing connection with the real world. Our intention is to raise the awareness that the interaction design in VR using VPPMs could be used for malicious intention as well. Although examples shown in the applications may be easily thwarted, this is currently not the case because VPPMs are mostly used inside research. Meanwhile, it is necessary to ensure that developers are aware of these potential attacks and that they take measures to prevent or mitigate them. We want to emphasize the importance of the safety and security of the VR user, with a particular focus on physical harm done by human perception hacking. To our best knowledge, we are the first to establish the term, organize the knowledge in this domain, and lay out suggestions on how to deal with VPPMs (i.e., section 7).

8.1. Limitations

Our work encounters a methodological situation known as the Collingridge dilemma888 The malicious use of VPPMs cannot be easily predicted until they are extensively developed and widely used. However, at the point we can do that, the control or change to affect the usage of VPPMs is difficult because the technology has become entrenched. Therefore, we chose speculative design as our approach to both critique current practices, and reflect on future technologies and their implications.

The resulting scenarios show the possibilities of potential harm exploited by VPPMs. Using a speculative design workshop allows us to broadly explore this space. However, one outcome that we are not able to assess with the current method is the likelihood of malicious attacks using VPPMs and the occurrence of physical harm in the everyday usage of VR. Nonetheless, surveying the in-the-wild VR phenomena (e.g., VR fails (Dao et al., 2021) or interactions between VR users and bystanders (O’Hagan et al., 2021)) could provide one route towards early detection of these attacks happening in practice, and such research would be aided by our findings.

Our participants were from HCI research and design research background. The resulting scenarios were more interaction design research oriented. We did not interpret the results depending on the participant’s expertise because participants collaborated during the workshop to create outcomes (scenarios, dimensions). VPPMs are mainly used inside research currently. Therefore inputs from our participants are valid because it reflects on how research communities perceive the malicious use of VPPM and how we can mitigate it in the future. However, we acknowledge that our current results show only one perspective of the malicious use of VPPMs. Future research should consider similar studies and experiments with people from the safety and security area, technical VR/XR, and dark design patterns to provide in-depth technical details in this direction.

8.2. Future Work

Our work is a first exploration into a topic that could potentially grow exponentially in its risk at the moment when we have always-on XR devices. Based on our current findings, we open the door to further research into the malicious potential of perceptually manipulating users in the context of XR.

Intent beyond Physical Harm

Currently, this paper focus on the physical harm, but we want to point out that the malicious user of VPPMs could accomplish more than ‘just’ provoking physical harm. The realism of VR technology can induce certain behavioral changes (e.g., given the virtual representation in VR, users with taller avatars negotiated more aggressively than users with shorter avatars (Yee et al., 2009)). Slater and colleagues (Slater et al., 2020) discussed the psychological realism of AR/VR and its possible impact on the user. In both workshops, participants (P2 and P5) mentioned the possibility of exploiting psychological harm to the user (e.g., VR application introduces a phobia to the VR user and make them forever be afraid of using an HMD). Unlike perceptually manipulating the physical movements, the psychological harm cannot only provoke immediate effect and reaction but also the long-term impact (e.g., trauma or phobia).

Harm beyond the VR User, and the Here-and-Now

Although we focus on provoking harm to one VR user, malicious attacks could easily go beyond that. We already find some examples in our workshops. For instance, Start a Fight (S07) renders bystanders as enemies in VR and makes the VR user punch them or vice versa. The other example is Minecraftish (S12) that the VR user throws an object at pedestrians. In the results of synthesizing step, P3 presented the social involvement dimension (D5) that starts with “harm yourself” to “harm others”. Harm others could be exploited in several ways such as hitting bystanders (S07), insulting people (S11), or let others watch the VR user suffering or even dying (S04 and S09). The target of malicious actors varies from a VR user, multiple VR users, bystanders, to objects and organisms in the environment. VPPMs could also be used to create the circumstances for harm in the future, e.g., using the VR user to manipulate elements in the physical environment that might cause harm to bystanders later. We have examined only a narrow scope of the potential harms that could be made possible by VPPMs in the future, and suggest consideration be given to further understanding multi-user VPPMs, harm beyond the VR user, and creating the circumstances for harm beyond the VR session.

Challenges of VPPMs in AR and XR

We anticipate that researchers and practitioners can also apply VPPMs to AR and XR in the future. As an example, Optical Marionette (Ishii et al., 2016) applied redirected walking on video see-through HMDs. In video see-through HMDs, malicious actors are still able to apply both puppetry and mismatching attacks since they still have full control over the visuals of the user. However, when using optical see-through HMDs (e.g., deceptive holograms (Lebeck et al., 2018)), applying puppetry attacks becomes more challenging because the user can observe their physical movements at the same time. Future VR, AR, and XR technologies would allow the user to break free the static play space towards moving around freely in the world. The safety risk may be amplified, and mismatching attacks are still able to trick the user (e.g., substitute the virtual and physical content on video/optical see-through HMDs to provoke falling over). Future research could continue to explore the novel attacks using VPPMs in this direction, understanding the common attacks shared across XR devices.

Broadly, whilst it would be understandable if there was still some scepticism regarding the prescience of the risks posed by VPPMs, it is our view that we have only just begun to understand the extent to which XR users are exposed to risks through these techniques. As XR technology and its requisite sensing grow in capability, so too will a malicious actors ability to exploit this technology for harmful intent. Consequently, it is paramount that research to this end be considered and acted upon before real harm is inflicted upon real users.

9. Conclusion

In this paper, we define VPPM as XR-driven exploits that alter the human multi-sensory perception of our physical actions and reactions to nudge the user’s physical movements. Through speculative design workshops, we collect a set of harmful scenarios using VPPMs, identify two main classes (puppetry and mismatching) of potential attacks, and characterize physical harm. Two sample applications (SteppingOn and HittingFace) are implemented as an demonstration to show how current concepts from VPPM research can be trivially subverted. Finally, we propose platform-level mitigations and preventative recommendations for practitioners and researchers against the malicious use of VPPMs. Our work opens new research directions at the intersection between HCI, XR, and security research. We want to raise awareness that the current way we apply and publish VPPMs can lead to malicious use of our perceptual vulnerabilities. We consider the current practice provides a dangerous leak of human perceptual weak spots — human perception thresholds that cannot be patched — which can be used by future malicious actors. Overall, we argue that VPPMs do have the potential to be misused to provoke physical harm in the future and HCI as an academic discipline should become more cautious publishing such work and also reflect on the potential for abuse.

This work was partially conducted within the HARMFULVR JCJC project (ANR-21-CE33-0013) funded by French National Research Agency (ANR). We appreciate all the anonymous reviewers for their advice to improve this paper, and we thank the workshop participants for their contributions and time.

Appendix A Descriptions of Selected Scenarios

[Magic Maze (S03), exploits: redirected walking, physical harm: fall]

Magic Maze is an application where the VR user explores a virtual maze in their apartment or a building. The application applies redirected walking to the VR user to control their walking direction in this space. As the application steers the VR user towards a stairway, they are unaware of the height difference and fall.

[Start a Fight (S07), exploits: swapping, physical harm: punch other, get punched]

In this scenario, a VR user plays a game in a public space where the goal is to fight enemies. The VR application detects bystanders in the real world and maps the enemy’s avatar onto bystander so that the VR user punches them. This would result in harm to bystanders and potential harm for the users.

[Getting Robbed (S08), exploits: redirected walking, physical harm: get robbed, stabbed]

Getting Robbed shows that a VR user is in a game like Pokemon Go and needs to walk around in VR to collect items. The items are located in dangerous places in the real world, and all the physical surroundings are replaced by the virtual game view. This results in a practically blindfolded user walking and not knowing where they are headed. This will then be abused once the victim was lured into a dangerous area (e.g., being robbed or physically attacked in an alley).

[Catch a Ride (S09), exploits: redirected walking, overplay audio feedback, physical harm: get driven over]

Catch A Ride is where a VR user is immersed in a VR game at an open space. The game has loud audio feedback that can overplay the sound from the real world. The game redirects the user onto an open road so they get hit by a car since they are not able to see or hear the traffic noise.

[Falsely Mapped Apartment (S10), exploits: remove or add virtual object in an one-to-one mapped environment, physical harm: fall or collision]

In this scenario, a future VR technology allows users to re-create a fully-mapped apartment in VR. The VR user can touch anything and sit anywhere as they do in the real world, believing that this mapping matches their real world home. The user habituates to this environment as each real-world object is mapped to a VR one. Malicious actors may exploit this by adding or removing virtual objects. Adding VR objects may result in injuring the user by, for example, sitting on a VR chair that has no physical counterpart. Similarly, removing VR objects may result in collisions with real-world objects, such as real-world tables that do not have counterparts in VR. The idea in this scenario is to first make accustomed to having a one-to-one mapping between the virtual and the real world and trust that this is the case, and then introduce/remove objects to unexpectedly break this mapping.

[Insult Simulator (S11), exploits: game mechanics, physical harm: insult bystanders, get punched]

In this scenario, the VR user plays a game in an open space where people are around, and the game mechanics lead the user to perform physical actions that appear insulting for onlookers without enough context. In an illustrated example by our participants, a user follows the narratives in VR to reach out with bare hands but may seem like they are performing a Nazi salute from outside. A bystander that does not know what the VR user is doing may feel insulted/offended as a result.

[Minecraftish (S12), exploits: redirected haptics and swapping, physical harm: throwing objects at others]

Minecraftish is another scenario that uses redirected haptics to make the VR user grab a real-world object that they think resembles a counter part in a Minecraft-style VR game. The application can access information captured by the VR headset, and at some point, it redirects the VR user to grab an object (or a pet) resembling the virtual content in the environment. Because the VR user thinks they are doing the task in VR and do not perceive the difference, they stack up or even throw a potentially harmful object (e.g., hot drink or sharp object) outside the window and hit pedestrians. The physical harm in this scenario affects the personal objects or other organisms (e.g., pet, bystander) in the environment.


  • N. Aliman and L. Kester (2020) Malicious design in aivr, falsehood and cybersecurity-oriented immersive defenses. In

    2020 IEEE International Conference on Artificial Intelligence and Virtual Reality (AIVR)

    Vol. , Utrecht, Netherlands, pp. 130–137. External Links: Document Cited by: §3.3.
  • J. Auger (2013) Speculative design: crafting the speculation. Digital Creativity 24 (1), pp. 11–35. Note: Publisher: Routledge _eprint: External Links: ISSN 1462-6268, Link, Document Cited by: §4.
  • M. Azmandian, M. Hancock, H. Benko, E. Ofek, and A. D. Wilson (2016) Haptic Retargeting: Dynamic Repurposing of Passive Haptics for Enhanced Virtual Reality Experiences. In Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems, CHI ’16, San Jose, California, USA, pp. 1968–1979. External Links: ISBN 978-1-4503-3362-7, Link, Document Cited by: §1, §1, §3.2, §4.2, §5.3.1, §5.3.3, §6.1, §6.
  • D. Barrera, H. G. Kayacik, P. C. van Oorschot, and A. Somayaji (2010) A methodology for empirical analysis of permission-based security models and its application to android. In Proceedings of the 17th ACM conference on Computer and communications security, CCS ’10, New York, NY, USA, pp. 73–84. External Links: ISBN 978-1-4503-0245-6, Link, Document Cited by: §7.
  • K. Behr, A. Nosper, C. Klimmt, and T. Hartmann (2005) Some Practical Considerations of Ethical Issues in VR Research. Presence: Teleoperators and Virtual Environments 14 (6), pp. 668–676. External Links: Link, Document Cited by: §3.3.
  • S. Benford, C. Greenhalgh, G. Giannachi, B. Walker, J. Marshall, and T. Rodden (2012) Uncomfortable interactions. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2005–2014. External Links: ISBN 978-1-4503-1015-4, Link Cited by: §7.
  • V. Braun and V. Clarke (2006) Using thematic analysis in psychology. Qualitative Research in Psychology 3 (2), pp. 77–101. Note: Publisher: Routledge _eprint: External Links: ISSN 1478-0887, Link, Document Cited by: §1, §5.1.
  • P. Brey (1999) The ethics of representation and action in virtual reality. Ethics and Information Technology 1 (1), pp. 5–14 (en). Note: Company: Springer Distributor: Springer Institution: Springer Label: Springer Number: 1 Publisher: Kluwer Academic Publishers External Links: ISSN 1572-8439, Link, Document Cited by: §7.
  • P. Brey (2014) Virtual Reality and Computer Simulation. In Ethics and Emerging Technologies, R. L. Sandler (Ed.), pp. 315–332 (en). External Links: ISBN 978-1-137-34908-8, Link, Document Cited by: §7.
  • E. Burns, S. Razzaque, A. T. Panter, M. C. Whitton, M. R. McCallus, and F. P. Brooks (2005) The hand is slower than the eye: a quantitative exploration of visual dominance over proprioception. In IEEE Proceedings. VR 2005. Virtual Reality, 2005., Bonn, Germany, pp. 3–10. Note: ISSN: 2375-5334 External Links: Document Cited by: §1, §3.2.
  • P. Casey, I. Baggili, and A. Yarramreddy (2019) Immersive Virtual Reality Attacks and the Human Joystick. IEEE Transactions on Dependable and Secure Computing 18 (2), pp. 1–1. Note: Conference Name: IEEE Transactions on Dependable and Secure Computing External Links: ISSN 1941-0018, Document Cited by: §3.3.
  • L. Cheng, E. Ofek, C. Holz, and A. D. Wilson (2019) VRoamer: Generating On-The-Fly VR Experiences While Walking inside Large, Unknown Real-World Building Environments. In 2019 IEEE Conference on Virtual Reality and 3D User Interfaces (VR), Osaka, Japan, pp. 359–366. Note: ISSN: 2642-5254 External Links: Document Cited by: §5.3.3.
  • L. Cheng, E. Ofek, C. Holz, H. Benko, and A. D. Wilson (2017) Sparse Haptic Proxy: Touch Feedback in Virtual Environments Using a General Passive Prop. In Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, CHI ’17, Denver, Colorado, USA, pp. 3718–3728. External Links: ISBN 978-1-4503-4655-9, Link, Document Cited by: §3.2.
  • N. Cross (2004) Expertise in design: an overview. Design Studies 25 (5), pp. 427–441 (en). External Links: ISSN 0142-694X, Link, Document Cited by: §4.1.
  • E. Dao, A. Muresan, K. Hornbæk, and J. Knibbe (2021) Bad Breakdowns, Useful Seams, and Face Slapping: Analysis of VR Fails on YouTube. In Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems, CHI ’21, New York, NY, USA, pp. 1–14. External Links: ISBN 978-1-4503-8096-6, Link, Document Cited by: §2, §3.3, §8.1.
  • J. V. Draper, D. B. Kaber, and J. M. Usher (1998) Telepresence. Human Factors 40 (3), pp. 354–375 (en). Note: Publisher: SAGE Publications Inc External Links: ISSN 0018-7208, Link, Document Cited by: §3.1.
  • M. Gonzalez-Franco and J. Lanier (2017) Model of Illusions and Virtual Reality. Frontiers in Psychology 8, pp. 1–8 (English). External Links: ISSN 1664-1078, Link, Document Cited by: §3.1, §3.2.
  • K. Halskov and P. Dalsgård (2006) Inspiration card workshops. In Proceedings of the 6th Conference on Designing Interactive Systems, DIS ’06, New York, NY, USA, pp. 2–11. External Links: ISBN 1595933670, Link, Document Cited by: §1.
  • J. Hartmann, C. Holz, E. Ofek, and A. D. Wilson (2019) RealityCheck: Blending Virtual Environments with Situated Physical Reality. In Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, pp. 1–12. External Links: ISBN 978-1-4503-5970-2, Link Cited by: §5.3.3.
  • A. Hettiarachchi and D. Wigdor (2016) Annexing Reality: Enabling Opportunistic Use of Everyday Objects as Tangible Proxies in Augmented Reality. In Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems, CHI ’16, San Jose, California, USA, pp. 1957–1967. External Links: ISBN 978-1-4503-3362-7, Link, Document Cited by: §5.3.3.
  • A. Ishii, I. Suzuki, S. Sakamoto, K. Kanai, K. Takazawa, H. Doi, and Y. Ochiai (2016) Optical Marionette: Graphical Manipulation of Human’s Walking Direction. In Proceedings of the 29th Annual Symposium on User Interface Software and Technology, UIST ’16, New York, NY, USA, pp. 705–716. External Links: ISBN 978-1-4503-4189-9, Link, Document Cited by: §3.2, §4.2, §5.3.3, §8.2.
  • R. Jungk and N. Müllert (1987) Future workshops: how to create desirable futures. Inst. for Social Inventions, UK. Cited by: §1.
  • L. Kohli (2010) Redirected touching: Warping space to remap passive haptics. In 2010 IEEE Symposium on 3D User Interfaces (3DUI), Waltham, MA, USA, pp. 129–130. External Links: Document Cited by: §1, §3.2, §5.3.1, §5.3.3.
  • R. A. Krueger and M. A. Casey (2015) Focus groups: a practical guide for applied research. 5th ed. edition, Sage Publications, Thousand Oaks, CA. Cited by: §1, §4.
  • O. Lab (2020) OhShape, a New VR Rhythm Game. (en-US). External Links: Link Cited by: §5.5.
  • E. Langbehn, P. Lubos, G. Bruder, and F. Steinicke (2017) Bending the Curve: Sensitivity to Bending of Curved Paths and Application in Room-Scale VR. IEEE Transactions on Visualization and Computer Graphics 23 (4), pp. 1389–1398. Note: Conference Name: IEEE Transactions on Visualization and Computer Graphics External Links: ISSN 1941-0506, Document Cited by: §5.3.3.
  • E. Langbehn, F. Steinicke, M. Lappe, G. F. Welch, and G. Bruder (2018) In the blink of an eye: leveraging blink-induced suppression for imperceptible position and orientation redirection in virtual reality. ACM Transactions on Graphics 37 (4), pp. 66:1–66:11. External Links: ISSN 0730-0301, Link, Document Cited by: §5.3.3.
  • K. Lebeck, T. Kohno, and F. Roesner (2016) How to safely augment reality: challenges and directions. In Proceedings of the 17th International Workshop on Mobile Computing Systems and Applications, HotMobile ’16, New York, NY, USA, pp. 45–50. External Links: ISBN 9781450341455, Link, Document Cited by: §7.
  • K. Lebeck, K. Ruth, T. Kohno, and F. Roesner (2017) Securing Augmented Reality Output. In 2017 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, pp. 320–337. Note: ISSN: 2375-1207 External Links: Document Cited by: §7.
  • K. Lebeck, K. Ruth, T. Kohno, and F. Roesner (2018) Towards security and privacy for multi-user augmented reality: foundations with end users. In 2018 IEEE Symposium on Security and Privacy (SP), Vol. , San Francisco, CA, USA, pp. 392–408. External Links: Document Cited by: §8.2.
  • A. Lecuyer, S. Coquillart, A. Kheddar, P. Richard, and P. Coiffet (2000) Pseudo-haptic feedback: can isometric input devices simulate force feedback?. In Proceedings IEEE Virtual Reality 2000 (Cat. No.00CB37048), New Brunswick, NJ, USA, pp. 83–90. Note: ISSN: 1087-8270 External Links: Document Cited by: §1, §3.2.
  • A. Lécuyer, J. Burkhardt, and L. Etienne (2004) Feeling bumps and holes without a haptic interface: the perception of pseudo-haptic textures. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 239–246. External Links: ISBN 978-1-58113-702-6, Link Cited by: §1, §3.2.
  • D. Lindlbauer and A. D. Wilson (2018) Remixed reality: manipulating space and time in augmented reality. In Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems, pp. 1–13. External Links: ISBN 9781450356206, Link Cited by: §5.3.3.
  • P. Lopes, A. Ion, and P. Baudisch (2015) Impacto: Simulating Physical Impact by Combining Tactile Stimulation with Electrical Muscle Stimulation. In Proceedings of the 28th Annual ACM Symposium on User Interface Software & Technology, UIST ’15, New York, NY, USA, pp. 11–19. External Links: ISBN 978-1-4503-3779-3, Link, Document Cited by: §1.
  • M. Madary and T. K. Metzinger (2016) Real Virtuality: A Code of Ethical Conduct. Recommendations for Good Scientific Practice and the Consumers of VR-Technology. Frontiers in Robotics and AI 3, pp. 3. External Links: ISSN 2296-9144, Link, Document Cited by: §3.3.
  • T. Markussen and E. Knutz (2013) The poetics of design fiction. In Proceedings of the 6th International Conference on Designing Pleasurable Products and Interfaces, DPPI ’13, New York, NY, USA, pp. 231–240. External Links: ISBN 978-1-4503-2192-1, Link, Document Cited by: §4.
  • M. Meehan, B. Insko, M. Whitton, and F. P. Brooks (2002) Physiological measures of presence in stressful virtual environments. In Proceedings of the 29th annual conference on Computer graphics and interactive techniques, SIGGRAPH ’02, New York, NY, USA, pp. 645–652. External Links: ISBN 978-1-58113-521-3, Link, Document Cited by: §3.1.
  • R. A. Montano Murillo, S. Subramanian, and D. Martinez Plasencia (2017) Erg-O: Ergonomic Optimization of Immersive Virtual Environments. In Proceedings of the 30th Annual ACM Symposium on User Interface Software and Technology, UIST ’17, Québec City, QC, Canada, pp. 759–771. External Links: ISBN 978-1-4503-4981-9, Link, Document Cited by: §3.2.
  • D. Morgan (1996) Focus groups as qualitative research. 2nd ed. edition, Sage Publications, Thousand Oaks, CA. Cited by: §1, §4.
  • J. O’Hagan, J. R. Williamson, M. McGill, and M. Khamis (2021) Safety, power imbalances, ethics and proxy sex: surveying in-the-wild interactions between vr users and bystanders. In 2021 IEEE International Symposium on Mixed and Augmented Reality (ISMAR), Vol. , Bari, Italy, pp. 211–220. External Links: Document Cited by: §2, §8.1.
  • B. Odeleye, G. Loukas, R. Heartfield, and F. Spyridonis (2021) Detecting framerate-oriented cyber attacks on user experience in virtual reality. In 1st International Workshop on Security for XR and XR for Security, Vol. , Vancouver, B.C., Canada, pp. 1–5. Cited by: §3.3.
  • K. Pearlman (2020) Virtual reality brings real risks: are we ready?. USENIX Association, San Francisco, CA. Note: Accessed: 2010-12-01 External Links: Link Cited by: §7.
  • M. I. Posner, M. J. Nissen, and R. M. Klein (1976) Visual dominance: An information-processing account of its origins and significance. Psychological Review 83 (2), pp. 157–171. Note: Place: US Publisher: American Psychological Association External Links: ISSN 1939-1471(Electronic),0033-295X(Print), Document Cited by: §1, §3.2.
  • S. Razzaque, D. Swapp, M. Slater, M. C. Whitton, and A. Steed (2002) Redirected walking in place. In Proceedings of the workshop on Virtual environments 2002, EGVE ’02, Goslar, DEU, pp. 123–130. External Links: ISBN 978-1-58113-535-0 Cited by: §1, §3.2, §5.3.3, §6.1.
  • M. Rietzler, F. Geiselhart, J. Gugenheimer, and E. Rukzio (2018) Breaking the Tracking: Enabling Weight Perception using Perceivable Tracking Offsets. In Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems, CHI ’18, Montreal QC, Canada, pp. 1–12. External Links: ISBN 978-1-4503-5620-6, Link, Document Cited by: §1, §3.2, §5.3.3, §6.2, §6.
  • M. Rietzler, J. Gugenheimer, T. Hirzle, M. Deubzer, E. Langbehn, and E. Rukzio (2018) Rethinking Redirected Walking: On the Use of Curvature Gains Beyond Perceptual Limitations and Revisiting Bending Gains. In 2018 IEEE International Symposium on Mixed and Augmented Reality (ISMAR), Munich, Germany, pp. 115–122. Note: ISSN: 1554-7868 External Links: Document Cited by: §5.3.3, §7.
  • F. Roesner, T. Kohno, and D. Molnar (2014) Security and privacy for augmented reality systems. Communications of the ACM 57 (4), pp. 88–96. External Links: ISSN 0001-0782, Link, Document Cited by: §7.
  • D. K. Rosner, S. Kawas, W. Li, N. Tilly, and Y. Sung (2016) Out of time, out of place: reflections on design workshops as a research method. In Proceedings of the 19th ACM Conference on Computer-Supported Cooperative Work & Social Computing, CSCW ’16, New York, NY, USA, pp. 1131–1141. External Links: ISBN 9781450335928, Link, Document Cited by: §1.
  • M. Samad, E. Gatti, A. Hermes, H. Benko, and C. Parise (2019) Pseudo-Haptic Weight: Changing the Perceived Weight of Virtual Objects By Manipulating Control-Display Ratio. In Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, CHI ’19, Glasgow, Scotland Uk, pp. 1–13. External Links: ISBN 978-1-4503-5970-2, Link, Document Cited by: §3.2, §5.3.3.
  • M. V. Sanchez-Vives and M. Slater (2005) From presence to consciousness through virtual reality. Nature Reviews Neuroscience 6 (4), pp. 332–339 (en). Note: Number: 4 Publisher: Nature Publishing Group External Links: ISSN 1471-0048, Link, Document Cited by: §3.1.
  • L. Shapira and D. Freedman (2016) Reality Skins: Creating Immersive and Tactile Virtual Environments. In 2016 IEEE International Symposium on Mixed and Augmented Reality (ISMAR), Merida, Mexico, pp. 115–124. External Links: Document Cited by: §5.3.3.
  • T. B. Sheridan (1992) Musings on Telepresence and Virtual Presence. Presence: Teleoperators and Virtual Environments 1 (1), pp. 120–126 (en). External Links: ISSN 1054-7460, Link, Document Cited by: §3.1.
  • J. G. Shin, D. Kim, C. So, and D. Saakes (2020) Body Follows Eye: Unobtrusive Posture Manipulation Through a Dynamic Content Position in Virtual Reality. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, CHI ’20, New York, NY, USA, pp. 1–14. External Links: ISBN 978-1-4503-6708-0, Link, Document Cited by: §3.2, §4.2.
  • A. L. Simeone, E. Velloso, and H. Gellersen (2015) Substitutional Reality: Using the Physical Environment to Design Virtual Reality Experiences. In Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, CHI ’15, New York, NY, USA, pp. 3307–3316. External Links: ISBN 978-1-4503-3145-6, Link, Document Cited by: §5.3.3.
  • M. Slater, C. Gonzalez-Liencres, P. Haggard, C. Vinkers, R. Gregory-Clarke, S. Jelley, Z. Watson, G. Breen, R. Schwarz, W. Steptoe, D. Szostak, S. Halan, D. Fox, and J. Silver (2020) The Ethics of Realism in Virtual and Augmented Reality. Frontiers in Virtual Reality 1, pp. 1–13 (English). Note: Publisher: Frontiers External Links: ISSN 2673-4192, Link, Document Cited by: §3.3, §7, §8.2.
  • M. Slater and S. Wilbur (1997) A Framework for Immersive Virtual Environments (FIVE): Speculations on the Role of Presence in Virtual Environments. Presence: Teleoperators and Virtual Environments 6 (6), pp. 603–616. External Links: Link, Document Cited by: §3.1.
  • M. Slater (2009) Place illusion and plausibility can lead to realistic behaviour in immersive virtual environments. Philosophical Transactions of the Royal Society B: Biological Sciences 364 (1535), pp. 3549–3557. Note: Publisher: Royal Society External Links: Link, Document Cited by: §3.1.
  • B. Spanlang, J. Normand, D. Borland, K. Kilteni, E. Giannopoulos, A. Pomés, M. González-Franco, D. Perez-Marcos, J. Arroyo-Palacios, X. N. Muncunill, and M. Slater (2014) How to Build an Embodiment Lab: Achieving Body Representation Illusions in Virtual Reality. Frontiers in Robotics and AI 1, pp. 1–22 (English). Note: Publisher: Frontiers External Links: ISSN 2296-9144, Link, Document Cited by: §3.1.
  • J. S. Spiegel (2018) The Ethics of Virtual Reality Technology: Social Hazards and Public Policy Recommendations. Science and Engineering Ethics 24 (5), pp. 1537–1550 (en). External Links: ISSN 1471-5546, Link, Document Cited by: §7.
  • F. Steinicke, G. Bruder, J. Jerald, H. Frenz, and M. Lappe (2010) Estimation of Detection Thresholds for Redirected Walking Techniques. IEEE Transactions on Visualization and Computer Graphics 16 (1), pp. 17–27. Note: Conference Name: IEEE Transactions on Visualization and Computer Graphics External Links: ISSN 1941-0506, Document Cited by: §1, §3.2, §5.3.3.
  • Q. Sun, A. Patney, L. Wei, O. Shapira, J. Lu, P. Asente, S. Zhu, M. Mcguire, D. Luebke, and A. Kaufman (2018) Towards virtual reality infinite walking: dynamic saccadic redirection. ACM Transactions on Graphics 37 (4), pp. 67:1–67:13. External Links: ISSN 0730-0301, Link, Document Cited by: §3.2, §4.2, §5.3.3.
  • M. Usoh, K. Arthur, M. C. Whitton, R. Bastos, A. Steed, M. Slater, and F. P. Brooks (1999) Walking > walking-in-place > flying, in virtual environments. In Proceedings of the 26th annual conference on Computer graphics and interactive techniques, SIGGRAPH ’99, USA, pp. 359–364. External Links: ISBN 978-0-201-48560-8, Link, Document Cited by: §3.3.
  • R. J. van Beers, A. C. Sittig, and J. J. Gon (1999) Integration of proprioceptive and visual position-information: An experimentally supported model. Journal of Neurophysiology 81 (3), pp. 1355–1364 (eng). External Links: ISSN 0022-3077, Document Cited by: §1, §3.2.
  • R. J. van Beers, D. M. Wolpert, and P. Haggard (2002) When Feeling Is More Important Than Seeing in Sensorimotor Adaptation. Current Biology 12 (10), pp. 834–837 (en). External Links: ISSN 0960-9822, Link, Document Cited by: §3.2.
  • VR Fitness Insider (2018) Beat Saber - GANGNAM STYLE PERFECT. External Links: Link Cited by: §5.5.
  • D. H. Warren and W. T. Cleaves (1971) Visual-proprioceptive interaction under large amounts of conflict. Journal of Experimental Psychology 90 (2), pp. 206–214 (eng). External Links: ISSN 0022-1015, Document Cited by: §3.2.
  • S. Weech, S. Kenny, M. Lenizky, and M. Barnett-Cowan (2020) Narrative and gaming experience interact to affect presence and cybersickness in virtual reality. International Journal of Human-Computer Studies 138, pp. 102398 (en). External Links: ISSN 1071-5819, Link, Document Cited by: §5.5.
  • T. Wilde (2017) Man dies in VR accident, reports Russian news agency. (en). Note: Accessed: 2021-09-01 External Links: Link Cited by: §2.
  • G. Wilson and M. McGill (2018) Violent Video Games in Virtual Reality: Re-Evaluating the Impact and Rating of Interactive Experiences. In Proceedings of the 2018 Annual Symposium on Computer-Human Interaction in Play, CHI PLAY ’18, New York, NY, USA, pp. 535–548. External Links: ISBN 978-1-4503-5624-4, Link, Document Cited by: §7.
  • J. (. Yang, C. Holz, E. Ofek, and A. D. Wilson (2019) DreamWalker: Substituting Real-World Walking Experiences with a Virtual Reality. In Proceedings of the 32nd Annual ACM Symposium on User Interface Software and Technology, UIST ’19, New Orleans, LA, USA, pp. 1093–1107. External Links: ISBN 978-1-4503-6816-2, Link, Document Cited by: §5.3.3.
  • N. Yee, J. N. Bailenson, and N. Ducheneaut (2009) The Proteus Effect: Implications of Transformed Digital Self-Representation on Online and Offline Behavior. Communication Research 36 (2), pp. 285–312 (en). Note: Publisher: SAGE PublicationsSage CA: Los Angeles, CA External Links: Link, Document Cited by: §8.2.
  • R. Yuste, J. Genser, and S. Herrmann (2021) It’s time for neuro-rights. Center for International Relations and Sustainable Development. Note: Accessed: 2021-12-01 External Links: Link Cited by: §7.
  • R. Yuste, S. Goering, G. Bi, J. M. Carmena, A. Carter, J. J. Fins, P. Friesen, J. Gallant, J. E. Huggins, J. Illes, et al. (2017) Four ethical priorities for neurotechnologies and ai. Nature News 551 (7679), pp. 159. Cited by: §7.