When Tim Cook unveiled Apple’s ARKit augmented-reality platform on Monday at its 2017 Worldwide Developers Conference, his company joined a growing list of tech heavyweights—Facebook, Google, and Microsoft among them—who are jumping with both virtual feet into AR.

Today, augmented reality consists mostly of people using smartphones to capture mythical creatures in Pokemon Go, display information about nearby businesses using Yelp’s Monocle feature, or add vomit rainbows to their Snapchat photos. But in a few years, we may be donning AR glasses that can overlay virtual objects on top of the real world. AR displays are also set to increasingly pop up in retail stores, on advertising billboards, and on the windshields of our cars.

Digi-Capital, an advisory group for mergers and acquisitions, predicts that the market for augmented hardware and software will exceed $80 billion by 2021.

In short, we’ll be moving through a reality where the boundaries between the physical and digital worlds are rapidly evaporating. And that raises a host of privacy and security threats, some of them familiar, others brand-new.

Data collection gone wild

Because AR is often tied to a specific place—that Charmander is lurking outside your favorite bookstore, a 4-star Yelp rating appears to be floating above the restaurant next door—an AR device or app usually needs to know your location.

That data alone can reveal a lot about your habits, but it’s only the beginning, says Peter Reinhardt, CEO of Segment, which helps Fortune 500 companies manage their customer data. AR devices could end up collecting biometric and personal health data too.

“For an AR app to work, it needs to understand where you are and what you’re looking at,” he says. “It can also tell what you’re interested in, based on how long your vision lingers on something. A device on your face could measure pupil dilation and even brain activity, which could indicate how excited you are, if you’re stressed out, or when you’re lying.”

Using your location, activity, and state of mind, companies can infer a wide range of things about you and use that data to predict what you might want to do next, he adds. And, as usual, the company that collects this data can use it for any purpose, limited only by the terms of its privacy policy.

Glassholes, the sequel

But even if you never use an AR device, your privacy could be compromised by others who do, notes Charles Lee Mudd Jr., principal attorney with Mudd Law, a technology-focused firm based in Chicago. Someone wearing a device like Google Glass or Snap Spectacles could capture video of you in a public space and post it to Facebook, where facial-recognition software could identify you by name, Mudd says.

“Say I’m at my local McDonald’s, and someone uploads an AR clip of me to Twitter or Facebook,” he says. “While being at McDonald’s is somewhat innocuous, being somewhere else might not be. The privacy implications could be significant.”

While people can do much the same thing today with smartphones, Mudd admits, AR will make it easier and more compelling.

“It’s very easy for people to do these things to their peers, friends, or enemies, and get a widespread audience by posting them to the Net,” he says. “AR enhances that ability and multiplies the opportunities for these issues to arise.”

Fraudian slips

Many of the same AR features that pose potential threats, like location and behavior tracking, might also one day keep fraudsters from draining your bank account.

An AR-enabled device could be used to passively authenticate your identity using a retinal scan or some other biometric, notes Seth Ruden, senior fraud consultant for payments firm ACI Worldwide. It could even use your behavior to identify you; conversely, if a user’s head is cocked in an unusual direction, or he’s holding the device in his right hand instead of his left, that could indicate that the user isn’t actually you, he says.

A banking app could even ask you to perform some action in front of the phone’s camera—like, say, draw a figure 8 in the air with your finger—and combine that with your location to identify you as a human (not a bot) using your normal ATM, says Ruden.

Besides making financial transactions more secure, AR may also allow us to kiss passwords, PINs, and ATM cards goodbye, he adds.

Hacking AR

Where things really get interesting is if someone hacks an AR app or game to insert their own version of mixed reality.

We’ve already seen people exploit the popularity of Pokemon Go to spread malware via bogus guides to the popular AR game. As augmented wearables become more widespread, they could attract the attention of attackers who deliberately manipulate the images in a person’s field of view—essentially, substituting fake virtual objects in place of real virtual objects, says Mandeep Khera, CMO of Arxan Technologies, a provider of enterprise application security solutions for mobile apps and Internet-connected devices.

“A future malicious application might overlay an incorrect speed limit on top of a real speed limit sign, or place a fake sign where there is none,” he says. “It might intentionally provide incorrect translations for real-world text in a foreign language, or cause sensory overload in a user by flashing bright lights or playing loud sounds.”

AR hacks could also create a new breed of ransomware. A surgeon who relies on a device like Microsoft HoloLens to guide her procedures could be forced to pay a bitcoin ransom or lose control of the device, Khera says. And these exploits could be used to foster cyberterrorism and other mayhem.

Because they’re relatively new and highly complex, AR devices and apps will be more vulnerable and thus more attractive to attackers, he adds.

“Hackers always go after the weakest link,” Khera says. “They used to attack at the network level. After people began using firewalls, they moved on to Web apps and browsers, and then to mobile and connected devices. AR is next.”